German e-government SDK patched against ID spoofing vulnerability

Germany has patched a key “e-government” service against possible impersonation attacks, and both private and public sector developers have been told to check their logs for evidence of exploits.

Vulnerability in web library lets attackers spoof electronic ID card identities. When exploited, the vulnerability allows an attacker to trick a website and spoof the identity of another German citizen when the eID authentication option is used. An attacker has to clear some hurdles before abusing this vulnerability, but the researchers who found it say their eID spoofing hack is more than doable.

In July, SEC Consult, the German cyber-security firm that discovered the flaw in this SDK, warned the country’s federal computer emergency team, CERT-Bund, that software supporting the government’s nPA ID card had a critical vulnerability (the ID cards themselves have not been breached). Thereafter, Germany’s Computer Emergency Response Team coordinated with Governikus, the vendor, to release a patch (Autent SDK v3.8.1.2) in August this year.

The vulnerable component is the Governikus Autent SDK, which allows web developers to check users’ identities against the nPA. Because of a quirk of HTTP, the system could be tricked into authenticating the wrong person, SEC Consult said.

Governikus Autent SDK is one of the SDKs that German websites, including government portals, have used to add support for eID-based login and registration procedures.

The vulnerability doesn’t reside in the radio-frequency identification (RFID) chip embedded in German eID cards, but in the software kit implemented by websites that want to support eID authentication.

SEC Consult explained the exploit process in this blog post.

Online authentication is carried out using a smartcard reader and electronic ID (eID) client software such as the government’s AusweisApp 2. To authenticate a citizen, a web application (which could be a government service such as tax, or a private service such as a bank or insurer) sends a request to the eID client.
