Vulnerability in eIDAS identification system allowed attackers to impersonate EU citizens


The European Commission has patched a critical vulnerability in the electronic identification system eIDAS. Attackers were able to abuse the flaw to impersonate a European citizen when performing actions controlled via eID applications.

The abbreviation eIDAS stands for ‘electronic identification, authentication and trust services’. The system was set up as a result of a European regulation which states that Member States must grant each other access to their digital services. This concerns, for example, eID resources with which citizens can file tax returns or open a bank account in other European countries. It works by running a special server software package called eIDAS-Node, which government agencies operate on their own servers to support eID applications.

Security researchers from SEC Consult recently found two vulnerabilities in eIDAS-Node. According to the researchers, it was possible to spoof a certificate because eIDAS-Node did not validate it. The spoofing could already be performed while setting up a connection to any Node server, which, according to the researchers, made it relatively easy to use in an attack. By exploiting the vulnerability, an attacker could impersonate an EU citizen and thus use the applications supported by eID.

The vulnerabilities have now been resolved, the researchers told ZDNet. This happened after they shared their findings with the European Commission. Today the Commission released version 2.3.1 of eIDAS-Node, together with a warning to Member States to update the software.
