The European Digital Identity wallet (EUDI wallet) is proposed by the European Commission to provide a secure and standardized digital identity for all EU citizens. It builds on the existing eIDAS regulation (electronic IDentification, Authentication and trust Services) and is part of the proposed eIDAS 2.0 revision of that regulation. The EUDI wallet will be made available to its users as a mobile app that lets them securely store and selectively share, locally or remotely, on request and under their sole control, identification data derived from their national electronic IDs (eIDs), as well as other attestations of attributes such as digital travel credentials (ePassports), driver's licenses and university diplomas, and also personal information such as medical records or bank account details. The wallet should also allow them to access a variety of online services and to sign documents with qualified electronic signatures (QES) and qualified electronic seals.
With such valuable data held by a single app, threats to the EUDI wallet will come from many different sources with varying motives. This article explores that threat landscape and the considerations for protecting the wallet's sensitive data.
Threat Landscape and Actors
In its latest annual Threat Landscape Report, ENISA provides a thorough analysis of the state of the cybersecurity threat landscape, including the top threats, major trends, threat actors and attack techniques, impact and motivation, as well as relevant mitigation measures. The report states that threat actors are increasing their capabilities, frequently gaining access to previously unknown (0-day) exploits, maturing their hacker-as-a-service business model, and developing novel and hybrid threats.
Modeling Threats to EUDI Wallet
When modeling threats, there are several techniques from which to choose depending on the modeling perspective as well as the required level of sophistication.
Organizations will likely have their own approaches, but this example uses the Microsoft-developed STRIDE model to categorize threats, because it classifies each threat by the security property it violates and is a relatively straightforward model to apply to each component and data flow of the wallet ecosystem. The name itself is a mnemonic where each letter corresponds to one of six threat categories:
- S: Spoofing, pretending to be another user, device or component (violates authentication).
- T: Tampering, modifying data or code without authorization (violates integrity).
- R: Repudiation, denying having performed an action in a way that cannot be disproved (violates non-repudiation).
- I: Information disclosure, exposing data to parties not authorized to see it (violates confidentiality).
- D: Denial of service, making the wallet or a service it depends on unavailable (violates availability).
- E: Elevation of privilege, gaining capabilities beyond those granted (violates authorization).
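To make the model concrete, the following added example (not code from the original article, nor from any EUDI reference implementation) applies STRIDE per element to a simplified data-flow model of the wallet ecosystem: holder, issuer and relying party as external entities, the wallet app as a process, its secure storage as a data store, and the issuance and presentation channels as data flows that cross trust boundaries. The element list is an assumption made for illustration, not a model taken from the EUDI architecture documents; the per-element STRIDE mapping is the usual threat-modeling convention.

```python
from dataclasses import dataclass

# STRIDE category letter -> (category name, security property it violates)
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element: which categories apply to each data-flow-diagram
# element type (the usual Microsoft/Shostack mapping).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                             # key of APPLICABLE
    crosses_trust_boundary: bool = False  # e.g. wallet <-> relying party


@dataclass(frozen=True)
class Threat:
    element: str
    category: str      # full STRIDE category name
    violated: str      # security property the threat breaks
    on_boundary: bool  # element crosses a trust boundary


# Simplified EUDI wallet model (assumed for illustration, not an official
# architecture): who talks to whom and where sensitive data rests.
WALLET_MODEL = [
    Element("EU citizen (wallet holder)", "external_entity"),
    Element("Relying party (online service)", "external_entity", True),
    Element("PID / attestation issuer", "external_entity", True),
    Element("EUDI wallet app", "process"),
    Element("Wallet secure storage (keys, eID data, attestations)", "data_store"),
    Element("Wallet <-> relying party presentation channel", "data_flow", True),
    Element("Wallet <-> issuer issuance channel", "data_flow", True),
]


def enumerate_threats(model):
    """Expand a list of Elements into one Threat per applicable STRIDE category."""
    threats = []
    for el in model:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {el.kind!r}")
        for letter in APPLICABLE[el.kind]:
            name, prop = STRIDE[letter]
            threats.append(Threat(el.name, name, prop, el.crosses_trust_boundary))
    return threats


def threats_for(threats, element_name):
    """STRIDE categories that apply to one element, sorted for stable output."""
    return sorted(t.category for t in threats if t.element == element_name)


def count_by_category(threats):
    """How many elements each STRIDE category touches; shows where to focus review."""
    counts = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


def boundary_threats(threats):
    """Threats on elements that cross a trust boundary: the first ones to mitigate,
    since that is where an attacker outside the wallet first gets a foothold."""
    return [t for t in threats if t.on_boundary]


if __name__ == "__main__":
    all_threats = enumerate_threats(WALLET_MODEL)
    for t in all_threats:
        flag = " [trust boundary]" if t.on_boundary else ""
        print(f"{t.element}: {t.category} (breaks {t.violated}){flag}")
    print(count_by_category(all_threats))
```

Enumeration is only the first step: each generated threat still needs a likelihood and impact estimate and a mitigation (for example, hardware-backed key storage against information disclosure from the data store, or mutual authentication against spoofing on the presentation channel). The value of running it mechanically is that no element is forgotten, which is exactly the mistake ad-hoc modeling of a seven-party ecosystem tends to make.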
It is worth noting that the EUDI wallet must work offline and must therefore store sensitive data such as cryptographic keys and personal identity documents on the device. This means that documents, keys and other private information are present on a mobile platform that may be exposed to loss, hardware failure, malware, hackers and thieves. Protecting the wallet's sensitive data against copying and viewing by unauthorized parties, while at the same time providing controlled access to authorized parties, is paramount.
The mobile platforms (iOS and Android) are controlled by US commercial companies, and their security roadmaps and update policies are outside EU control. Much of the mobile hardware is manufactured in the Far East, including mainland China. Relying solely on the hardware and OS platform's security measures is therefore a risk for vital identification documents such as passports and driver's licenses; a wallet should add its own application-level protections and verify the device's state (for example through hardware key attestation) rather than assume it.
The threat actors will then seek vulnerabilities in:
- The people that support the EUDI wallet ecosystem as well as the EU citizens that use the wallet.
- The processes associated with the scheme.
- The technologies with which the EUDI wallets have been implemented and the methods used to implement them.
Broadly speaking, when considering the EUDI wallet itself, there are two attack vectors:
- Attacks against the mobile app itself. Mobile apps published on platforms like the Apple App Store and Google Play can be installed on unmanaged devices. This exposes the EUDI wallet to countless attacks via the app or the device itself, such as reverse engineering the app, reading or manipulating its memory at runtime, altering the user interface with overlays, or publishing look-alike apps to confuse the user. While mobile app developers can use the security features of the OS and run penetration tests, this alone may not provide adequate protection for the EUDI wallet.
- Attacks against APIs and communication channels. Such attacks target the interfaces between the EUDI wallet and the other participants in the wallet scheme, primarily to expose personal identity data and attributes. Further attacks may attempt to infer the application's logic by probing those interfaces.
Threat agents can be considered an extension to the definition of threat actors and are typically tools, techniques and assets used to exploit vulnerabilities. They will be used in an attempt to exploit the attack surface of the EUDI wallet via one of the two attack vectors.
Examples of threat agents are numerous and include:
- Lost/stolen EUDI wallets in the hands of a threat actor.
- Malware installed on the device that interacts with the EUDI wallet in a malicious manner to log user credentials, capture its output, or probe the app into acting in an unintended way. This includes malicious overlays and screen-casting tools.
- Jailbroken (iOS) or rooted (Android) devices. Such a device offers fewer OS guarantees: sandboxing, code-signing enforcement and keystore protections can be bypassed, so the wallet can no longer rely on the platform to isolate it from other apps.
- Repackaged apps on the mobile device hosting the wallet that interact with the wallet.
- Mobile apps that incorrectly implement security mechanisms of the underlying mobile app platform (e.g. iOS, Android).
- A compromised or monitored network that allows eavesdropping on, or alteration of, the traffic between the wallet and the other participants in the scheme.
- Development and test tools that can interact with the mobile app at a low level to gain a detailed understanding of how the app’s security mechanisms work to obtain sensitive information contained within it or change the way in which the app operates.
- Poor code quality in the wallet app, which leads to exploitable vulnerabilities that an attacker can discover and use.
Launching an EUDI wallet without device and API assurance is not recommended.
For more in-depth insights, download the white paper "The European Digital Identity Wallet: Implementing Best-Practice Security for a High-Risk Asset".
Cryptomathic is a leader in eIDAS solutions and strong mobile app defense mechanisms - our Mobile App Security Core (MASC) provides a comprehensive security solution for apps that store sensitive data. Download the white paper on mobile app security or contact us for more information.