/Logo%202023.svg "Logo 2023"){kind=small}
/Group.svg "Group"){kind=small}
2 min read
Mobile phones are increasingly vulnerable to hacking and fraud, presenting significant challenges for securing sensitive applications like the EUDI wallet. As the European Union rolls out the EUDI wallet, it must tackle one of the most pressing security issues: how to prevent hacking or tampering of the EUDI wallet. The EUDI wallet holds the promise of revolutionizing how both the public and private sectors manage digital identities, putting control of personal data squarely in the hands of consumers. However, a single breach could jeopardize the entire eIDAS framework, eroding trust and jeopardizing the entire initiative.
This post addresses the assumption that binding the EUDI wallet to hardware-based solutions like Wallet Secure Cryptographic Device (WSCD) will offer sufficient protection, including achieving AVA_VAN.5 certification—the highest level of vulnerability assessment typically reserved for highly controlled environments such as secure vaults. However, even AVA_VAN.5 certified chipsets are not foolproof; there has been cases they have been rooted. Today, it remains possible to root devices, compromising both the phone and its contents. Moreover, these techniques are becoming increasingly sophisticated and harder to detect. Simply certifying the chipset does not address the broader challenge posed by compromised operating systems.
the hardware security conundrum
Relying solely on hardware security to protect the EUDI wallet is fundamentally flawed. New security breaches at the hardware level cannot always be prevented, especially in an era where mobile phone manufacturing often takes place in countries with less transparent security practices. This raises the critical question: How can we be sure that secrets generated in secure enclaves or Trusted Execution Environments (TEEs) are truly secret? Even if a compromised chipset is identified, issuing a security patch would require re-certification under AVA_VAN.5, a process that is both time-consuming and costly. Worse yet, some vulnerabilities may be unfixable.
a layered security approach: introducing an independent cryptographic layer
The solution lies in creating an independent cryptographic layer between the EUDI wallet application and the WSCD. This layer leverages the secrets embedded in the hardware but enhances security by binding those secrets with its own cryptographic keys. This results in a cryptographic binding that is incredibly difficult to break, even on compromised devices.
The accompanying diagram (to be included) will illustrate how the storage of Personally Identifiable Data (PID), Electronic Authentication Attributes (EAA), and personal data can be secured within a tamper-proof location. Breaking into this storage would require overcoming three layers of security: the hardware keys, biometric keys, and middleware keys.
This multi-layered approach ensures that:
- Configuration Data: Remains secure and inaccessible to unauthorized modifications.
- Cryptographic Keys: Are safeguarded against extraction or tampering, even if the device itself is compromised.
- Documents and Personal Data: Are stored securely, ensuring their confidentiality and integrity, even in the event of a breach.
Conclusion
In conclusion, relying solely on hardware to secure the EUDI wallet is insufficient. A layered security approach, incorporating cryptographic bindings at multiple levels, is essential to protecting digital identities. As the EU moves forward with the implementation of the EUDI wallet, it must consider these advanced security measures to prevent compromising the very foundation of trust that eIDAS is built upon. By adopting a strategy that goes beyond hardware, the EUDI wallet can offer the robust protection necessary to safeguard citizens' personal data and maintain trust in the digital identity ecosystem.
how cryptomathic can help
Cryptomathic provides an SDK called Mobile Application Security Core (MASC) that addresses these vulnerabilities. If you plan to use the reference implementation contact Cryptomathic today to guide you in the mitigation strategy and how to best address these vulnerabilities. When it comes to protecting citizens and the personal data collected and shared from the wallet, there should be no compromises.
stay up to date
This blog is the third in a series from our mobile application security expert, Jan Lindquist, covering the security and privacy of EUDI wallets. Our next and final blog will cover:
- Assessing the lack of ENISA security requirements and the negative impact this may have on EUDI wallet future
To be among the first to receive these expert insights, simply fill out this form and we'll let you know when each blog is published: