German eID Authentication Flaw Lets You Change Identity
German identity cards issued since 2010 come with a radio frequency identification chip that stores information about the holder. This includes name, date of birth and a biometric picture. If the holder so chooses, it can also store their fingerprints.
The new cards are machine-readable and can be used as travel documents in most countries in Europe, as well as for authentication into online government services (tax, mail) or for age verification. Authentication via the RFID chip is possible using a smartcard reader and an eID client application that communicates with the RFID chip and an authentication server to validate the login data. To prevent tampering with the ID card data, the authentication server checks the validity of the information and then signs its reply, so that the web service can trust the legitimacy of the data received.
Wolfgang Ettlingerresearched the vulnerability for SEC Consult Vulnerability Lab abd and able to bypass protections from the authentication server and fool the web application to accept the altered data. The researcher found a way to manipulate the response from the server without breaking the seal of trust given by the digital signature. Ettlinger was able to authenticate with an arbitrary name against a demo version of an eID client (AusweisApp).
The expertchanged the eID holder’s nameto Johann Wolfgang von Goethe and used the address (Frauenplan 1, 99423 Weimar) the writer lived at for 50 years, where today is the Goethe Museum.