Hacking mObywatel 2.0: exploring security challenges of digital identity apps

Hacking mObywatel 2.0: exploring security challenges of digital identity apps

In a compelling presentation at CONFidence 2024, Szymon Chadam delved into the security vulnerabilities of mObywatel 2.0, Poland’s innovative electronic identity application. This app, intended to revolutionize identity verification processes, comes with promises of convenience but also faces significant risks if not implemented securely. Below, we summarize key insights into the app’s functionality, vulnerabilities, and recommendations for improvement. Read our summary and watch the full lecture on YouTube.

What is mObywatel 2.0?

mObywatel 2.0 is a mobile application introduced as part of Poland’s compliance with the European eIDAS regulation. Its purpose is to provide a secure and interoperable digital identity solution across Europe. Key functionalities include:

  • Digital identity verification: mObywatel allows users to verify their identity digitally in place of traditional ID cards.
  • Cross-border usage: Designed for compatibility across European Union countries, enabling authentication in various contexts like banking and public services.
  • Legal protections: The app offers the same legal status as a physical ID card, with penalties for falsification matching those for physical document fraud.

Security and verification methods

The app employs three levels of identity verification, each with varying degrees of security.

Visual verification

This involves dynamic visual elements, such as moving eagles or changing timestamps, to prevent static screenshot fraud. However, screenshots or screen recordings can bypass this level if the dynamic elements are mimicked.

Functional verification

Users are required to perform specific actions within the app, such as reopening modules or navigating to other sections. Although more secure than visual checks, functional verification can still be bypassed using recorded sequences or custom scripts.

Cryptographic verification

The highest level involves scanning QR codes and securely exchanging encrypted data between the verifier and the app. This method ensures robust security and eliminates the risks associated with visual and functional verification. However, adoption across industries remains inconsistent.

Key vulnerabilities identified

Szymon Chadam highlighted several vulnerabilities in the implementation and use of mObywatel:

1. Insufficient cryptographic verification adoption

Many organizations, such as clinics or telecom companies, rely only on visual or functional verification, exposing them to phishing and identity theft risks.

2. QR code integrity issues

QR codes generated for data sharing lack cryptographic integrity, allowing attackers to manipulate data during sharing processes.

3. Companion app exploits

Third-party apps like „mHacker” enable attackers to edit data (e.g., names, PESEL numbers, and photos) within the mObywatel interface, effectively creating fraudulent digital IDs.

Exploitation scenarios

Chadam demonstrated how attackers could exploit mObywatel vulnerabilities in real-world scenarios:

  • Medical data theft: Using altered digital IDs to access another person’s medical records.
  • SIM swap attacks: Forging identities to obtain duplicate SIM cards and intercept SMS-based two-factor authentication codes.
  • Airline fraud: Using forged IDs to bypass security checks and board flights.
  • Banking exploits: Attempts to withdraw funds from accounts by impersonating account holders.

If you want to participate in more in-depth analyses of common resources, join the 2025 edition of CONFidence.

Recommendations for mitigating risks

Mandatory cryptographic verification

Organizations using mObywatel should adopt cryptographic verification as the default method for validating identity, ensuring maximum security.

Education and awareness

Users and organizations must be educated about the risks of visual and functional verification to minimize phishing and identity theft attacks.

Enhanced QR code security

Implement digital signatures for QR codes to ensure data integrity during sharing and verification processes.

Continuous penetration testing

Conduct regular security assessments to identify and patch vulnerabilities in app functionalities.

Conclusion

While mObywatel 2.0 represents a significant step forward in digital identity verification, its vulnerabilities highlight the challenges of balancing convenience with security. By prioritizing cryptographic verification, educating users, and improving QR code security, the app can fulfill its promise of providing a safe, efficient, and interoperable identity solution for the modern era.