White Hat Hacker Reveals Vulnerability in Germany’s Digital ID

By Masha Borak

Germany’s digital ID may come under threat from malicious attackers, according to an analysis from a digital security expert.

A white hat hacker recently demonstrated how a cybercriminal could perform a Man-in-the-Middle attack on the online version of the German National Identity Card, known as eID. The vulnerability could potentially pose a danger to the approximately 10 million people currently using the system.

“I was surprised at how easy it was to compromise the system,” the hacker told news outlet Der Spiegel.

The anonymous digital researcher, who goes under the name CtrlAlt, built an application that could record the six-digit PIN users type in to log in to the eID on their smartphones. To aid the process, he used the official eID app code, which is available online as open-source software.

The malware could potentially be installed on the user’s smartphone through sophisticated Trojan software that gives access to the entire smartphone, similar to the ones used by certain governments to target dissidents and journalists. Alternatively, cybercriminals could also place the malware by tricking a user into downloading a fraudulent app from an app store.

Once they gain access to the digital ID, malicious actors could log the user into a fake eID app account as well as intercept data used to log into other eID services, including government services, eHealth platforms and banking systems, according to the hacker who published an analysis of the attack last Friday.

CtrlAlt says he informed Germany’s Federal Office for Information Security (BSI) in December last year and that the agency has acknowledged the vulnerability. In a response to Der Spiegel, BSI said there is no evidence of specific attacks carried out and that it sees no reason for a change in risk assessment for using the eID.

“From the BSI’s point of view, this is not an attack on the eID system, but on the users’ end devices,” it says.

CtrlAlt, however, says that this places undue responsibility on users for maintaining client device security. And with plans for expanding Germany’s digital ID system, the problem could linger on. Since 2017, the country has been automatically enrolling citizens into the eID program while issuing new ID cards. Fifty-six million people in Germany now have the eID.

Source: Biometric Update

Masha Borak is a technology journalist. Her work has appeared in Wired, Business Insider, Rest of World, and other media outlets. Previously she reported for the South China Morning Post in Hong Kong. Reach out to her at masha@biometricupdate.com.

Become a Patron!
Or support us at SubscribeStar
Donate cryptocurrency HERE

Subscribe to Activist Post for truth, peace, and freedom news. Follow us on SoMee, Telegram, HIVE, Minds, MeWe, Twitter – X, Gab, and What Really Happened.

Provide, Protect and Profit from what’s coming! Get a free issue of Counter Markets today.

Activist Post Daily Newsletter

Subscription is FREE and CONFIDENTIAL
Free Report: How To Survive The Job Automation Apocalypse with subscription