retro.pizza is one of the many independent Mastodon servers you can use to participate in the fediverse.

#sideloading

Apps can now block #sideloading more easily and force downloads through #GooglePlay
#Google Play Integrity API makes it easy for apps to detect when they weren’t installed from the Google #PlayStore. androidauthority.com/play-inte
argh.....
I am on #Android as I don't want a #WalledGarden
I use Google Play, and #FDroid, and #Obtainium
I don't want #Surveillance of all my apps, I want #Privacy and access to #OpenSource

@patrickcmiller : Germany's eID system vulnerable to AitM (*) attacks, leading to possible (hard to dispute) impersonation / identity fraud

(*) Attacker in the Middle

Note that this vulnerability may affect other or all "electronic passports".

The German site Heise.de (well known in western Europe, publisher of popular paper IT magazines such as c't and iX) reports [1] that a researcher was able to attack the German "eID", an electronic passport using a malicious smartphone app.

BSI, Germany's Federal Office for Information Security [2], acknowledges the vulnerability (CVE-2024-23674) but says [3] that there is no fix (I fully agree, device compromise means game over - even if the secrets themselves are safely stored in the passport itself, in a "secure hardware enclave" in a smartphone, or in a TPM in a PC).

The researcher, "CtrlAlt", published an extensive English write-up (plus PDF) at:

[0] ctrlalt.medium.com/space-attac

This risk will be exacerbated for European citizens once they can download iOS/iPadOS apps from alternative "app stores" (the EU forces Apple to allow this).

I'd like to point out that eID apps are typically VULNERABLE TO PHISHING AS WELL (not requiring device compromise and/or malicious apps): a fake (AitM) website may ask a person to authenticate using their electronic passport, and forward such credentials to another website, impersonating the real person.

Furthermore, in December BSI together with their French colleagues ANSSI published "Remote Identity Proofing" [4], assessing the risks of "VideoIdent" - to my surprise not mentioning AitM's at all. Not to mention the rapidly increasing risk from AI (such as OpenAI's Sora, which generates artificial videos).

In my opinion some things cannot be digitalized reliably without significantly increasing risks - in particular for vulnerable people (those with limited cybersecurity awareness and/or those using old, no longer supported, hardware).

Authentication, involving significant risks (for the person authenticating), therefore requiring maximum reliability, can only be achieved IN A LIVE SETTING by letting trustworthy verifiers thoroughly check hard-to-duplicate passports for falsifications and/or manipulations, and asserting that the person matches their passport-photo (plus any other physically identifying attributes).

Yes, this is more expensive, time-consuming and inconvenient, but in my opinion inevitable if risks are to be kept low.

[1] (German) heise.de/news/AusweisApp-Kriti

[2] bsi.bund.de/EN/

[3] (German) bsi.bund.de/DE/Service-Navi/Pr

[4] bsi.bund.de/SharedDocs/Downloa

P.S. A personal thank you for keeping many followers informed on current security risks!

Medium · sPACE Attack: Spoofing eID’s Password Authenticated Connection Establishment, by CtrlAlt

It has already been possible to change an #iPhone's default web browser through the "Settings" app since iOS 14.

#Apple has a March 6 legal deadline to introduce app sideloading in the European Union in order to comply with the Digital Markets Act #DMA, and iOS 17.4 will add support for this. #Sideloading will allow Apple users to download apps outside of the App Store, but the change will be limited to customers in the EU.

Now is an opportunity to improve your web experience… and your safety…