New German Government ID Hacked By CCC 86
wiedzmin writes "Public broadcaster ARD's show 'Plusminus' teamed up with the known hacker organization 'Chaos Computer Club' (CCC) to find out how secure the controversial new radio-frequency (RFID) chips were. The report shows how they used the basic new home scanners that will go along with the cards (for use with home computers to process the personal data for official government business) to demonstrate that scammers would have few problems extracting personal information. This includes two fingerprint scans and a new six-digit PIN meant to be used as a digital signature for official government business and beyond." That was quick. Earlier this year, CCC hackers demonstrated vulnerabilities in German airport IDs, too.
A sound har-de-har-har from me. (Score:1, Interesting)
But please do note that at least the Germans know how to do it thoroughly: They'd give you a home reader with it, so you can actually use that card and incidentally also see what's on it. Oh, and pwn the crap out of it, but that's courtesy the CCC.
Re:OpenPGP (Score:5, Interesting)
And once someone else gets access to your private key, you're royally screwed.
Royally screwed? I thought that's what key revocation was for. With PGP, you just revoke the old, generate a new key, and you are good to go from there on out. But how exactly do you revoke and reissue fingerprints?
Government's reply: Stick Head in Sand (Score:3, Interesting)
"Meanwhile on Tuesday the Federal Office for Information Security (BSI) rejected the Plusminus' criticism of the new ID card. The agency's personal identification expert Jens Bender said the card was secure"
It's not secure. They just hacked it without special equipment, they used the scanner that you provide. Saying it's secure in response just means you're
Your ATM card doesn't have your pin on it. Neither does your credit card, or your student ID, employee ID, etc. unless someone really stupid designed the system. How does this get missed? Why are the fingerprint scans on there? Did more than one person look at the plan before they went ahead with it?
This is one of the largest mind-blowingly stupid decisions I've heard lately.
Re:Ugh: Identification vs authentication (Score:3, Interesting)
Not entirely a bad idea, but the concept behind storing the information on the device itself is so that nobody except the owner has possession of it. And, in theory, every authorized agency has immediate access to the information if they have physical access to the device.
The alternative is a massive database that virtually every government agency needs to access with everyone's information in it. Data mining that carries substantial risks but is an opportunity that just couldn't be denied. Also, because of the widely disparate agencies that need access what you end up with is something that is so open that everyone can get at it.
Think of the DMV data in the US. It is centralized by state but the police and DMV agents have access. As well as a few other agencies. Oh, and by the way, just about every private investigator has access. Now in most states because it was so wide open they got trapped into basically selling access subscriptions. So there are a few hundred organizations that pay for access to every state's records.
This is the scenario they are trying to avoid with having the person possess their own information and not having it in some large virtually uncontrollable database. Too many people need access - probably legitimately - but access for short periods of time for well defined purposes that happen to also include having the person in front of them.
The big national database might be a good idea, but the control and access problems have already been seen in way too many situations.
Re:OpenPGP (Score:1, Interesting)
But that would mean there had to be a central database containing the fingerprints and identities of all citizens.
Isn't that exactly what people are trying to avoid?