Extremely simple hack can guess and block usernames in Danish MitID

Several experts are astonished by the weaknesses discovered in MitID. Illustration: Ingeniøren

The Danish platform for personal online identification, MitID, contains several serious design issues that make it possible both to guess tens of thousands of usernames and to lock users out of the system for days. In some cases, this may mean that attackers can log into victims’ MitID. MitID is used to identify Danes to banks and to the public sector in general, and it also serves as a way to sign documents digitally.

The design flaws were uncovered in an investigation into the security of MitID carried out by Version2. In just one night, Version2 managed to guess 11,000 valid MitID usernames with a very simple code snippet that guessed Danish first names. This opens the door for abuse of the system because MitID does not require a password.

After that, Version2 managed to keep up to 17 users—who had given us permission—out of MitID, 10 of them for several days, without encountering a single block anywhere in the process. In other words, there is nothing to suggest that the attack cannot be carried out against thousands of Danes at the same time, if one is willing to break the law and use the many usernames that are easy to guess.

“Damn. I knew it could be done, but I had no idea how easy it was. I really think MitID is a failure, and I think your investigation demonstrates it perfectly. Overall, it indicates that MitID’s security has not been properly thought through,” exclaims Jan Kaastrup, partner in cyber security company CSIS and member of the European Cybercrime Centre’s advisory board.

“It shouldn’t be that easy to figure out usernames in the first place, and the fact that it’s possible to lock people out of MitID is even worse. If you send requests to a certain percentage of the Danish population, many will surely swipe, and all hell will break loose. It’s an attack that a teenager could launch—it’s just crazy,” Jan Kaastrup says.

Where is the monitoring?

His opinion is backed by several experts from the industry, including Jacob Herbst, CTO of Dubex and member of the Danish Cyber Security Council:

“The large volume of requests that were systematically sent to the server in your investigation should have been detected, and they should have triggered a response. I am very surprised that it wasn’t caught by the automatic monitoring that a system such as MitID should have,” Jacob Herbst says.
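The kind of automatic monitoring Herbst describes can be sketched over authentication events. This is an added example, not code from Version2 or MitID; the log format, outcome labels and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_USERS_PER_SOURCE = 4   # assumed threshold, tune to real traffic
MAX_UNAPPROVED_PER_USER = 3         # assumed threshold

# Constructed events: timestamp, source IP, username, outcome.
# "pending" means an approval request was sent to the user's app.
SAMPLE_LOG = """\
2024-01-01T02:00:00 198.51.100.7 anna unknown_user
2024-01-01T02:00:05 198.51.100.7 anne pending
2024-01-01T02:00:10 198.51.100.7 anni unknown_user
2024-01-01T02:00:15 198.51.100.7 bent pending
2024-01-01T02:00:20 198.51.100.7 bente pending
2024-01-01T02:01:00 203.0.113.20 karen1987 pending
2024-01-01T02:01:30 203.0.113.20 karen1987 approved
2024-01-01T02:02:00 198.51.100.7 anne pending
2024-01-01T02:02:30 198.51.100.7 anne pending
"""

def detect(log_text):
    """Return (sources trying many usernames, usernames flooded with unapproved requests)."""
    by_source = defaultdict(deque)   # source -> (time, username) inside the window
    by_user = defaultdict(deque)     # username -> times of unapproved requests
    enum_sources, flooded_users = set(), set()
    for line in log_text.splitlines():
        ts, source, user, outcome = line.split()
        now = datetime.fromisoformat(ts)
        attempts = by_source[source]
        attempts.append((now, user))
        while now - attempts[0][0] > WINDOW:
            attempts.popleft()
        # One source cycling through many different usernames is enumeration.
        if len({u for _, u in attempts}) > MAX_DISTINCT_USERS_PER_SOURCE:
            enum_sources.add(source)
        if outcome == "approved":
            by_user[user].clear()    # the account owner answered, reset the count
        elif outcome == "pending":
            pending = by_user[user]
            pending.append(now)
            while now - pending[0] > WINDOW:
                pending.popleft()
            # Repeated requests nobody approves point to lockout or prompt flooding.
            if len(pending) >= MAX_UNAPPROVED_PER_USER:
                flooded_users.add(user)
    return enum_sources, flooded_users

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Both signals are needed: the first catches the guessing phase, the second catches a single username being held locked even when requests arrive from many sources.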

The users who get locked out of MitID in the way Version2’s investigation demonstrated have no chance of figuring out what is happening to them. When they try to log in, they get an error message telling them that they have entered the username correctly too many times in too short a period of time, and that they have to wait 30 seconds. But that does not work.

Regardless of whether they wait 5 minutes, half an hour, or a whole day, they cannot log in to MitID, which has already become the only way to log in to several online banking systems. A simple program keeps the gateway to digital Denmark closed.

If the frustrated victim opens their app to check what is going on, there will be a request ready to swipe. If the victim swipes out of frustration or curiosity, the attacker will get access to the highest level of authentication available in Denmark.

Carsten Schürmann, professor of information security at the IT University of Copenhagen, is just as worried about the investigation as the industry experts:

“It’s an incredibly simple code, and my students learn this type of attack during the first two or three weeks of my courses,” the professor says.

The Danish Agency for Digital Government, which is a co-owner of MitID, does not want to comment on the specific findings of the investigation, but assures that safeguards have been set up against this kind of attack.

The Danish Data Protection Agency informs Version2 that it will investigate the case, which it views as “exciting and certainly relevant to the Danish Data Protection Agency.”