Security vulnerabilities in Austrian Citizen Card despite certification
The Austrian government has been trying to promote its Citizen Card, and with it electronic signatures for government services, banking and other applications, for several years. Trust and acceptance within the population, however, remain low. Now it turns out that government departments and manufacturers have failed to publish details of implementation errors in the 'Citizen Card environment' software which they have been aware of since 2006. Certification authority A-SIT, which certified the software as secure, has also had nothing to say about the errors.
Research carried out at the Technical University of Vienna, made public this weekend, although given to the departments responsible for the card in 2006, describes successful attack scenarios. An encrypted connection to the Austrian Ministry of Finance's FinanzOnline service (which businesses must use to submit tax returns and applications) established using the Citizen Card could, in 2006, be hijacked and the session continued on another computer. The content of encrypted e-mails could also be changed and signed so that recipients were unable to notice the difference.
The most critical problem, however, is the third security vulnerability. The researchers succeeded in injecting a different document onto the user's system, with the original document continuing to be displayed on the screen – with the result that it would appear to the user they were signing a visible document while in fact signing another, invisible document.
It is not clear whether all of these problems have been fixed. Information such as public source code and version information has not been forthcoming. Quintessenz, which campaigns for civil rights in the digital age, concludes that even A-SIT certification is no guarantee of secure software.
A-SIT is an organisation established by the Ministry of Finance, the Nationalbank and the Graz University of Technology. The Austrian government's Chief Information Officer, Reinhard Posch, is the organisation's scientific director and a board member. A-SIT also certified the software which is now being used, from today, for e-voting for the Austrian Students' Union (ÖH).
What the three successful 2006 attacks have in common is that they all use a trojan to attack the interface between the Citizen Card environment and other software components. The researchers carried out their attacks on IT Solution's free (but not open source) trustDesk basic Citizen Card environment. At the time, the software was only available for Windows XP. BDC's hotSign, the only contemporary competitor product, was also considered to be insecure by the experts. trustDesk basic's trustview components are intended to ensure that the user knows what he is signing. The content should therefore be displayed both before and after entering the PIN. The document is, however, saved to the hard drive as a temporary file. Using Detours (API hooking), the Citizen Card software was redirected to access a different file, which was then signed and displayed on the screen using HTML. The attackers used the Windows document object IHTMLDocument2 to alter the HTML body such that the original document was displayed, whilst the alternative document was signed. The researchers stressed, however, that non-HTML display methods would also be vulnerable: all that was necessary was to overwrite the window displayed by the Citizen Card environment, which could be achieved by accessing the graphics drivers or simulating the desktop.
Hijacking a connection to FinanzOnline proved to be relatively easy. After logging in with the Citizen Card, FinanzOnline transfers a cookie, which is used to label all subsequent queries. The server does not, however, check that the cookie data always comes from the same computer. An attacker, therefore, merely needs to copy the cookie onto another system, from where they are then able to access FinanzOnline with the original owner's identity. The cookie, and therefore the session, was hijacked using an Internet Explorer plug-in (Browser Helper Object). Such a plug-in could be installed using a trojan, for example.
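The weakness described above is that the cookie alone is the credential: nothing ties it to the client that authenticated with the Citizen Card. The following is an added example (not FinanzOnline code) of a server-side session store that binds each session to a per-client channel identity; it assumes the server can see such an identity, modelled here as the DER bytes of the client's TLS certificate, and the "unbound" lookup mirrors the 2006 behaviour for comparison.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    channel_binding: str  # SHA-256 fingerprint of the client identity seen at login


class SessionStore:
    """Session table keyed by cookie value, with channel binding (hypothetical)."""

    def __init__(self):
        self._sessions = {}
        self.alerts = []  # detection log for cookies presented from another client

    @staticmethod
    def _fingerprint(client_cert_der: bytes) -> str:
        return hashlib.sha256(client_cert_der).hexdigest()

    def login(self, user: str, client_cert_der: bytes) -> str:
        """Issue a cookie and remember which client it was issued to."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._fingerprint(client_cert_der))
        return token

    def lookup_unbound(self, token: str):
        """2006-style check: whoever presents the cookie is the user."""
        sess = self._sessions.get(token)
        return sess.user if sess else None

    def authenticate(self, token: str, client_cert_der: bytes):
        """Hardened check: cookie AND matching channel identity are required.

        A cookie replayed from a different client is treated as leaked: the
        event is logged and the session is invalidated for everyone.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        presented = self._fingerprint(client_cert_der)
        if not hmac.compare_digest(presented, sess.channel_binding):
            self.alerts.append(f"session of {sess.user} replayed from another client")
            del self._sessions[token]
            return None
        return sess.user
```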
The Citizen Card (with the exception of the E-Card) can be used to add a simple certificate to email sent from common email clients. A-Trust, Austria's only supplier of official Citizen Card certificates, has, for example, made a Thunderbird plug-in available for this purpose. The researchers used this to demonstrate how it was possible to change the content of a message and still generate a valid signature for it. A local SMTP proxy and diverting the hash function, again using Detours, was all that was required. Users would only notice this tampering if they were to check their own signatures on sent email.
(Daniel AJ Sokolov)
- FinanzOnline, from the Austrian Ministry of Finance (German).
- eVoting: Certifications are smoke and mirrors, advisory from quintessenz.org (German).
- trustDesk basic, IT Solution's basic Citizen Card environment (German).
- hotSign, BDC's Citizen Card environment (German).
- .atrust Tools for Mozilla Thunderbird, Citizen Card certificate plug-in for Thunderbird (German).