Reversing into the depths of Turkish ID Cards

December 21, 2020

tl;dr Unobfuscated Compiled Java APIs = Jackpot

Now that Ave wrote about TCKK, its time to talk about my side of things.

I was able to sniff out my TCKK certificate back in 2017 but haven't gotten much deeper ever since.

...till 18th of December, 2020. Within 12 hours, I was able to supersede all my previous work with extremely deep work.

Screenshot of a Java Console Applet (what's not shown: Card Verifiable Certificates and Identity Hashes)

So, how did that happen? Cue e-Government portal logins.

The e-Government portal, e-Devlet, has a login method with TCKK; which I actually use.

The login method is basically a Java Web Applet (fancy way to say dynamic jar download/execution) that interfaces with e-Devlet and the TCKK to sign a challenge nonce and crosscheck the signature.

However, this app is not obfuscated.

And there's a tar like jar packager called jar.

Remove the GUI applet, repackage the rest and there you have it. The basic (and technically the enterprise) API is now accessible to you. Use the TS 13679 standard or decompile the API with FernFlower (included with IntelliJ IDEA) to understand it.

Reading the standard and looking up the API functions it looks like these are accessible without authentication:

ID Number
ID Serial
Name and Surname
ID ((Verification)) Certificate
ID ((Verification)) Sub-Root Certificate
Chip Serial
Chip Version Info
Hashes of the Identity Security Objects (and salts of the first 3 items of this list)
TCKK Version
TCKK Template Version

Rest either requires PIN1 (which you know) with Role Authentication (which the reading party has to have), or PIN2 (which you don't know and is only used for the other Electronic Signature Applet.)

This is all I dug up within 2 days! I hope to find more.

Contact

If you're from TUBİTAK and somehow ended up here, feel free to contact me at tckk <kuyruklu a> linuxgemini <nokta> space!