back to article Europe's digital identity system needs patching after can_we_trust_this function call ignored

Security flaws have been found in the European Union's electronic identity system that could have been exploited by miscreants to impersonate member states' citizens online. The programming blunders were buried in the five-year-old eIDAS – that's electronic IDentification, Authentication and trust Services – that was designed …

  1. A Non e-mouse Silver badge
    Joke

    Stack Overflow Code?

    Have the developers been using too much Stack Overflow sample code again?

    1. Warm Braw Silver badge

      Re: Stack Overflow Code?

      Or perhaps they'd just been watching Spartacus.

    2. Glen 1 Silver badge
      Trollface

      Re: Stack Overflow Code?

      or not enough

  2. Richard Boyce

    Why the change?

    The flaw seems to be in a critical part of the system. If the flaw wasn't present a year ago, how did it get introduced? Was there a significant change in the spec that required this part of the system to be changed?

    1. Venerable and Fragrant Wind of Change

      Re: Why the change?

      We can only speculate, but perhaps the function (or function call) in question was a new capability?

    2. Doctor Syntax Silver badge

      Re: Why the change?

      "If the flaw wasn't present a year ago, how did it get introduced?"

      If. The article has a note of doubt about that.

    3. Anonymous Coward
      Anonymous Coward

      @Richard Boyce - Re: Why the change?

      DevOps - We like to break things. Or we can't be bothered. Whatever.

  3. Twanky Bronze badge

    eIDAS – electronic IDentification, Authentication and trust Services

    A couple of thoughts on this:

    1) I note they didn't dub this 'eIDATS – electronic IDentification, Authentication and Trust Services'. Why are they de-emphasising 'Trust'?

    2) The article says eIDAS is 'designed to act as a secure bridge between all the various bureaucracies and ID systems of the 28 countries...'. Please let's not get into '28 -1' discussions about this but as far as I know the UK does not issue eIDs. I have a reference number from HMRC, the NHS, DVLA, the electoral roll and God alone knows what other sub-division of the government and civil service. Does eIDAS allow these 'systems' to cross-reference IDs within the UK and is that a Good Thing?

    1. Pascal Monett Silver badge
      Coat

      Well, now that you've mentioned it, Johnson is preparing a National Government ID project to tie all different services together and bridge these various ID number issues.

      It will be a grand, sweeping project with an initial budget of just £80 million, to be completed in three years. Three years after that, costs will have ballooned to £450 million, and the planned end date will be six years from then. After ten years working on the project, UK Gov will sadly conclude that £935 million were wasted and bin the project.

      1. Anonymous Coward
        Anonymous Coward

        £450 / £935 million

        Less than three weeks of "Brexit savings"?

        Surely they can blow more than that before admitting they didn't have any proper requirements or a change control system in place?

      2. onemark03

        Isn't this a bit like what Tony Blair was proposing in the early Noughties ("joined-up government" or something, I think he called it)? Then the Conservatives junked the scheme. (OK, it was an election bribe but even so.)

        Are we to understand that Boris now intends introducing the same kind of scheme after next month's General Election?

        1. veti Silver badge

          This plan is baked in to the Home Office. It will keep coming back until it gets implemented.

          But the article makes no mention of a "single" national ID. Passports, driving licenses, NI numbers - these are all different things, why not use any one of them?

          1. Psmo Bronze badge

            None of the above are required, and most are only available for UK Nationals:

            . A UK Passport is only needed for UK Nationals crossing border control.

            . National Insurance numbers are for workers and UK Nationals.

            . A UK Driving License is for people who pass their test or exchange their license in the UK.

        2. onemark03

          Why the downvotes?

          What did I get wrong?

          1. Intractable Potsherd Silver badge

            Don't worry - it's just Tony Blair, David Blunkett and the random down voter.

    2. FrogsAndChips Silver badge

      Re: as far as I know the UK does not issue eIDs

      The UK implementation of eiDAS relies on gov.uk's Verify.

  4. Pascal Monett Silver badge

    "a validate() function call [..] was ignored, and the software progressed regardless"

    And now the system is patched, and the function call result is no longer ignored, right ?

    So all the systems that were put in place and tested based on ignoring the function's result are now going to have to deal with a new, untested scenario : the function returns False. I'm sure they planned for that back then, but how come nobody ever tested a False before ? Because if they had tested the False scenario and found it worked anyway, this bug would have been raised a long time ago.

    Once again, improper testing is the source of a bug.

    1. cantankerous swineherd Silver badge

      Re: "a validate() function call [..] was ignored, and the software progressed regardless"

      testing cannot prove the absence of bugs.

      1. Baldrickk Silver badge

        Re: "a validate() function call [..] was ignored, and the software progressed regardless"

        No, but you should at least test for the common inputs - i.e. each boundary condition, which should include all of true positives, false positives, true negatives and false negatives.

        That (minimal) set of tests should have found this.

        You can't prove the absence of bugs, but you can find the ones easy to find if they exist.

        The best test is one that fails.

        If all your tests pass, you might want to write some more tests.

        1. cantankerous swineherd Silver badge

          Re: "a validate() function call [..] was ignored, and the software progressed regardless"

          it's tests all the way down!

    2. Brian Miller

      Re: "a validate() function call [..] was ignored, and the software progressed regardless"

      Once again, improper testing is the source of a bug.

      No, bad development practices are the source of the bug. The test did not introduce the bug. Now, the test in question could have correctly flagged the error, and the software was shipped regardless. We, out here, don't know.

  5. Blockchain commentard Silver badge
    Facepalm

    Well, shouldn't affect us once Brexit is implemented !!!!

    1. Venerable and Fragrant Wind of Change

      Sorry to ignore the tongue-in-cheek, but if the system is available to the world at large to verify a citizen online, then brexit won't stop UK biz using it in applications like KYC.

  6. Venerable and Fragrant Wind of Change

    Naming no names ...

    There are a handful of "usual suspects" in Government IT projects. Do we have a familiar name here?

    1. Zimmer
      Coat

      Re: Naming no names ...

      Jason Bourne....??

      ===> it's the one with the multi sim burner phone in the hidden inside pocket...

      1. Venerable and Fragrant Wind of Change

        Re: Naming no names ...

        As in, Bourne shell? He must be getting on a bit by now!

  7. Anonymous Coward
    1. cantankerous swineherd Silver badge

      Re: I'll just leave this here:

      worth a read.

  8. beast666

    No, no, no.

    The flaw is far more fundamental than that. It is the EU project in it's entirety that is broken.

    1. cantankerous swineherd Silver badge
      Trollface

      Re: No, no, no.

      did you just drop this? ->

  9. Joe Harrison

    UK people can buy them

    If you feel the need for one of these then sign up with the Estonian government https://e-resident.gov.ee/

  10. Jason Bloomberg Silver badge
    WTF?

    "All a bit complicated"

    "For example, a person in France can use their French government-issued electronic ID to access online services in Italy, using eIDAS to identify themselves. All very Brussels, and all a bit complicated."

    In what way is it "all a bit complicated"? And how could it be made less complicated?

    Or is it just more unwarranted, throwaway, poisonous criticism of Brussels and the EU?

    1. IGotOut

      Re: "All a bit complicated"

      No the UK system is so much less complicated.

      Just get the form from the Post Office (if you can find one), fill it out in Black ink...post it, wait 6 weeks, phone up (9am to 4:30pm Monday to Friday, excluding lunch times) to see where the document is, be told they have sent it, wait another 6 weeks, phone back up, be told they never received it after all. Get another form, repeat. Now once you finally receive the documents, you can apply for part two.

  11. Justthefacts Bronze badge

    Much more serious than you think?

    “The scope of these vulnerabilities, we note, is rather limited: the software is used by countries to talk to the systems of other countries. It could, therefore, potentially, be used by agents of one nation to pretend to be citizens of another nation – or by miscreants that somehow managed to impersonate or compromise an eIDAS-Node deployment, at which point, you've got bigger fish to fry.”

    Are you sure? I read the back-link, and the bigger picture looks much more serious.

    https://sec-consult.com/en/blog/2018/11/my-name-is-johann-wolfgang-von-goethe-i-can-prove-it/

    Seems like currently any EU citizen has or can have a smart card reader, to read their National ID card, and a ton of organisations have agreed to use the same ID software with potentially common security failure modes.

    AllI have to do to subvert this system is get hold of any citizen card reader, open it up, and MITM some of its responses towards a few well chosen organisations web portals, since the standard server side software wasn’t verifying signatures.

    “Several public and private organisations allow this login mechanism (e.g. the online tax filing portal, several De-Mail services, several insurance companies)”

    OK.....well, I bet the German online tax filing portal patches this PDQ. But every insurance provider and telco? Everywhere in the EU? I just have to find the weakest two or three organisations who fail to patch, out of maybe thousands in the EU, logon there to pwn that ID, and redirect those mailing address to where I like. Normally you only need two or three letters from telco, utility or insurance provider to your address, as evidence of ID for getting other ID’s. This is the mother lode of ID fraud!

  12. veti Silver badge

    Are there any figures on

    ... approximately how many people have ever tried to use this system? Are we talking 50, or 50 million?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019