There is a big spoofing hole in version 2.6. The middleware is now at version 3.5. There are other issues with version 3.5, but version 2.6 is so easy to spoof that it is too risky to keep using it for authentication and identification.
I am not sure that the bugs that were in version 2.6 are resolved in version 3.5 because I can't find a list of resolved issues and the release document is just a bunch of propaganda crap, not a technical file that inspires trust.
The spoofing vulnerability with OpenSSL that can be found in the old EID readers is described here and here and here. By the way, OpenSSL is a can of bugs that you have to update every so many days or weeks. So I don't understand how this kind of open, free stuff, which doesn't have the maturity level to be used without the fear of fundamental bugs that go to the heart of its function, found its way into an Electronic Identity Card that is not only being given to all citizens in a country (and very soon all inhabitants) but is also being used on an ever-increasing scale for authentication and identification (for example, to fill in your taxes online...).
Not one of the vulnerability reports states that upgrading solves the bug. Either it is not solved, or a big worldwide company like Zetes - leader in EID and all that kind of publicity - doesn't follow up on even those official reports.
That is because those reports say "The vulnerability is reported in version 2.6.0. Other versions may also be affected." and "Do not rely on the middleware for verification."
Maybe this is why some at Microsoft still have doubts, off the record, about this middleware...
Meanwhile the propaganda caravan is going through Belgium promoting this tool. Come to see. Come to see.
For international security researchers: Belgians can't try to crack, spoof or attack the code because the Belgian computer crime law has no responsible disclosure. We have been asking for that for a long time, but aside from promises there is nothing. And as there is no real Belgian security attack research, we don't have a clue about the security of the code and the product. And as there is no real open (free) best-practices and independent code-audit review, there is nobody else who can give us a green light. But you can download the code here (French/Flemish) and let us know something... Maybe there is a reason there is no official information in English... but in English the researcher can also read this
Yeah, they say "norms and standards", but how in the hell did this happen then?
* a remotely spoofable bug without authentication since February 2009, and since then no official news or reaction or mention
* the first bug that makes it possible to use malicious servers with specially crafted SSL packets (that people have been pressured to treat as always safe...) to bypass authentication, which for the first time makes attack schemes on Belgians with vulnerable EID software on their computers easy and interesting.
* no campaign to upgrade your EID software (if you don't use it, the vulnerable software client stays on the machine)
Just trust is not enough.