Vulnerabilities in the Europe’s Digital Identity System, patched

European authorities released a patch for the eIDAS system. The electronic Identification, ONEhandedness and trust Services is the official software package that government organizations run on servers to support eIDAS-friendly transactions. The system was created to conduct cross-border electronic transactions that can be verified against official databases in any country.

Last week, SEC Consult security researchers found two vulnerabilities that could allow attackers to pretend to be any EU citizens or businesses. The released patch makes two security flaws that may allow an attacker to pose any EU citizen or business during official transactions. The cryptographically secure electronic system was created in 2014 for managing electronic transactions and digital signatures between EU Member States, citizens and businesses.

As it has a critical role, any vulnerability can allow attackers to interfere with the EU official transactions (tax payments, bank transfers etc.). Researchers discovered that the current versions of the eIDAS-Node package could not validate certificates used in eIDAS operations. Thus, the attackers could forge the certificate from any other eIDAS citizen or company.

In a potential attack, one has to only initiate a malicious connection to an eIDA-Node server in any Member State and provide forged certificates during the approval process.

“We do not have detailed information about the configuration or additional security measures for the installed production systems. We are therefore unable to provide information on the Member State concerned to what degree,” mentioned Wolfgang Ettlinger, SEC Consult Senior Security Consultant, for ZDNet.

Although the representatives of the European Commission’s CONNECT department declined to comment the incident publicly, a patch was released, together with a reminder to national administrators to get patching.