

Chaos Computer Club hacks Video-Ident

2022-08-10 09:59:21, erdgeist

Security researchers with the Chaos Computer Club (CCC) have successfully circumvented established solutions for video-based identification online (Video-Ident) and could access the personal health record (ePA) of a test person. The CCC demands that this insecure technology be discontinued and rejected in all sensitive applications.

Services offering Video-Ident allow users to prove their identity to them by transmitting video showing themselves and an identity document for verification by an operator or by software. Once identified, individuals can proceed to sign up for cell phone contracts, create electronic signatures which are legally binding throughout the EU (QES), apply for credit and open bank accounts – or access their German personal health record (ePA).

A specially devised choreography designed to reveal circumstantial evidence such as visible security holograms or facial expressions is supposed to answer two critical questions in every Video-Ident session: Is the identity document genuine? Is the person in front of the camera genuine? Video-Ident service providers claim that their solutions reliably detect fraud attempts.

Open source software and a little watercolour

Martin Tschirsich, a security researcher with the CCC, demonstrates the failure to keep that promise in his report published today (all links refer to sources in German). In 2019 Tschirsich had already demonstrated how unauthorized individuals could acquire German medical insurance cards as well as special doctors' and clinics' electronic ID cards.

He now presents in detail how, using only open source software and a bit of red watercolour, he managed to outsmart six different Video-Ident solutions by means of "re-combination of multiple video sources" to fool human operators and algorithms alike. These attacks have remained undiscovered until today.

While the entire world succumbs to fears of polished Deep Fakes, this attack worked with long tried and tested technology and rather simple means.

Access to prescriptions, diagnoses, treatments

Because Video-Ident has controlled access to the German online medical services ePatientenakte since 2021 and now also eRezept, Tschirsich could in principle open the medical records of any of the 73 million individuals with public health insurance in Germany and request any medical information stored there by clinics, hospitals and insurers.

In the case presented in his report, Tschirsich gained access to the medical information of an initiated proband, including filled prescriptions, certificates of being unfit for work, medical diagnoses and original treatment documents.

Only a minor effort

This complete failure confirms the long-standing warnings of data protection authorities and the Federal Office for Information Security (BSI) which have fallen on deaf ears in the federal government and at the regulator Bundesnetzagentur. Their excuse was: "The federal government has no knowledge of a concrete security incident at this time." ("Der Bundesregierung sind bislang keine konkreten Sicherheitsvorfälle zur Kenntnis gelangt.") The CCC is pleased to contribute a concrete security incident here and thereby announces a need for action.

An interested hobbyist, and certainly a motivated criminal, can carry out the attack in a short amount of time and with little effort. The risk of further abuse must therefore be estimated as high.

Commenting on previous claims by the service providers that an "AI verification" silver bullet would solve all remaining problems, Tschirsich found that "The assumption that current Video-Ident processes can fix known weaknesses 'by using artificial intelligence' has shown to not hold true in practice."

Use of Video-Ident prohibited

"In light of this discovery it would be negligent to continue using Video-Ident where abuses could potentially cause irreparable harm – for example, through unauthorized disclosure of intimate health data", said Tschirsich. In addition, those in charge must now consider what the appropriate course of action should be for already completed identity verifications.

After the supervisory authorities of the service providers affected were informed about the security problems at the beginning of the week, gematik has now reacted and "prohibits the use of Video-Ident in their Telematik infrastructure until further notice".

Fundamental concerns about Video-Ident

The current situation is particularly bitter in the light of the past years: An expensive electronic ID card was forced on every German, with the promise of it preventing identity theft on the Internet. The project turned out to be a complete flop. Even after ten years, hardly anyone uses the secure online identification that comes with the ID card, and that every single owner has subsidized by paying a skyrocketed fee.

Instead, a now proven insecure Video-Ident enjoys widespread use, despite sporting glaring holes while also raising several fundamental concerns: As part of the Video-Ident process, service providers are presented with, among other sensitive data, their user's biometric information. Selective disclosure of only the information required for the identification process, which was built into the electronic ID card from the outset, is not even possible by design. This is because, although the electronic ID card also came with a compulsory collection of biometric data, the biometric information stored on the card is not part of the data transferred for Video-Ident.

The Chaos Computer Club recommends

It is time for an end to the reversal of the burden of proof: it should not be the affected parties who have to prove weaknesses in the systems, but rather the process operators who should be obliged to prove their security according to the state of the art.

In the future, compliance with existing and new requirements should be regularly proven by independent tests under real attack conditions. In particular, any statement on the effectiveness of countermeasures requires verified evidence. The mere assertion that "some AI has been sprinkled over it" should no longer be sufficient.

It is also of utmost importance to follow the recommendations of the Federal Commissioner for Data Protection and Freedom of Information – well before CCC must spring into action to practically demonstrate these simple attacks. The clues were already there in 2020, when the Commissioner declared the use of Video-Ident to be inadmissible for accessing secure health data under data protection law "wherever there is a very high need for protection".

Links and further information