Abuse potential of Estonian eID authentication
Organization
Cybersecurity
Abstract
If an attacker was able to forge just a single authentication process for an arbitrary Estonian eID holder, what it would be?
The aim of this work is to provide insight on the scale of information that the public and private bodies have collected and made accessible to persons through the authentication provided by Estonian eID solutions (ID card, Mobile-ID and Smart-ID).
Possible tasks include:
- Gather a list of every public service of significant interest and the data categories therein which the eID holders can access using eID authentication.
- Suggest the most useful abuse scenarios from the attacker's perspective for: (a) illegitimate financial gain; (b) compromising a person's privacy (how to measure the level of privacy compromise?); and (c) general harm done to the person.
- Suggest and analyze possible measures to limit the potential scale of abuse.
Things to consider:
- Smart-ID is being actively added to many systems expanding its abuse potential.
- In some systems PIN1 not only allows the reading of data, but also alloows modifications as well.
- Some Estonian online banks (e.g., LHV and Danske) allow transfers with only PIN1.
- In some systems knowledge of PIN1 is not enough (e.g., in most Estonian online banks a username is needed in addition).
- Some personal information can be legally obtained by third persons from public registers (e.g., electronic land register).
- Some central authentication systems (such as banklink and TARA (RIA)) can be used to access other systems.
Technical part:
- Test if the authentication tokens issued by the central system (banklink/TARA) can be used to authenticate to different relying parties (token cross-site replay attack - https://www.youtube.com/watch?v=w79UqJGXQsY).
- Implement an open source information gathering tool that could be used to create a demonstration similar to Memopol (https://www.timo.ee/memopol1/).
The aim of this work is to provide insight on the scale of information that the public and private bodies have collected and made accessible to persons through the authentication provided by Estonian eID solutions (ID card, Mobile-ID and Smart-ID).
Possible tasks include:
- Gather a list of every public service of significant interest and the data categories therein which the eID holders can access using eID authentication.
- Suggest the most useful abuse scenarios from the attacker's perspective for: (a) illegitimate financial gain; (b) compromising a person's privacy (how to measure the level of privacy compromise?); and (c) general harm done to the person.
- Suggest and analyze possible measures to limit the potential scale of abuse.
Things to consider:
- Smart-ID is being actively added to many systems expanding its abuse potential.
- In some systems PIN1 not only allows the reading of data, but also alloows modifications as well.
- Some Estonian online banks (e.g., LHV and Danske) allow transfers with only PIN1.
- In some systems knowledge of PIN1 is not enough (e.g., in most Estonian online banks a username is needed in addition).
- Some personal information can be legally obtained by third persons from public registers (e.g., electronic land register).
- Some central authentication systems (such as banklink and TARA (RIA)) can be used to access other systems.
Technical part:
- Test if the authentication tokens issued by the central system (banklink/TARA) can be used to authenticate to different relying parties (token cross-site replay attack - https://www.youtube.com/watch?v=w79UqJGXQsY).
- Implement an open source information gathering tool that could be used to create a demonstration similar to Memopol (https://www.timo.ee/memopol1/).
Graduation Theses defence year
2019-2020
Supervisor
Arnis Paršovs
Spoken language (s)
English
Requirements for candidates
Level
Keywords
Application of contact
Name
Arnis Paršovs
Phone
E-mail
See more