One day after its release, the software used to read new German ID cards was shown to be vulnerable to attack. The Federal Office for Information Security has removed links to the program from its website. Jan Schejbal, a German computer security researcher living in Sweden, described a way to hack the new electronic German ID card software.
The new cards, which became available November 1 and will gradually replace current German cards, contain an RFID wireless chip, the same kind found in many contactless security or payment keycards. The chip stores digital versions of the card holder's photo, name, address, date of birth, height, eye and hair color and location of issuance.
The Interior Ministry and the Federal Office for Information Security (BSI) have claimed the cards will help the government provide easy-to-use digital signatures and other government services, as well as protection against online scams and phishing attacks. Germans can also use the IDs in place of a passport when traveling within the European Union. But to be useful to individuals, the digital information on the cards needs to be accessed with a card reader.
A major flaw was found in the way the first version of AusweisApp, downloaded from a German government website, checks for updates. The software does not verify the origin of a digital security (SSL) certificate, which leaves the program open to a spoofing attack that conceivably could lead to the download of malicious software.
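
The missing check, sketched as an added example (this is not AusweisApp code and not from the original article). It assumes "origin" means the certificate was issued for the update server's host name; the host name and both certificates are constructed.

```python
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def cert_covers_host(cert: dict, host: str) -> bool:
    """True if one of the certificate's DNS subjectAltName entries names `host`."""
    host_labels = host.lower().rstrip(".").split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host_labels):
            continue
        # A wildcard is honoured only as the entire leftmost label and
        # never directly under a top-level domain.
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == host_labels[1:]:
                return True
        elif pattern == host_labels:
            return True
    return False


def flawed_update_check(cert: dict, chain_trusted: bool, update_host: str) -> bool:
    """Behaviour described in the article: any certificate with a trusted chain passes."""
    return chain_trusted


def hardened_update_check(cert: dict, chain_trusted: bool, update_host: str) -> bool:
    """Trusted chain AND the certificate was issued for the update host."""
    return chain_trusted and cert_covers_host(cert, update_host)


UPDATE_HOST = "update.ausweis.example"  # hypothetical update server name

# Constructed samples: both are assumed to chain to a trusted CA.
GENUINE_CERT = {"subjectAltName": (("DNS", "update.ausweis.example"),)}
UNRELATED_CERT = {"subjectAltName": (("DNS", "www.unrelated.example"),
                                     ("DNS", "*.unrelated.example"))}


def compare(cert: dict) -> tuple:
    """Return (flawed result, hardened result) for a chain-trusted certificate."""
    return (flawed_update_check(cert, True, UPDATE_HOST),
            hardened_update_check(cert, True, UPDATE_HOST))


if __name__ == "__main__":
    print("genuine  :", compare(GENUINE_CERT))
    print("unrelated:", compare(UNRELATED_CERT))
```

In real client code neither check should be hand-written: Python's `ssl.create_default_context()` enables both chain validation and host name checking, and the flaw corresponds to switching the second one off.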