The ID Wallet program promoted by the Federal Chancellery, which citizens can use to digitally identify themselves to third parties, for example with a driver’s license, initially failed in September: the service provider Digital Enabling, commissioned by the Federal Government, pulled the app from the Google and Apple stores after massive criticism from security experts and users. A request under the Freedom of Information Act has now revealed that the Federal Ministry of the Interior (BMI) had long been aware of one of the central weaknesses that came to light.
The ID Wallet is part of the larger inter-ministerial project “Ecosystem Digital Identities”. The company Digital Enabling, behind which IBM Germany and the Langen-based IT security company Esatus stand, had already published an earlier version of the app in May. Its forerunner, the Esatus Wallet, has even been available since mid-February 2020. In May, the federal government started the first pilot project of the planned ecosystem, a digital hotel check-in with partners from the travel industry. For this, Bundesdruckerei stored the owner’s verified identity data in the ID Wallet.
The concept, however, largely failed at the Federal Office for Information Security (BSI). In an assessment of the hotel project dated May 11th, now released by the BMI, it warned, among other things, of precisely the security gap that led to the September fiasco with the ID Wallet variant extended to the digital driver’s license. In particular, it is not clear to users of the app to whom they are identifying themselves at all. The identity theft made possible in this way undermines trust in the application.
BSI: Not sufficiently protected against unauthorized access
The BSI expresses the problem as follows: “The authentication of the user required to carry out a hotel check-in, based on the factors possession (‘link secret’) and knowledge (‘PIN’), takes place exclusively on the basis of key material that is stored in the wallet app.” No specially secured electronic storage and processing medium, such as a “secure element” integrated in smartphones, is used.
Personal data is also only encrypted by the app at software level and, if necessary after unlocking the mobile phone, is essentially decrypted using the six-digit secret number when the application starts. With these technical measures, the verifiable proof of identity is “not sufficiently protected against access by strangers”. This enables even less experienced attackers to copy and use such “credentials”, like the “basic ID” used here, without the owner’s knowledge and without knowing his PIN.
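The distinction the BSI draws, key material that lives only in app storage versus a key that never leaves a hardware secure element, can be made concrete in a toy model. The following Python is an added illustration and not code from the ID Wallet, Digital Enabling or the BSI; the wallet classes, the six-digit PIN `123456`, the credential bytes and the XOR-based toy cipher are constructed for the demonstration, and the secure element is simulated in software purely to show the property a real one provides (the wrapping key is not exportable and wrong PIN attempts are counted).

```python
"""Toy model contrasting software-only credential storage with a hardware-bound key.

Added example; the designs, PIN and credential are constructed, not taken from the page.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

TOY_KDF_ITERATIONS = 1_000  # far below production values; keeps the demo fast


def derive_key(pin: str, salt: bytes) -> bytes:
    """PIN -> 32-byte key. A six-digit PIN has only 10**6 possible values."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, TOY_KDF_ITERATIONS, 32)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode style keystream from SHA-256 (toy cipher, not for real use)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(credential: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Encrypt-then-MAC the credential under `key`; returns (ciphertext, tag)."""
    ct = xor(credential, keystream(key, len(credential)))
    return ct, hmac.new(key, ct, "sha256").digest()


def open_sealed(ct: bytes, tag: bytes, key: bytes) -> Optional[bytes]:
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return xor(ct, keystream(key, len(ct)))


@dataclass
class SoftwareWallet:
    """Design A (what the assessment criticises): everything needed to open the
    credential sits in the app's own storage, protected only by the PIN-derived key."""
    salt: bytes
    ciphertext: bytes
    tag: bytes
    runtime_cache: Optional[bytes] = None  # plaintext kept after the app starts

    @classmethod
    def create(cls, credential: bytes, pin: str) -> "SoftwareWallet":
        salt = os.urandom(16)
        ct, tag = seal(credential, derive_key(pin, salt))
        return cls(salt, ct, tag)

    def app_start(self, pin: str) -> Optional[bytes]:
        """Decrypts at start-up and caches the plaintext, as the BSI describes."""
        self.runtime_cache = open_sealed(self.ciphertext, self.tag, derive_key(pin, self.salt))
        return self.runtime_cache

    def copy_app_data(self) -> "SoftwareWallet":
        """A copy of the app's data directory is a complete, device-independent wallet."""
        return SoftwareWallet(self.salt, self.ciphertext, self.tag, self.runtime_cache)


@dataclass
class SecureElement:
    """Design B: simulated hardware key store. The wrapping key is generated inside
    the element, never exported, and PIN verification is rate-limited by a counter."""
    max_attempts: int = 5
    failed: int = 0
    locked: bool = False
    _wrap_key: bytes = field(default_factory=lambda: os.urandom(32), repr=False)
    _pin_check: bytes = field(default=b"", repr=False)

    def enroll(self, pin: str) -> None:
        self._pin_check = hmac.new(self._wrap_key, pin.encode(), "sha256").digest()

    def unwrap(self, pin: str) -> Optional[bytes]:
        """Returns the wrapping key only after a correct PIN; locks after too many failures."""
        if self.locked:
            return None
        if hmac.compare_digest(hmac.new(self._wrap_key, pin.encode(), "sha256").digest(), self._pin_check):
            self.failed = 0
            return self._wrap_key
        self.failed += 1
        self.locked = self.failed >= self.max_attempts
        return None


def export_secure_element_blob(se: SecureElement, credential: bytes, pin: str) -> tuple[bytes, bytes]:
    """Credential sealed under the element's key; the exported blob carries no key."""
    key = se.unwrap(pin)
    assert key is not None, "enrolled PIN expected"
    return seal(credential, key)


def demo() -> dict:
    credential = b"constructed basic-ID credential"  # constructed sample, not real data
    pin = "123456"

    sw = SoftwareWallet.create(credential, pin)
    sw.app_start(pin)
    stolen_copy = sw.copy_app_data()

    se = SecureElement()
    se.enroll(pin)
    ct, tag = export_secure_element_blob(se, credential, pin)
    for wrong in ("000000", "111111", "222222", "333333", "444444"):
        se.unwrap(wrong)

    return {
        # Design A: the copied data opens with the PIN on any device ...
        "software_copy_opens_with_pin": stolen_copy.app_start(pin) == credential,
        # ... and, once the app has started, without the PIN at all.
        "software_copy_plaintext_without_pin": stolen_copy.runtime_cache == credential,
        # Design B: the exported blob alone is useless; a guessed key does not verify.
        "blob_opens_without_element": open_sealed(ct, tag, derive_key(pin, b"")) is not None,
        # The element enforces a retry limit, which a copied software blob never does.
        "element_locked_after_wrong_pins": se.locked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `runtime_cache` field models the point the BSI makes about decryption at application start: in design A the credential is usable from a copied data directory without the PIN, and even the sealed copy is only guarded by a 10**6-value PIN space with nothing counting attempts. In design B the key that can open the blob never leaves the element, so a copy of the app data is worthless without the physical device, and the retry counter bounds PIN guessing on the device itself.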
The BSI therefore only approved the hotel check-in test because it was limited to company cell phones. These at least had a dedicated, managed business area that, together with additional organizational measures, mitigated the greatest risks.
Vulnerable to security holes, unclear benefits
The BSI expressly advised against using the concept beyond the pilot. As further “security-relevant points”, it emphasized, for example, that the use of the blockchain-based solution “significantly increases the complexity and, as a result, the fundamental susceptibility to security gaps in the entire system while the benefits are unclear”. Many of the goals could also be implemented on the basis of classic cryptographic techniques such as a public key infrastructure.
For the operation of the blockchain network and the proof of identity, cryptographic protocols and procedures are used that are “not recommended” by the BSI, the assessment continues. In general, apart from identification with the electronic ID card, the test does not use any certified components.