sPACE Attack: Spoofing eID’s Password Authenticated Connection Establishment

27 points by snmx999 about 1 year ago

3 comments

lxgr about 1 year ago
Is this unexpected? When your PIN input and transaction confirmation device is untrusted, about the only thing a smart card can protect against is key exfiltration, and maybe rate limiting signature/authentication attempts (I believe the German protocol sends trusted timestamps from the remote reader which would allow that).

Tapping your card and entering your PIN in a compromised app/on a compromised device has the same (and to me expected) result as tapping it on a fraudster’s device directly and providing them the PIN.
kohlschuetter about 1 year ago
The research paper has shown the existence of a vulnerability in the German eID scheme, posing a significant risk to all services relying on the eID, especially those handling sensitive data such as insurances, banks, and government services.

The vulnerability has the CVE-ID CVE-2024-23674 and a CVSS rating of 9.7 (Critical).

A bank account has been successfully opened in the name of a victim at a major German bank.
stop50 about 1 year ago
The first attack that is somewhat usable, if there are users to exploit.