Security expert Wolfgang Ettlinger has discovered a vulnerability in the Austrian Citizen Card that allows attackers to spoof the credentials of their victims. This is the second time the card has been hacked. The attack exploits a vulnerability in the Java-based online version of the ID card environment (Bürgerkartenumgebung or BKU) to authorise banking transactions or sign PDF documents with the victim's qualified signature. This digital signature is legally equivalent to a signature on paper.

To do so, an attacker must first create a web site that uses the ID card to verify, for example, the visitor's age. When potential victims visit the service and enter their PIN into the BKU applet with their card inserted into a card reader, the attacker can read and store the PIN. While the victim continues to browse the site, the attacker embeds the applet again, but this time invisibly. This instance of the applet can be fully controlled by the remote attacker – from clicking on buttons to entering the previously harvested PIN. The attacker can then sign arbitrary data on behalf of the victim. To demonstrate the attack, Ettlinger has released an online video.

Ettlinger says that attackers can harvest PINs and control the applet via the Java LiveConnect API, which gives access to Java methods via JavaScript. While direct card access is performed in a context with special privileges that prevent JavaScript from executing, the user interface does not offer this level of protection. The security expert says that, although the BKU applet vulnerability has now been fixed, vulnerable versions that are already deployed remain functional.

Vulnerabilities in the interaction between card reader and browser plugins have previously also been found with the German system: a member of the Pirate Party managed to clone the German software in JavaScript and harvest a victim's PIN. He then used the PIN to open a channel to the chip card via a browser plugin.

(fab)