Software-Update for Austrian Citizen Card vulnerable to MITMPosted: January 31, 2012
TL;DR: Update-Mechanism of A-Trust BKU did not check SSL-Server-certificate before version 22.214.171.124.
The Austrian Citizen Card (Bürgerkarte) is a Smartcard that allows every citizen to make qualified digital signatures, which should be equivalent to handwritten signatures. In order to use the Bürgerkarte a Software (Bürgerkartenumgebung, BKU) is needed, either a locally installed or a Java applet (Mocca). The most widely spread locally installed BKU is the “A-Trust BKU”, which has been around since November 2008.
I was wondering how the update mechanism worked and found that it uses HTTPS to fetch an “update.ini” which contains information about the latest version. I was curious and created an update.ini file, altered the hosts-file and…. it worked.
When A-Trust BKU thinks it has found an update it shows this window:
After the update has been downloaded it simply gets executed (UAC elevated!):
An update to version 126.96.36.199 fixes this problem.