German e-government SDK patched against ID spoofing vulnerability

Germany has patched a key “e-government” service against possible impersonation attacks, and both private and public sector developers have been told to check their logs for evidence of exploits.

A vulnerability in a web library lets attackers spoof electronic ID card identities. When exploited, it allows an attacker to deceive a website and assume the identity of another German citizen during eID authentication. There are some hurdles an attacker must clear before abusing this vulnerability, but the researchers who found it say their eID spoofing attack is more than doable.

In July, SEC Consult, the German cyber-security firm that discovered the flaw in this SDK, warned the country’s federal computer emergency team, CERT-Bund, that software supporting the government’s nPA ID card had a critical vulnerability (the ID cards themselves have not been breached). Germany’s Computer Emergency Response Team then coordinated with Governikus, the vendor, to release a patch (Autent SDK v3.8.1.2) in August this year.

The vulnerable component is the Governikus Autent SDK, which allows web developers to check users’ identities against the nPA. Because of a quirk in how HTTP requests are handled, the system could be tricked into authenticating the wrong person, SEC Consult said.

Governikus Autent SDK is one of the SDKs that German websites, including government portals, have used to add support for eID-based login and registration procedures.

The vulnerability doesn’t reside in the radio-frequency identification (RFID) chip embedded in German eID cards, but in the software kit implemented by websites that want to support eID authentication.

SEC Consult explained the exploit process in this blog post.

Online authentication is carried out using a smartcard reader and electronic ID (eID) client software such as the government’s AusweisApp 2. To authenticate a citizen, a web application (which could be a government service such as tax, or a private service such as a bank or insurer) sends a request to the eID client.

Published by Marshmallow
