German "secure" ID cards compromised on national TV, gov't buries head in sand

A German TV programme showed hackers from the Chaos Computer Club using off-the-shelf equipment to extract personal information from the government's new "secure" ID card, which stores scans of fingerprints and a six-digit PIN that can be used to sign official documents and declarations.
In an interview with the show, Interior Minister Thomas de Maizière said he saw no immediate reason to act on the alleged security issue.

Meanwhile on Tuesday the Federal Office for Information Security (BSI) rejected the Plusminus' criticism of the new ID card. The agency's personal identification expert Jens Bender said the card was secure and called the combination of an integrated chip with a PIN number a "significant security improvement compared to today's standard process of user name and password."

But a classic Trojan horse program that logs keystrokes remained a threat, he admitted, because users must use keyboards in addition to the scanners.

New government ID cards easily hacked (via /.)


  1. The hack didn’t go for the ID card itself but for the so-called basic card reader, which is a simple RFID reader with a USB connection.

    So the PIN is typed with the computer’s keyboard and is of course affected by key loggers and other malware on PCs.

  2. This security issue concerns card readers without integrated keypads, which obviously makes the system open to abuse by keyloggers. However, the PIN is no use without the card itself.
    In addition, the card’s functions are limited unless you use the enhanced card readers with integrated keypads.

    Since this is bound to become a general ID card discussion: I have grown up in Germany and do not consider an ID card a threat to my privacy or freedom at all. Threats to freedom come with a central database which logs ID checks etc, which doesn’t happen here (but was planned, IIRC, in the UK – hence the bad publicity). Having a secure photo-ID makes fraud and identity theft much more difficult. I also lived in the UK for a while where you had to take your phone, gas, water and tax bills to the video store to rent a DVD – now where is the privacy in that???

    I for one can’t wait for the new card, if only because of the smaller format…

  3. Yes, biometrics. Please, let’s use more security measures that involve components that once they are “cracked” cannot be un-done. Pure genius.

  4. As I understood it, the TV show used some pretty improbable scenario to “prove” the system’s insecurity, requiring physical access to the ID card, while neglecting the obvious long-term problem:

    This ID card is meant to be valid for 10 years, all the while employing security mechanisms that may be up-to-date today. And I think it’s safe to assume there’ll be handier exploits around before the end of its “life”.

    Good thing there’s still a few weeks’ time for Germans to order an old-fashioned, no-chip ID card. I for one have just renewed mine ahead of schedule to make sure I have the old one for another decade.

  5. “But a classic Trojan horse program that logs keystrokes remained a threat, he admitted, because users must use keyboards in addition to the scanners.”

    So the next move will be to scare us all into having embedded chips so the keyboard can be avoided; all this will be sold to us as “for our security and benefit”!

    resist the police state ppl..
