Chaos Computer Club exposes video identification vulnerabilities

Anyone who wants to open an account with an online bank or sign a new mobile phone contract today no longer necessarily has to visit a branch of the provider. Presenting an ID card or driver's license in a kind of video call via a mobile phone app is often enough to have it checked. Such video identification services, usually just called Video-Ident in everyday use, are being offered in more and more areas.

Now, however, experts from the Chaos Computer Club (CCC), led by the well-known security researcher Martin Tschirsich, are showing what security risks the procedure harbors. With little effort they managed to register with six providers under a false identity, and were even able to view the electronic patient record of a consenting test subject.

Already on Tuesday, Gematik, the IT service provider for the healthcare sector, had blocked access to the electronic patient record via Video-Ident; health insurance companies have to switch the procedure off. Today the hackers published details of the vulnerabilities they found in the video identification methods on the market.

TV and Color

The challenge for the security researchers: they had to deceive the employees of various video identification services. In the video call, those employees check certain security features, such as the holograms integrated into ID cards. To expose forged documents, customers are instructed to hold the ID card in front of the camera at different angles, and sometimes to cover certain parts of the card with a finger to make video manipulation harder.

Overlaying an authentic ID card with a digital forgery in such a real-time conversation therefore required considerable effort. In preparation, Tschirsich first had to photograph the real ID card from many angles. From these photos the hackers built a digital twin of the document in which they could replace the name, the address or even the photo. During the video call with the support employee, the real ID could then be seamlessly replaced by the fake twin.

No complex hacks were needed to feed the fake video image into the call: the hackers simply pointed the phone at an ordinary television on which the manipulated video was played in real time. Because of the limited video quality of mobile phone cameras, the employees of the video identification service could not tell that the hacker was not sitting directly in front of the phone.

Deception suitable for amateurs

The hackers did run into difficulties with the details. Because their real-time software sometimes struggles to tell objects apart, problems arose when the test subject was supposed to cover part of the presented document with a finger. The resulting glitches in the video would easily have exposed the deception. But the problem was quickly solved: the test subject simply painted the hand red so that the computer could more easily distinguish it from the ID card. Restoring the hand's natural color via video manipulation was then no problem.
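The trick in the paragraph above is ordinary chroma keying with occlusion handling: pixels of the key color (the red-painted hand) are kept on top and recolored, everything else inside the card region is replaced by the forged twin. The following is an added illustration, not code from the CCC or from any identification provider. It works on tiny constructed frames of (r, g, b) tuples so it runs without OpenCV or numpy; the thresholds, colors, coordinates and function names are assumptions chosen for the demonstration, and it also shows the failure mode described above: with a bare hand, a naive skin-color rule misses a shadowed finger pixel, which then gets painted over by the forgery.

```python
"""Chroma-key compositing of a forged ID card over a keyed (red-painted) hand.

Added example, not CCC code. Frames are small constructed lists of rows of
(r, g, b) tuples, so the example runs without any image library.
"""

WIDTH, HEIGHT = 8, 6
BACKGROUND = (40, 40, 40)      # dark room behind the caller (constructed)
REAL_CARD = (230, 225, 220)    # real document as the camera sees it (constructed)
FAKE_CARD = (200, 255, 200)    # stands in for the forged twin's pixels (constructed)
DOC_RECT = (2, 1, 6, 5)        # x0, y0, x1, y1 (exclusive): where the card sits
SKIN = (220, 180, 150)         # tone painted back onto the keyed hand (assumed)

# Hand pixels covering part of the card: (x, y, lighting). Constructed input.
HAND = [(3, 2, "lit"), (3, 3, "shadow"), (4, 3, "lit"), (3, 5, "lit")]


def red_paint(shade):
    """Colour of a red-painted hand pixel; shadows darken it but keep it red."""
    return (200, 30, 30) if shade == "lit" else (130, 40, 40)


def bare_skin(shade):
    """Colour of an unpainted hand pixel; shadows shift it well away from SKIN."""
    return (220, 180, 150) if shade == "lit" else (170, 130, 105)


def is_keyed_red(p):
    """Chroma key: strongly red, little green/blue. Robust to shading."""
    r, g, b = p
    return r >= 120 and g <= 80 and b <= 80


def is_skin_like(p):
    """Naive 'find the bare hand' rule: a box around one skin tone (assumed)."""
    r, g, b = p
    return abs(r - 220) <= 25 and abs(g - 180) <= 25 and abs(b - 150) <= 25


def make_frame(hand_pixels, hand_colour):
    """Build a camera frame: background, real card, hand drawn on top."""
    frame = [[BACKGROUND] * WIDTH for _ in range(HEIGHT)]
    x0, y0, x1, y1 = DOC_RECT
    for y in range(y0, y1):
        for x in range(x0, x1):
            frame[y][x] = REAL_CARD
    for x, y, shade in hand_pixels:
        frame[y][x] = hand_colour(shade)
    return frame


def composite(frame, is_hand, fake=FAKE_CARD, skin=SKIN):
    """Replace the card by the forgery, keep keyed hand pixels on top, recolour them."""
    x0, y0, x1, y1 = DOC_RECT
    out = [row[:] for row in frame]
    for y in range(HEIGHT):
        for x in range(WIDTH):
            if is_hand(frame[y][x]):
                out[y][x] = skin                       # hand stays in front, natural colour
            elif x0 <= x < x1 and y0 <= y < y1:
                out[y][x] = fake                       # card region: forged twin
    return out


def artefacts(out, hand_pixels, skin=SKIN):
    """Hand pixels that the forgery painted over: visible glitches an agent could spot."""
    return sum(1 for x, y, _ in hand_pixels if out[y][x] != skin)


def run_demo():
    """Return (glitches with red-painted hand, glitches with bare hand)."""
    painted = composite(make_frame(HAND, red_paint), is_keyed_red)
    bare = composite(make_frame(HAND, bare_skin), is_skin_like)
    return artefacts(painted, HAND), artefacts(bare, HAND)


if __name__ == "__main__":
    print("glitches (red key, bare hand):", run_demo())   # (0, 1)
```

The red key survives the shadowed finger because the rule only asks for "much more red than green or blue", whereas the skin-tone box rule is tuned to one lighting condition and drops the shadowed pixel, exactly the kind of error the text says would have given the forgery away.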

Tschirsich, who wrote the CCC report presented on Wednesday, assumes that in principle laypeople could exploit the vulnerabilities as well: the techniques required for video manipulation are already widely available.

Access to other customer data

The hackers' verdict is devastating: according to them, all six providers they tested accepted the forged documents, and in one case the security researchers also discovered a vulnerability that let them access other customers' data.

To check how susceptible the procedures are to forgery, the hackers also requested from the providers the stored recordings of their identifications with the false ID. The result: imperfections in the manipulated videos were occasionally visible, but the employees of the video identification providers did not notice them. The employees are also said to have ignored whether the security features contained in the hologram matched the other information in the document. The CCC's conclusion: video identification as practiced today is a »total failure«.

Tschirsich demands consequences: »In the light of these discoveries, it would be negligent to continue to rely on video identification where misuse can potentially cause irreparable damage – for example through unauthorized disclosure of intimate health data,« explains the security researcher. The providers' promises to improve video identification using artificial intelligence are a dead end too, he says.

The conclusion is unlikely to meet with much approval from the providers. The IT industry association Bitkom publicly complained on Wednesday about the shutdown at the health insurance companies. "With the blanket and unannounced ban on video identification procedures at health insurance companies, Gematik has done patients in Germany a disservice," explained Bitkom CEO Bernhard Rohleder.

Instead of banning the technology across the board, he argued, solutions to secure the procedures should have been presented. The online function of the German identity card, however, is currently not a practicable alternative, since too few citizens have activated it or know how identification with it works.
