Video-Ident is still considered sufficiently secure. Now the CCC has succeeded in cracking the video-based online identification.
Most of us have probably had to deal with video identification at some point, whether to register a new SIM card for a mobile phone or to open a new bank account. It is almost impossible to avoid the video-based online identification “Video-Ident”. Or is it?
Security researchers at the CCC have now succeeded in hacking online identification with just a few means that are freely accessible to everyone, and are demanding to “no longer use this insecure technology where there is a high potential for damage”.
Video ident tricked with open source software and a bit of color
Martin Tschirsich, a security researcher with the Chaos Computer Club (CCC), needed nothing more than that to trick or hack the Video-Ident procedure advertised as so secure. The IT security expert had only recently demonstrated serious security deficiencies in the digital driver’s license.
As erdgeist reported today in the CCC blog, Tschirsich only needed open source software and a bit of red watercolor paint.
While the whole world is afraid of sophisticated deep fakes, here the attack was successful with ancient technology and simple means.
A new identity with little effort
The trick is as simple as the possible misuse scenarios are varied. With his PoC (Proof of Concept) published on August 8th, Martin Tschirsich not only discloses the exact procedure but also shows the many dangers and the potential for abuse opened up by this rather simple way of manipulating Video-Ident.
It doesn’t take much imagination to picture what someone with a lot of criminal energy and the ability to undermine or hack the video-based online identification, which is still considered safe, could do.
Depending on the attacker’s motivation, the attack can aim to create any new identity (e.g. fraud, money laundering, bankdrop) or take over an existing identity (e.g. access to existing accounts, medical records).
The “export hit” Video-Ident
Although this has been questioned, they continue to insist on the security of said online identification.
Considerable doubts about the trustworthiness of Video-Ident have, however, been known since 2014 at the latest. The then Federal Commissioner for Data Protection and Freedom of Information recommended “forgoing the possibility of video identification” and referred to its unclear effectiveness.
But it was not only the Federal Commissioner for Data Protection at the time who had justified doubts about Video-Ident. The BSI and the CCC had also expressed concerns several times in the past, concerns that the Federal Ministry of Economics and Climate Protection, for example, does not share.
Video-Ident is also funded by the Federal Ministry of Economics and Climate Protection (Federal Ministry of Economics and Climate Protection, 2020). The business community emphasizes that Video-Ident “represents an export hit” (Wirtschaftsforum der SPD e.V., 2019).
Deaf ears at the Federal Government and the Federal Network Agency
For a long time, security researchers and data protection advocates have expressed legitimate concerns about video identification. So far, however, these have always fallen on deaf ears. That is now likely to change, because the CCC has managed to undermine a procedure that is considered safe with just a few “tools” that are accessible to everyone.
This total failure now confirms what data protection officials and the Federal Office for Information Security (BSI) have been warning about for a long time, warnings that fell on deaf ears at the Federal Government and the Federal Network Agency.
Their excuse was: “The federal government has not received any specific security incidents so far.” The CCC is happy to provide a specific security incident and thus reports the need for action.
We can look forward with interest to the reactions of the responsible authorities. Only one thing is certain at the moment: with a bit of criminal energy and a little red paint, a new identity is not a big problem, thanks to Video-Ident.