Security tests reveal serious vulnerability in government's One Login digital ID system
External security tests on the government's flagship digital identity system, Gov.uk One Login, have found serious vulnerabilities in the live service, Computer Weekly has learned.
A "red teaming" exercise conducted in March by IT security consultancy Cyberis found that privileged access to One Login could be compromised without detection by security monitoring tools.
According to Cyberis, red teaming tests the resilience of systems by simulating the tactics, techniques and procedures of cyber attackers to show how well an organisation can detect and respond to an incident.
Computer Weekly has been asked by the Department for Science, Innovation and Technology (DSIT) not to reveal further details of the vulnerability while the Government Digital Service (GDS) seeks to fix the problem.
Compromising the highest levels of access to a system risks exposing personal data and software code to any cyber attackers able to exploit the vulnerability.
A government spokesperson said: "Delivering best practice, we routinely conduct red teaming exercises to test security infrastructure. Where issues are found, we work urgently to resolve them."
The existence of a serious current vulnerability will raise further concerns over the security of One Login, which is intended to be the way that citizens prove their identity and log in to most online government services.
There are already six million users of the system, and it is used to access more than 50 online services.
Last month, Computer Weekly revealed that GDS was warned by the Cabinet Office in November 2022 and the National Cyber Security Centre (NCSC) in September 2023, that One Login had "serious data protection failings" and "significant shortcomings" in information security that could increase the risk of data breaches and identity theft.
GDS said the concerns were "outdated" and arose "when the technology was in its infancy in 2023", despite One Login being used at the time to support live services. "We have worked to address all these concerns as evidenced by several external independent assessments. Any suggestion otherwise is unfounded," said a spokesperson, at the time.
A whistleblower first raised security concerns about One Login within GDS as long ago as July 2022. The issues identified included system administration being carried out through non-compliant devices with a risk of transmitting security vulnerabilities, such as malware or phishing attacks, that could compromise the live system.
The NCSC recommends that system administration for key government services should be carried out from a dedicated machine used only for that purpose, known as a privileged access workstation (PAW), or alternatively to use only "browse down" devices, where the security level of the machine is always the same as or greater than that of the system being managed. The whistleblower warned that a lack of PAWs and the use of browse-up administration were significant risks.
Computer Weekly subsequently revealed that the One Login team has yet to fully meet NCSC guidelines – the system only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully followed a year ago.
The One Login development team is also yet to fully implement the government's Secure by Design practices, although GDS said the system "meets these principles".
Earlier this week, we further revealed that One Login had lost its certification against the government's own trust framework for digital identity systems, after a key technology supplier allowed its certification to lapse and, as a result, One Login was removed from the official accreditation scheme.
In a meeting with private sector digital identity providers this week (Wednesday 14 May), DSIT secretary of state Peter Kyle explained how One Login will underpin the forthcoming Gov.uk Wallet, which will be used to deliver digital versions of key government documents, such as driving licences.
Kyle talked about the "rapid journey" he hopes the government will take in delivering digital identity services for citizens and stressed the importance that such systems are "delivered safely [and] securely".
The government spokesperson added: "Gov.uk One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident response. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount."
Questions are also being asked in Parliament about the security of One Login. In recent weeks, Liberal Democrat peer and digital spokesman Tim Clement-Jones and Conservative peer Simone Finn have separately submitted Parliamentary questions to DSIT asking for reassurances about the system.
Finn asked whether the government has "quantified the risk and potential impact of insider threats, unauthorised privileged access, and production environment compromise within One Login".
In response, DSIT minister for the future digital economy and online safety, peer Maggie Jones, said: "The Gov.uk One Login team collaborates closely with the NCSC to assess and mitigate risks associated with insider threats, unauthorised privileged access, and production environment compromise, aligning with the Cyber Assessment Framework outlined in the Government Cyber Security Strategy 2022-2030.
"While assessments of insider threats have been made, copies of these assessments will not be placed in the Library of the House, as they are part of ongoing security measures and internal governance processes."
Clement-Jones asked: "What steps [the government is] taking to address security issues in the One Login digital identity system?"
Jones replied: "One Login follows the highest security standards for government and private sector services. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.
"Security best practice is followed with numerous layered security controls which include: Security clearances for staff with 'Security Check' clearance required for all developers with production access; identity and access management controls that block staff from viewing or altering personal information; a secure by design and compartmentalised system architecture; technical controls around builds and deployments; logging and monitoring to alert on access to environments that contain personally identifiable information; and robust procedures for addressing any unauthorised or unaccounted for access."
Speaking to Computer Weekly about the security concerns, Clement-Jones said: "How is the government's flagship digital identity system failing to meet standards so badly, given that it is expected to shortly form a vital part of our immigration controls? We need answers and quickly."