Showing posts from November, 2022

Understanding a chip-to-cloud 'eID' solution to find logic vulnerabilities

A relatively common approach to designing cost-effective, user-friendly chip-to-cloud solutions is to leverage the communication capabilities of the user's mobile phone. Instead of endowing the device with all the electronics and software it would need to autonomously transmit and receive data over the internet, the product uses a short-range communication stack such as Bluetooth/NFC (something any modern mobile phone supports by default), and an app on the phone creates a communication channel with the backend, thus acting as a bridge between both worlds. For instance, we can find this architecture in solutions for handling rental cars (virtual keys), electronic identity, authentication, and all kinds of IoT devices such as Electronic BagTags. In this post I'm covering the analysis of an eID solution, let's call it 'Honest eID', that implements this paradigm. I'm deliberately anonymizing/omitting certain te