
New German Government ID Hacked By CCC

Posted by timothy
from the danke-sehr-fuer-die-papieren dept.
wiedzmin writes "Public broadcaster ARD's show 'Plusminus' teamed up with the known hacker organization 'Chaos Computer Club' (CCC) to find out how secure the controversial new radio-frequency (RFID) chips were. The report shows how they used the basic new home scanners that will go along with the cards (for use with home computers to process the personal data for official government business) to demonstrate that scammers would have few problems extracting personal information. This includes two fingerprint scans and a new six-digit PIN meant to be used as a digital signature for official government business and beyond." That was quick. Earlier this year, CCC hackers demonstrated vulnerabilities in German airport IDs, too.
  • by Anonymous Coward on Thursday September 02, 2010 @01:19PM (#33454578)

    They have, they just use special invisible tattooing ink that can be read by satellites.

  • by Anonymous Coward on Thursday September 02, 2010 @01:22PM (#33454612)

    4. Get it on an episode of Mythbusters...

    That's basically #3, they'd just be censored instead of arrested, like that time with the credit cards.

  • Re:OpenPGP (Score:2, Informative)

    by Anonymous Coward on Thursday September 02, 2010 @01:26PM (#33454686)

    Private keys have passwords which *should* protect the key if someone gets a hold of your private key.

    Ofc, if you're dumb enough to have no password or something that can easily be bruteforced, then it's your problem.

  • by Anonymous Coward on Thursday September 02, 2010 @01:52PM (#33455204)

    The PIN is not stored on the card. The whole summary is quite misleading.

    - This is not about extracting information from the ID card (be it PINs, fingerprints or whatever)
    - it has nothing to do with the RFID chip

    What the CCC demonstrated is that, by typing your PIN on your PC keyboard, it can be logged by a key logger if your PC is infected by such a program.

    The main problem is that the government wants to distribute "starter kits" with a simple card reader making use of the PC keyboard to enter the PIN. More secure (and a bit more expensive) card readers with their own keypad eliminate this problem.

  • Re:PGP not a panacea (Score:3, Informative)

    by malloc (30902) on Thursday September 02, 2010 @02:23PM (#33455700)

    The pgp digital sig proves it was sent by your computer, or any other digital device in the universe that has a copy of your key, but not necessarily sent by you.

    FTFY.

  • by Archangel Michael (180766) on Thursday September 02, 2010 @02:32PM (#33455838) Journal

    According to Mythbusters (whatever you think of the show), getting a fingerprint is easy, and the scanners aren't that great at telling fakes from the real. You should watch that episode, it is quite revealing. The expensive scanner was worse than the one built into the laptop.

    So, I wouldn't count on that to secure your Laptop/Phone.

  • by jgtg32a (1173373) on Thursday September 02, 2010 @04:54PM (#33457772)
    DNA scans take a long time
  • by Peeteriz (821290) on Thursday September 02, 2010 @05:40PM (#33458394)

    It's far safer than magnetic cards; I've heard no fraud cases where the PIN has been successfully extracted from the chip or the chip data cloned - reading the chip's contents would generally be far more expensive than the maximum money limits on the card. Mag-stripe cards can be cloned by a cafe waiter or a tiny 10$ device hidden on an ATM and then your money used in any place that "verifies" only signatures.

    Also for the ID card - if it has some way to send the fingerprint data or encryption key outwards, then that is a design fuckup; but if it is only able to verify pin and sign message packets with the key if the pin is valid, and permanently erase the key if pin is entered wrongly a few times, then the security is quite adequate.

  • Actually ... (Score:2, Informative)

    by garry_g (106621) on Friday September 03, 2010 @04:01AM (#33462480)

    ... it's not the ID card itself they managed to hack, but a basic reader ...
    Germany planned on handing out free readers (something like 1 million of them) for the ID cards, enabling people to sign electronic messages and the likes ... Now, while the idea might sound good, they decided on giving out the cheapest kind of readers, which are basically JUST readers. They rely on the PC to enter the code for the card. This is where the attack was targeted - using some PC software, they managed to record the information sent to and from the reader. Once you have the code, you could then steal the ID and use it to fake your identity. More expensive readers have displays and keypads that keep all unlocking away from the actual PC, so keyloggers or similar won't be able to steal the code ...
