New German national ID card hacked by Chaos Computer Club

The feature-rich cards, which the government has spent €24 million on so far and is hoping will be used by a variety of third-party organisations, are capable of storing useful authenticators such as biometric data and allied information.

Or rather, was hoping, as German newswires have reported that members of the Chaos Computer Club demonstrated how easy the cards were to crack live on the WDR TV channel, reportedly resulting in considerable consternation in government circles.

According to Deutsche Welle, the German media portal, the Chaos hackers appear to have cracked the PIN system on the cards, which then allows the hackers to impersonate the cardholder online.

The BSI, the Federal Office for Information Security, has apparently acknowledged that the card's PIN can be cracked using trojan malware, noting that the methodology of the hack is similar to keylogging software.

Commenting on the card hack, Richard Kirk, European director of Fortify Software, said that the crack was almost certainly down to a failure of security being added as an afterthought, rather than integrated from the earliest stages of the development process.

"The gameplan with this card – which is capable of carrying a wealth of data on German citizens, including their online banking data, personal biometrics and authentication information for use when interacting with online government web sites – is quite extensive", he said.

"But given the fact that the notorious Chaos Computer Club has cracked the card system on a WDR TV programme, it will almost certainly discourage German citizens – or third party institutions – to adopt the technology", he added.

Kirk went on to say that it is critical to any new security system that its users have absolute confidence in the platform, if the system is to take off.

The ID card industry was hit badly this year, he explained, when the UK government scrapped its plans for an ambitious UK national ID card system, so this very public cracking of the German card scheme – weeks before it is due to go live – is not positive on several levels.

On one level there is the public confidence in the security, whilst on another there are the commercial implications for the German ID card system, since third-party organisations will not have been filled with enthusiasm over the TV cracking of the system, he said.

Kirk said that the ID card project is a breathtaking example of what can go wrong on the development front when developers don't 'get' the need for security as a fundamental aspect of an IT project.

"Yes, the card system is claimed to be more secure than an ID/password combination, but that's not the issue here. Confidence in the new German ID card programme has been shattered, so the government will have to resolve the situation", he said.

"And that resolution is going to cost far more money than it would have cost the government and its contractors to integrate high levels of security into the development process", he added.

What’s Hot on Infosecurity Magazine?