Security researchers have discovered a flaw in the German electronic ID card (eID) system that lets an attacker impersonate another German citizen when logging in to web services, or alter the identity attributes a service receives from the card, such as the date of birth.
According to a blog post by SEC Consult, the Austrian cyber-security firm that discovered the flaw, the vulnerability affects web applications built on Governikus Autent SDK 3.8.1 and earlier that accept duplicate HTTP parameters.
Wolfgang Ettlinger of SEC Consult found the vulnerability and showed that the signature check performed by the web application could be bypassed, so that the application accepts altered identity data as if it had been vouched for by the authentication server.
Normally, when authentication is started, the web application sends a request to the eID client which then initiates all further steps needed for the authentication. It requests a PIN from the user, communicates with an authentication server (eID-Server or SAML-Processor), the web application and the RFID chip and finally sends a response to the web application.
"To prohibit an attacker from manipulating this data, the response is digitally signed by the authentication server (which takes on the role of a trusted third party). If an attacker attempted to manipulate the data being sent, the web application would not be able to verify the signature and would abort the identification process," said researchers.
The flaw means that attackers can arbitrarily manipulate the response without invalidating the signature. "An attacker could therefore abuse this vulnerability, e.g. to alter data coming from the ID card, fool age verification or authenticate as any other citizen," researchers said.
Web applications built on an unpatched Autent SDK accept eID client responses that carry a single cryptographic signature alongside multiple SAMLResponse parameters, each containing user data.
"If an attacker supplies multiple parameters named SAMLResponse, the signature is verified against the last occurrence of the parameter, while the SAML response that is processed further, will be taken from the first occurrence," explained the blog.
"To exploit this vulnerability, an attacker requires at least one valid query string signed by the authentication server. It does not matter for which citizen or at which time the signature for the query string has been issued."
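The following is an added example, not code from SEC Consult or from the Governikus SDK, that models the parameter-pollution behaviour quoted above. The authentication server's signature is replaced by an HMAC over the response (an assumption made so the example runs offline; the real eID-Server uses a public-key signature), the SAML XML is replaced by a toy `key=value|key=value` attribute string, and the handler and parameter names (`SAMLResponse`, `Signature`, `vulnerable_handler`, `hardened_handler`) are hypothetical. The vulnerable handler verifies the signature against the last `SAMLResponse` occurrence but processes the first, exactly the mismatch described; the hardened handler aborts on any duplicate parameter and verifies the same value it processes.

```python
import hashlib
import hmac
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the authentication server's signing key (assumption:
# the real eID-Server signs asymmetrically; HMAC is used only to run offline).
SERVER_KEY = b"eid-server-demo-key"


def sign(saml_response: str) -> str:
    """Stand-in for the trusted authentication server signing a response."""
    return hmac.new(SERVER_KEY, saml_response.encode(), hashlib.sha256).hexdigest()


def verify(saml_response: str, signature: str) -> bool:
    """Constant-time comparison of the expected and supplied signature."""
    return hmac.compare_digest(sign(saml_response), signature)


def parse_attributes(saml_response: str) -> Dict[str, str]:
    """Toy attribute format 'key=value|key=value' standing in for SAML XML."""
    return dict(item.split("=", 1) for item in saml_response.split("|") if item)


def vulnerable_handler(query: str) -> Optional[Dict[str, str]]:
    """Models the pre-patch behaviour: signature checked against the LAST
    SAMLResponse occurrence, but the FIRST occurrence is processed."""
    params = parse_qs(query)  # values are lists in order of occurrence
    responses: List[str] = params.get("SAMLResponse", [])
    sigs: List[str] = params.get("Signature", [])
    if not responses or not sigs:
        return None
    if not verify(responses[-1], sigs[-1]):
        return None  # signature failure aborts identification
    return parse_attributes(responses[0])  # ...but a different value is used


def hardened_handler(query: str) -> Optional[Dict[str, str]]:
    """Abort on duplicate (or missing) security-relevant parameters, then
    verify and process one and the same value."""
    params = parse_qs(query)
    responses: List[str] = params.get("SAMLResponse", [])
    sigs: List[str] = params.get("Signature", [])
    if len(responses) != 1 or len(sigs) != 1:
        return None  # duplicate parameter: treat as an attack, do not guess
    if not verify(responses[0], sigs[0]):
        return None
    return parse_attributes(responses[0])


# Constructed sample data: one genuinely signed response (for any citizen, at
# any time) is all the attacker needs, plus the forged data they want accepted.
GENUINE = "name=Erika Mustermann|dob=1964-08-12"
GENUINE_SIG = sign(GENUINE)
FORGED = "name=Max Mustermann|dob=2001-01-01"


def build_legit_query() -> str:
    """What an honest eID client sends: one response, one signature."""
    return urlencode([("SAMLResponse", GENUINE), ("Signature", GENUINE_SIG)])


def build_attack_query() -> str:
    """Forged response first, validly signed response last, its signature."""
    return urlencode([
        ("SAMLResponse", FORGED),
        ("SAMLResponse", GENUINE),
        ("Signature", GENUINE_SIG),
    ])


if __name__ == "__main__":
    print("vulnerable, attack:", vulnerable_handler(build_attack_query()))
    print("hardened,   attack:", hardened_handler(build_attack_query()))
    print("hardened,   legit :", hardened_handler(build_legit_query()))
```

Running it shows the vulnerable handler returning the forged attributes (the signature on the trailing copy validated cleanly), while the hardened handler rejects the polluted request outright and still accepts the honest one. The general lesson is that the value whose signature is verified and the value that is subsequently consumed must be the same object in memory, and that duplicated security-relevant parameters should fail closed rather than be resolved by whichever occurrence a given parser happens to prefer.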
SEC Consult disclosed the details of the issue privately to CERT-Bund in July. Governikus has since released a patched version of the Autent SDK and informed affected customers.
Adam Brown, manager of security solutions at Synopsys, told SC Media UK that organisations using this authentication mechanism are open to repudiation attacks which could result in identity fraud.
"Given the highly trusted nature of the mechanism and its widespread implementation, the impact of any attack using this flaw would likely be critical," he said.
Brown added that this is a good example of a design flaw, and that 50 per cent of vulnerabilities are found at the design level.
"Design flaws are not easily picked up through automated testing and review; they are typically identified through a design review. This is a really important activity in the software development lifecycle and must be performed early to prevent implementations of flawed designs," Brown said.
Vittorio Bertola, head of policy and innovation at Open-Xchange, told SC that there are lessons to be learnt for the industry.
"Even if it seems that this is just a bug in the software implementation of the SDK – easily fixed with a new version – rather than a design flaw in the entire system, the sensitive nature of the information dictates measures to be implemented in order to safeguard it," he said.
"When it comes down to creating such a critical piece of software, it’s essential to ensure that all the proper release and quality assurance controls are done rigorously. Another thing to keep in mind is to also employ specialised third-party researchers to conduct ongoing penetration tests and try to crack your system, to make your security as robust as possible."