The Video-Ident procedure is used for numerous areas on the Internet. Bank accounts can be opened and contracts concluded in this way, for example. But now a serious security gap has been discovered in the video identification process, which has always been considered secure.
The security experts from the Chaos Computer Club (CCC) have managed to outsmart the video identification process and thus reveal a security gap. In the process, users have to hold their ID card in front of a camera from different angles in order to identify themselves. But this is exactly where the problem lies.
CCC discovers a security gap in the video identification process
The CCC manipulated the entire identification process of the Video-Ident procedure and thus encountered the security gap. The experts created a digital twin of an ID card and replaced it with the name, address and passport photo. Using software, they then merged the original and the revised copy of the ID card into a video copy. Now they started the video identification process, but instead of holding a real ID, they held the video with the copy of the ID for the camera. At the same time, they used a smartphone with a poor camera, which plausibly reduced the quality of the image transmission. The circumstance was enough to fool the employees of the video identification service into believing that the ID card was real.
A total of six national and international providers of the video identification process were fooled in this way. Particularly bad: The procedure worked even if obvious errors were visible on the ID card. The experts at the CCC therefore assume that ordinary users could also exploit the security gap in the video identification process for themselves. The conclusion was therefore unequivocal: The experts described the security of the procedure as a “total failure”.
Also read: Activate online banking access from home
Electronic medical records accessible through vulnerability
As mentioned at the beginning, the video identification procedure on the Internet is often a prerequisite for the conclusion of accounts or contracts. However, it is also used in the medical field, for example to gain access to the ePatient file and ePrescription services. Due to the security gap in the video identification procedure, the experts could thus gain access to the medical records of each of the 73 million people with statutory health insurance in Germany. And that includes the medical information stored there from doctors, hospitals and insurance companies. The CCC even tested that this works without any problems and called up and opened the files of an initiated test person. The security experts then had access to completed prescriptions, disability certificates, medical diagnoses and original treatment documents.
The health insurance companies have to suspend the video identification process for the time being due to the security gap. The step is unavoidable against the background of the high protection requirements in the digitization of the healthcare system, according to the digitization service provider of the German healthcare system, Gematik. “Gematik has declared the further use of video identification procedures for the issuance of means of identification for use in the telematics infrastructure (TI) to be no longer permissible and on August 9, 2022 decreed that the health insurance companies can use the video identification procedure with immediate effect suspend,” reads the official statement. A decision can only be made about the re-approval of video identification procedures when the providers have provided concrete evidence that their procedures are no longer susceptible to the weaknesses shown. The Federal Ministry of Health is also behind the decision to stop the video identification procedure in the medical sector for the time being.
Also read: Digital driver’s license comes to cell phones – but still has limitations
The reaction of the authorities
But not everyone is as cautious as Gematik. The CCC points out that data protection authorities and the Federal Office for Information Security (BSI) have long been warning of security gaps such as those in the video identification process. According to the experts, however, they have so far “fallen on deaf ears” at the Federal Network Agency. The authority’s justification: “The federal government has not yet become aware of any specific security incidents.” And in fact, the vulnerability that has now been discovered was not previously known to the BSI. The CCC is therefore pleased, according to its own statement, to bring in a specific security incident and thus to be able to highlight the need for action.
The BSI also emphasized that the decision as to the extent to which the video identification process can continue to be used in other areas of application under the given circumstances is the responsibility of the respective supervisory authorities. The CCC report apparently shook many of them up. For example, the responsible Federal Financial Supervisory Authority (Bafin) explained at the request of hotthat the information is also taken very seriously. However, the decision of the health insurance companies not to use the procedure does not automatically allow conclusions to be drawn about applications in other sectors. Because the authorities are not yet aware of any details. “Therefore, a final assessment of the attack scenarios described and a decision on possible measures is not yet possible,” said a Bafin spokesman.