Editorial

eIDAS security flaw discovered

“During a short crash test we identified critical vulnerabilities in the eIDAS-Node software component (EU cross-border authentication). These vulnerabilities could allow an attacker to impersonate any EU citizen”

Posted 31 October 2019 by

Older versions of the EU’s eIDAS digital identity system contain a flaw that could let attackers impersonate any EU citizen, since the bug made it technically possible to forge the security certificates the system relies on.

The problems were spotted by the cybersecurity firm SEC Consult, which warned that:

“During a short crash test SEC Consult identified critical vulnerabilities in the eIDAS-Node software component (EU cross-border authentication). These vulnerabilities could allow an attacker to impersonate any EU citizen.” 

Specifically, according to the company’s advisory, if an Italian citizen wants to authenticate to a German online service, the web application first directs the German eIDAS-Node (the eIDAS-Connector) to initiate the authentication process.

The Connector then sends a request to the Italian eIDAS-Node (the eIDAS-Service). The Italian eIDAS-Node forwards the user to a system equipped to authenticate the Italian citizen using the national eID scheme. After authentication, the German eIDAS-Connector receives the citizen’s information, which it then forwards to the web application.
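The article does not spell out the mechanism of the bug. The following is an added illustration, not code from the article, from SEC Consult or from the eIDAS-Node project, of the trust decision a Connector must get right before accepting a response from another country’s Service: the certificate that signs the response has to be verified against a configured trust anchor, not merely name a known issuer. The toy PKI, the names and the key values are all constructed.

```python
import hashlib
import hmac
import json

# Constructed toy PKI: HMAC over canonical JSON stands in for X.509 / XML-DSig
# signatures so this runs with the standard library only. The key carried in a
# "cert" plays the role of the certificate's public key.
TRUST_STORE = {"CN=IT eIDAS Service CA": b"it-ca-signing-key"}  # constructed anchor

def _sign(key: bytes, payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_cert(issuer: str, issuer_key: bytes, subject: str, key: bytes) -> dict:
    body = {"subject": subject, "issuer": issuer, "key": key.hex()}
    return {**body, "sig": _sign(issuer_key, body)}

def make_response(cert: dict, key: bytes, assertion: dict) -> dict:
    return {"assertion": assertion, "cert": cert, "sig": _sign(key, assertion)}

def issuer_is_known(cert: dict) -> bool:
    # Weak check: accepts any cert that merely names a known issuer.
    return cert["issuer"] in TRUST_STORE

def chains_to_anchor(cert: dict) -> bool:
    # Strong check: the anchor's key must actually have signed this cert.
    ca_key = TRUST_STORE.get(cert["issuer"])
    if ca_key is None:
        return False
    body = {k: cert[k] for k in ("subject", "issuer", "key")}
    return hmac.compare_digest(_sign(ca_key, body), cert["sig"])

def accept_response(resp: dict, trust_check) -> bool:
    # A valid signature over the assertion proves nothing unless the signing
    # cert itself is trusted; the trust_check decides how that is established.
    cert = resp["cert"]
    if not trust_check(cert):
        return False
    key = bytes.fromhex(cert["key"])
    return hmac.compare_digest(_sign(key, resp["assertion"]), resp["sig"])

# Genuine Italian Service: its cert was issued by the trust anchor (constructed).
SERVICE_KEY = b"it-service-key"
SERVICE_CERT = issue_cert("CN=IT eIDAS Service CA", b"it-ca-signing-key",
                          "CN=IT eIDAS Service", SERVICE_KEY)
GENUINE = make_response(SERVICE_CERT, SERVICE_KEY, {"PersonIdentifier": "IT/DE/ABC123"})

# Test vector: a self-made cert that only claims the trusted issuer (constructed).
ROGUE_KEY = b"rogue-key"
ROGUE_CERT = issue_cert("CN=IT eIDAS Service CA", b"not-the-ca-key",
                        "CN=IT eIDAS Service", ROGUE_KEY)
FORGED = make_response(ROGUE_CERT, ROGUE_KEY, {"PersonIdentifier": "IT/DE/ABC123"})
```

Running `accept_response` over both responses shows the point: the name-only check passes the forged response, while the chain check rejects it and still accepts the genuine one.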

As a result, the company recommends that all operators of eIDAS-Node installations conduct a “forensic investigation into whether this vulnerability has already been abused”.

The news was released on Tuesday by the firm, but was brought to most people’s attention yesterday by the IT developer news and analysis site The Register (which also helpfully translated the above warning from the original German).

Under the headline ‘Europe’s digital identity system needs patching after can_we_trust_this function call ignored’, its write-up alleges that “Security flaws have been found in the European Union’s electronic identity system that could have been exploited by miscreants to impersonate member states’ citizens online.”

The EU has now issued a patch, but in the words of The Register’s story, “If you’re running an eIDAS-Node installation – as many member states do – then make sure you’ve updated to version 2.3.1 or higher to avoid these security weaknesses.”