Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>patrickcmiller</span></a></span> : Germany's eID system vulnerable to AitM (*) attacks, leading to possible (hard to dispute) impersonation / identity fraud</p><p>(*) Attacker in the Middle</p><p>Note that this vulnerability may affect other or all "electronic passports".</p><p>The German site Heise.de (well known in western Europe, publisher of popular paper IT magazines such as c't and iX) reports [1] that a researcher was able to attack the German "eID", an electronic passport, using a malicious smartphone app.</p><p>BSI, Germany's Federal Office for Information Security [2], acknowledges the vulnerability (CVE-2024-23674) but says [3] that there is no fix (I fully agree, device compromise means game over - even if the secrets themselves are safely stored in the passport itself, in a "secure hardware enclave" in a smartphone, or in a TPM in a PC).</p><p>The researcher, "CtrlAlt", published an extensive English write-up (plus PDF) at:</p><p>[0] <a href="https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ctrlalt.medium.com/space-attac</span><span class="invisible">k-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1</span></a></p><p>This risk will be exacerbated for European citizens once they can download iOS/iPadOS apps from alternative "app stores" (the EU forces Apple to allow this).</p><p>I'd like to point out that eID apps are typically VULNERABLE TO PHISHING AS WELL (not requiring device compromise and/or malicious apps): a fake (AitM) website may ask a person to authenticate using their electronic passport, and forward such credentials to another website, 
impersonating the real person.</p><p>Furthermore, in December BSI together with their French colleagues ANSSI published "Remote Identity Proofing" [4], assessing the risks of "VideoIdent" - to my surprise not mentioning AitM's at all. Not to mention the rapidly increasing risk from AI (such as OpenAI's Sora, which generates artificial videos).</p><p>In my opinion some things cannot be digitalized reliably without significantly increasing risks - in particular for vulnerable people (those with limited cybersecurity awareness and/or those using old, no longer supported, hardware).</p><p>Authentication, involving significant risks (for the person authenticating), therefore requiring maximum reliability, can only be achieved IN A LIVE SETTING by letting trustworthy verifiers thoroughly check hard-to-duplicate passports for falsifications and/or manipulations, and asserting that the person matches their passport photo (plus any other physically identifying attributes).</p><p>Yes, this is more expensive, time-consuming and inconvenient, but in my opinion inevitable if risks are to be kept low.</p><p>[1] (German) <a href="https://www.heise.de/news/AusweisApp-Kritische-Schwachstelle-erlaubt-Uebernahme-fremder-Identitaeten-9630452.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/news/AusweisApp-Kriti</span><span class="invisible">sche-Schwachstelle-erlaubt-Uebernahme-fremder-Identitaeten-9630452.html</span></a></p><p>[2] <a href="https://bsi.bund.de/EN/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">bsi.bund.de/EN/</span><span class="invisible"></span></a></p><p>[3] (German) <a href="https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/240216_Hinweis-auf-eID-Schwachstelle.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span 
class="invisible">https://www.</span><span class="ellipsis">bsi.bund.de/DE/Service-Navi/Pr</span><span class="invisible">esse/Pressemitteilungen/Presse2024/240216_Hinweis-auf-eID-Schwachstelle.html</span></a></p><p>[4] <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bsi.bund.de/SharedDocs/Downloa</span><span class="invisible">ds/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html</span></a></p><p>P.S. A personal thank you for keeping many followers informed on current security risks!</p><p><a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://infosec.exchange/tags/impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>impersonation</span></a> <a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentityFraud</span></a> <a href="https://infosec.exchange/tags/idfraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>idfraud</span></a> <a href="https://infosec.exchange/tags/passport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passport</span></a> <a href="https://infosec.exchange/tags/ElectronicPassport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ElectronicPassport</span></a> <a href="https://infosec.exchange/tags/MaliciousApps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MaliciousApps</span></a> 
<a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/sideloading" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sideloading</span></a> <a href="https://infosec.exchange/tags/BSI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BSI</span></a> <a href="https://infosec.exchange/tags/ANSSI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANSSI</span></a> <a href="https://infosec.exchange/tags/EU" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EU</span></a></p>