Austrian ID card vulnerable to spoofing attack
Security expert Wolfgang Ettlinger has discovered a vulnerability in the Austrian Citizen Card that allows attackers to spoof the credentials of their victims. This is the second time the card has been hacked. The attack exploits a vulnerability in the Java-based online version of the ID card environment (Bürgerkartenumgebung or BKU) to authorise banking transactions or sign PDF documents with the victim's qualified signature. This digital signature is legally equivalent to a signature on paper.
To do so, an attacker must first create a web site that uses the ID card to verify, for example, the visitor's age. When potential victims visit the service and enter their PIN into the BKU applet with their card inserted into a card reader, the attacker can read and store the PIN. While the victim continues to browse the site, the attacker embeds the applet again, but this time invisibly. This instance of the applet can be fully controlled by the remote attacker – from clicking on buttons to entering the previously harvested PIN. Therefore, the attacker can now proceed to sign arbitrary data on behalf of the victim. To demonstrate, Ettlinger has released an online video.