Security flaw discovered in new German ID card reader

The national ID card, which was released on Nov. 1, contains an RFID wireless chip that stores digital versions of the card holder’s photo, name, address, date of birth, height, eye and hair color, and location of issuance. A card reader is needed to access the digital information.

The AusweisApp (ID App) software that runs the card reader contains a security flaw, according to Jan Schejbal, a German information security researcher living in Sweden.

According to a report by Deutsche Welle, Schejbal noticed a major security flaw in the ID App software when he downloaded it from a German government website. The software does not verify the origin of the digital security certificate, which leaves the program open to a spoof attack that could result in the downloading of malicious software that steals personal data.

“The electronic ID itself may have quite a high security level. However, this security becomes worthless if the framework, which is used to access this secure core, is insecure and allows compromising overall security”, Schejbal told Deutsche Welle.

The German Federal Office for Information Security said it was looking into the security issue and had removed the software from its website to prevent more people from downloading the program. "The media has been made aware of a perceived vulnerability in the software AusweisApp necessary for the eID feature of the new ID card", the office wrote on the German tech news website Heise.de.
 
