The Chaos Computer Club has duped Videoident services, calling this method of online authentication into question. Now there is uncertainty.
The Videoident procedure has prevailed because both sides benefit from it. The providers authenticate their customers with legal certainty – and can grant them access to the desired product, such as a current account or mobile phone contract, without delay. And customers don’t have to march to a post office and then wait for days, as they do with Postident.
Instead, they are directed by service providers such as IDnow or WebID to a secure web connection or a smartphone app, where their face is captured biometrically, they tilt their ID card in front of the webcam as instructed by an operator, and finally enter a TAN. That’s it. There is only one catch: in recent years, competent bodies such as the Federal Office for Information Security (BSI) and the Federal Data Protection Commissioner have repeatedly warned that the procedure has inherent weaknesses.
At some point, it is feared, someone could come up with a plan of attack using very simple means that would deprive Videoident of its integrity and thus its legal certainty. Now this scenario seems to have become reality: The Chaos Computer Club has successfully hacked six different video identification procedures, as it announced on August 10th. However, it is not known how many unsuccessful attempts it took.
“Recombination of video technology”
Take: your own and someone else’s ID card, a standard ArUco marker board, an open source software library, some consumer electronics found in every household – and red watercolor paint. In a report, CCC security researcher Martin Tschirsich describes how he successfully fooled Videoident operators into accepting someone else’s identity by “recombining several source documents using video technology”. Real attackers could use a hijacked identity in the same way to steal data, open accounts, take out insurance or obtain access to other paid services.
Roughly speaking, Tschirsich masked out biometric features such as the passport photo and data such as the address on the ID card, swapped them and re-inserted them in 3D so that the card can still be tilted convincingly. Part of the trick is to play the manipulated footage on a TV set, film its screen and feed that image into the Videoident session. The red paint is used to color the fingers so that they can be cut out and replaced wherever they cover parts of the ID card during authentication.
One thing is certain: Videoident by its nature cannot capture many of the security features of the ID card. According to some providers, the hologram check works quite well thanks to AI, a claim the CCC says it has refuted with its experiment. A haptic check is simply impossible in a video call. The comparison of biometric features had already been undermined with deepfake technology and has now been duped by the CCC with what it says are far less complex means. A real problem is looming.
Tschirsich reports, for example, that after a successful Videoident authentication using a test person’s ID card and health insurance number, he obtained both access to that person’s online insurance portal and an electronic patient record (ePA). According to him, he was then able to “access extensive health data of the insured person, including redeemed prescriptions, certificates of incapacity for work, medical diagnoses and original treatment documents”.
Ripcord pulled
The Federal Data Protection Commissioner had already warned of precisely this scenario in his 2020 activity report. At the time, he wrote verbatim about access to health data: “Video identification cannot guarantee the very high level of protection required.” Informed in advance by the CCC, the state health agency Gematik pulled the ripcord on August 9 and decreed that health insurance companies are no longer allowed to use Videoident when applying for an ePA. “A decision can only be made about the re-approval of videoident procedures when the providers have provided concrete evidence that their procedures are no longer susceptible to the weaknesses shown,” said Gematik.
The Federal Financial Supervisory Authority (Bafin) announced that it was taking the information very seriously. However, it is not yet aware of the relevant details. The banking association pointed out that Bafin had last rated the Videoident procedure, in combination with other measures, as sufficiently secure in May 2022. According to a spokeswoman, these additional measures include subjecting new customers to strict transaction monitoring for a period of six to twelve months. “The decision of the health insurance companies not to use the procedure does not automatically have to have consequences for applications in other sectors.”
The BSI announced that the attack scenario described by the CCC would now be examined carefully. What is new, in any case, is that the attacks “apparently were also carried out against production video identification systems,” said a spokesman. The industry association Bitkom criticized the skepticism about Videoident that now prevails: “Because of individual security incidents, which cannot be ruled out in the digital world any more than in the analogue world, you shouldn’t flatten the Videoident process as such with a bulldozer.” The online function of the identity card is currently not a practicable alternative.
The CCC, on the other hand, demands that Videoident “no longer be used where there is a high potential for damage”. It points out that the attack it describes “can be carried out by an interested hobbyist and even more so by motivated criminals in a short time and with little effort”. The club refers to the ID card’s eID function (e-Perso) as a secure alternative, but at the same time calls this project an “expensive non-starter”.
c’t issue 19/2022