Software-Update for Austrian Citizen Card vulnerable to MITM

TL;DR: The update mechanism of the A-Trust BKU did not check the SSL server certificate before version

Long story:

The Austrian Citizen Card (Bürgerkarte) is a smartcard that lets every citizen create qualified digital signatures, which are intended to be equivalent to handwritten signatures. To use the Bürgerkarte, a piece of software (Bürgerkartenumgebung, BKU) is needed, either a locally installed one or a Java applet (Mocca). The most widely used locally installed BKU is the “A-Trust BKU”, which has been around since November 2008.

I was wondering how the update mechanism worked and found that it uses HTTPS to fetch an “update.ini” that contains information about the latest version. I was curious, so I created my own update.ini file, altered the hosts file and… it worked.

When the A-Trust BKU thinks it has found an update, it shows this window:

After the update has been downloaded, it is simply executed (UAC elevated!):

An update to version fixes this problem.
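What the fix has to look like on the client side, as an added example (not A-Trust's code): a TLS context that actually verifies the server certificate and hostname, shown next to the weak configuration the post describes, plus a hash check on the downloaded file before anything is executed. The update.ini layout (an `[update]` section with `version`, `url` and `sha256` keys) and the sample installer bytes are assumptions constructed for the example.

```python
import configparser
import hashlib
import hmac
import ssl
import urllib.request

def tls_context(verify: bool = True) -> ssl.SSLContext:
    """Client TLS context. verify=False reproduces the weak setup the post
    describes (any certificate, any hostname); kept only for comparison."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, hostname check
    if not verify:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an attacker-supplied certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def fetch_manifest(url: str, ctx: ssl.SSLContext) -> str:
    """Fetch update.ini; with a verifying context a hosts-file redirect to a
    host without a valid certificate for the URL's name fails right here."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_manifest(text: str) -> dict:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["update"]  # section and key names are assumptions
    return {"version": sec["version"], "url": sec["url"], "sha256": sec["sha256"].strip().lower()}

def is_newer(installed: str, offered: str) -> bool:
    key = lambda v: tuple(int(p) for p in v.split("."))
    return key(offered) > key(installed)

def decide(installed: str, manifest_text: str, payload: bytes) -> str:
    """Gate that runs before the downloaded file is executed (elevated or not).
    The hash only helps if the manifest itself arrived over a verified channel;
    it complements certificate checking, it does not replace it."""
    m = parse_manifest(manifest_text)
    if not is_newer(installed, m["version"]):
        return "up-to-date"
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, m["sha256"]):
        return "reject: hash mismatch"
    return "install " + m["version"]

# Constructed sample data: a fake installer and the manifest that describes it.
SAMPLE_PAYLOAD = b"MZ...constructed installer bytes, not a real binary..."
SAMPLE_MANIFEST = ("[update]\nversion=2.0.1\nurl=https://update.example.invalid/bku.exe\n"
                   f"sha256={hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}\n")
```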
