Date: 2022-08-16

The CCC has hacked the videoident procedures of various providers: the identification method is now prohibited for setting up an e-patient file.

Using simple means, members of the Chaos Computer Club have undermined the videoident procedures of six providers. Since Tuesday, the identification method may no longer be used when setting up an electronic patient record (ePA). The Chaos Computer Club (CCC) has now explained in detail how this worked.

The online identification procedures were tricked in order to create and fill out an ePA. With a little color and open-source software, the procedures of six national and international providers could be outwitted. The CCC did not name the providers. Instead, in a press release, the CCC calls for the procedures to be generally “no longer used where there is a high potential for damage”.

Use of the videoident procedure “negligent”

Gematik GmbH, which is responsible for digitization, was the first organization to react and temporarily prohibited health insurance companies from using videoident processes. In the CCC press release, Martin Tschirsich, a security researcher at the CCC, warns against its use: “In the light of these discoveries, it would be negligent to continue to rely on Videoident where misuse can potentially cause irreparable damage – for example through unauthorized disclosure of the most intimate health data.” In addition, everyone who has previously used video identification procedures would have to weigh up how identifications that have already taken place are to be dealt with, because even the “AI test” named by providers as a miracle weapon could be overturned during the attacks. Therefore, the CCC calls for a fundamental revision:

“It is time for an end to the reversal of the burden of proof: those affected should not have to prove weaknesses in the systems, rather the process operators should be obliged to prove their security according to recognized rules. In the future, the fulfillment of existing and new requirements should be proven regularly by independent tests under real attack conditions. In particular, any statement on the effectiveness of countermeasures requires reliable evidence. The mere assertion that one sprinkled some AI over it must no longer suffice.”

In the detailed documentation of the attacks, Martin Tschirsich presents not only the previously known methods of manipulating data, images and holograms on an ID card before the card is held up to the camera for inspection in a video conference. According to him, combining several ID cards in the video stream to form a forged ID document can also overcome the “better examination protection” that the use of artificial intelligence is supposed to offer. The attack was not detected by six providers. The documentation does not state how many providers were examined in total.

Attack can be carried out with little effort

The conclusion of the CCC is simple: “The attack can be carried out by an interested hobbyist and even more so by motivated criminals in a short time and with little effort.” “It is particularly bitter that secure ID methods such as the electronic ID function of the ID card are not used,” continues the CCC. Hardly anyone uses this secure online identification, the club complains. With its campaigns for the then-new ID card, the club itself also played a not inconsiderable part in the fact that the e-ID function was not accepted by German citizens.