The Limited Times


Personal security vulnerability – data of 50 million users potentially at risk

2024-02-19T04:41:32.461Z




As of: February 19, 2024, 5:30 a.m.

By: Philipp Bräuner


There is a security gap in the online function of the German ID card.

The hacker who discovered the problem warned authorities.

Munich - Of all personal data, that of the electronic identity card (or eID) is among the most sensitive.

According to the Federal Ministry of the Interior, use should be safe and easy.

A report by Spiegel about a possible security gap in E-Perso is therefore particularly explosive.

Ultimately, this would potentially put the data of over 50 million users of the online ID function at risk.

Hackers also recently used a vulnerability for an attack at Apple.

As Spiegel reports, a hacker has now managed to steal the PIN code for the “AusweisApp” and the ID of the identity card.

Fraudsters could use this data to take out insurance or open bank accounts.

The hacker actually did the latter.

And this despite the fact that there are now sometimes higher hurdles when opening an account.

System attack on e-personal data by “white hat hackers”

However, the attack did not cause any real damage because the hacker with the pseudonym “CtrlAlt” is a so-called white hat hacker.

This movement among cybersecurity professionals, also known as ethical hacking, has set itself the task of attacking online systems - but for the benefit of users.

If someone finds a vulnerability there, as in this case with the electronic ID card, they make it public and warn authorities, companies and users.


However, this is still illegal in Germany, which is why “CtrlAlt” would like to remain anonymous.

As the IT magazine Heise reports, this could perhaps change in the near future.

According to the report, Federal Justice Minister Buschmann announced last November that he wanted to soften Section 202c of the Criminal Code, also known as the hacker paragraph.

Hacker builds fake app to access online ID card data

According to Spiegel, “CtrlAlt” developed an app for his current test attack in order to gain access to the data.

It looks so similar to the official “AusweisApp” that laypeople don’t even notice the difference.

For example, if a victim wants to verify his or her age in an online shop using E-Perso, the trap springs shut.

Instead of the real AusweisApp, the fake application would open unnoticed on the smartphone.

This could have gotten onto the cell phone either via a special Trojan or another fake program from the App Store.

When the victim then scans their ID card and enters the PIN, the data ends up with the hacker.


“CtrlAlt” did not keep the knowledge of this security gap to himself.

The hacker had already forwarded the information to the Federal Office for Information Security (BSI) at the end of last year, the Spiegel report continues.

He also documented his actions on the Medium platform.

The responsible authority sees a security risk for online ID cards on end devices

The BSI explains that it sees no reason for “changing the risk assessment when using the eID”.

From the authority's point of view, this is “not an attack on the eID system, but on the users' end devices”.

After all, the attack was carried out via a different app and therefore only via the victim's smartphone.

Nevertheless, the authority emphasized that it was taking the hacker's warning seriously.

(pkb)

The health ID is also intended to promote digitalization in Germany in the health sector.

Source: merkur
