== Estonian ID card software vulnerability study ==
|Summary||Over the history of the Estonian ID card software, several vulnerabilities have been fixed. Some of these vulnerabilities have gained public attention, while others have not been documented in either the release notes or the changelog.|
The aim of this work is to study, from a historical perspective, the security flaws that the Estonian ID card software has encountered.
Potential tasks would include checking the changelog, understanding and explaining the past vulnerabilities and their impact, classifying the flaws and analyzing the reasons for failure.
Was the flaw properly documented in the changelog and release notes? Was the public informed? Was the development process improved after the flaw?
Auditing the software for previously unknown flaws would be beneficial as well.
== Abuse potential of Estonian eID authentication ==
If an attacker were able to forge just a single authentication for an arbitrary Estonian eID holder, what would that be worth to them?
The aim of this work is to provide insight into the scale of personal information that public and private bodies have collected and made accessible to individuals behind the authentication provided by the Estonian eID solutions (ID card, Mobile-ID and Smart-ID).
Possible tasks include:
- Gather a list of every public service of significant interest and the data categories therein which the eID holders can access using eID authentication.
- Suggest the most useful abuse scenarios from the attacker's perspective for: (a) illegitimate financial gain; (b) compromising a person's privacy (how to measure the level of privacy compromise?); and (c) general harm done to the person.
- Suggest and analyze possible measures to limit the potential scale of abuse.
Things to consider:
- Smart-ID is being actively added to many systems, which expands its abuse potential.
- In some systems PIN1 not only allows data to be read, but also allows it to be modified.
- Some Estonian online banks (e.g., LHV and Danske) allow transfers with only PIN1.
- In some systems knowledge of PIN1 alone is not enough (e.g., most Estonian online banks also require a username).
- Some personal information can be legally obtained by third persons from public registers (e.g., electronic land register).
- Some central authentication systems (such as banklink and TARA (RIA)) can be used to access other systems.
- Test whether an authentication token issued by a central system (banklink/TARA) for one relying party can be replayed to authenticate to a different relying party (token cross-site replay attack - https://www.youtube.com/watch?v=w79UqJGXQsY).
- Implement an open-source information-gathering tool that could be used to build a demonstration similar to Memopol (https://www.timo.ee/memopol1/).
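As an added illustration of the token cross-site replay test in the list above (this is example code written for this page, not TARA's, RIA's or any bank's code), the Python sketch below models a central identity provider that issues a token to one relying party and two relying-party verifiers: a weak one that checks only the issuer's signature and expiry, and a strict one that also requires the token's audience (`aud`) and `nonce` to belong to its own login request. The issuer URL `https://idp.example`, the shared HMAC key, the client IDs `bank-a` and `portal-b` and the personal code are all constructed assumptions; the real TARA issues RS256-signed OpenID Connect ID tokens, so only the claim names (`iss`, `sub`, `aud`, `nonce`, `iat`, `exp`) carry over.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for a central identity provider such as TARA or banklink.
# Tokens are minimal HS256-signed JWT-style strings (the real TARA uses RS256);
# the issuer URL, key and client IDs below are assumptions for this example.
ISSUER = "https://idp.example"
ISSUER_KEY = b"constructed-issuer-secret"   # shared with the RPs for the demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, nonce: str,
                now: Optional[int] = None, ttl: int = 300) -> str:
    """Identity provider side: mint a token for one relying party (aud),
    bound to the login request that RP started (nonce)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience,
               "nonce": nonce, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _checked_payload(token: str, now: int) -> dict:
    """Checks every relying party must do: signature, issuer and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(ISSUER_KEY, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def weak_verify(token: str, rp_client_id: str, expected_nonce: str,
                now: Optional[int] = None) -> dict:
    """Vulnerable relying party: accepts any unexpired token carrying a valid
    issuer signature. rp_client_id and expected_nonce are ignored, which is
    exactly the bug: a token minted for another RP logs the holder in here."""
    now = int(time.time()) if now is None else now
    return _checked_payload(token, now)


def strict_verify(token: str, rp_client_id: str, expected_nonce: str,
                  now: Optional[int] = None) -> dict:
    """Hardened relying party: the token must be addressed to this RP (aud) and
    must answer the nonce this RP put into its own authentication request."""
    now = int(time.time()) if now is None else now
    payload = _checked_payload(token, now)
    if payload.get("aud") != rp_client_id:
        raise ValueError("token issued for a different relying party")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match this RP's login request")
    return payload


def cross_site_replay_demo() -> dict:
    """A token captured from a login at 'bank-a' is replayed to 'portal-b'
    (both client IDs and the personal code are constructed)."""
    t0 = 1_700_000_000
    token = issue_token("EE11111111111", "bank-a", "nonce-a", now=t0)
    result = {"weak_rp_accepts_replay": False, "strict_rp_rejects_replay": False,
              "strict_rp_rejects_forged_aud": False}
    try:
        weak_verify(token, "portal-b", "nonce-b", now=t0 + 10)
        result["weak_rp_accepts_replay"] = True
    except ValueError:
        pass
    try:
        strict_verify(token, "portal-b", "nonce-b", now=t0 + 10)
    except ValueError:
        result["strict_rp_rejects_replay"] = True
    # Rewriting aud/nonce in the captured token does not help the attacker:
    # the signature covers the payload, so the edited token fails verification.
    head, _body, sig = token.split(".")
    forged_body = _b64url(json.dumps({"iss": ISSUER, "sub": "EE11111111111",
                                      "aud": "portal-b", "nonce": "nonce-b",
                                      "iat": t0, "exp": t0 + 300}).encode())
    try:
        strict_verify(head + "." + forged_body + "." + sig, "portal-b", "nonce-b", now=t0 + 10)
    except ValueError:
        result["strict_rp_rejects_forged_aud"] = True
    return result


if __name__ == "__main__":
    print(cross_site_replay_demo())
```

For the thesis task itself the equivalent experiment is to complete a login at one relying party, capture the ID token (or the signed banklink response), and submit it to a second relying party's callback endpoint; a relying party that behaves like `weak_verify` is exploitable by any other relying party, or by anyone who can intercept a token, and the fix is the audience and nonce binding that `strict_verify` enforces.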
|Thesis defence year||2019-2020|