sPACE Attack: Spoofing eID’s Password Authenticated Connection Establishment

ctrlalt.medium.com

27 points by snmx999 2 years ago · 6 comments


lxgr 2 years ago

Is this unexpected? When your PIN input and transaction confirmation device is untrusted, about the only thing a smart card can protect against is key exfiltration, and maybe rate limiting signature/authentication attempts (I believe the German protocol sends trusted timestamps from the remote reader which would allow that).

Tapping your card and entering your PIN in a compromised app/on a compromised device has the same (and to me expected) result as tapping it on a fraudster’s device directly and providing them the PIN.

  • zeeZ 2 years ago

    Yeah, this is a phishing attack replacing the terminal with a compromised one.

    The terminal used the PIN for three transactions: the original sign-in process, the attacker's ID verification process for the bank, and a "Selbstauskunft", which is essentially an echo service that returns data read from the card back to the user.

    It's not a very performant process and needs to happen in near real time.

  • a3w 2 years ago

    When using a PC, isn't one supposed to use a hardware RFID reader[^1] with a physical numpad to enter the key? Then, the PC never gets a hold of the PIN. Ideally, the hardware reader has a display to show 1. which data is sent to 2. which site/authority that is asking for it.

    So on a phone, with every layer of the communication in just software, not hardware, is that inherently unsafe? (On e.g. Apple phones a security chip could work to increase security, but if a prompt is faked, the PIN can still be exfiltrated.)

    [1]: Free RFID USB readers were given out at every local agency in Germany, but those were the cheap models, without a numeric input.

    • lxgr 2 years ago

      Yes, but realistically, nobody is going to get a hardware CCID reader with the required security level and connect it to their computer anymore (assuming they even have one – for more and more people, their smartphone is their main and sometimes only computing device they own).

      What might work today is a Bluetooth-capable smartcard reader with a PIN pad and display for secure transaction confirmation ("enter your PIN to open a bank account with bank xyz" vs "enter your PIN to confirm that you own a valid driver's license for the purpose of renting a car" etc.), but even that is a stretch and will probably only ever see very low adoption.

      It would be great to have it as an option supported by the official reader app, though!

kohlschuetter 2 years ago

The research paper has shown the existence of a vulnerability in the German eID scheme, posing a significant risk to all services relying on the eID, especially those handling sensitive data such as insurances, banks, and government services.

The vulnerability has the CVE-ID CVE-2024-23674 and a CVSS rating of 9.7 (Critical).

A bank account has been successfully opened in the name of a victim at a major German bank.

stop50 2 years ago

The first attack that is somewhat usable, if there are users to exploit.
