Europe’s age identification app that EU chief told world ‘will keep our children safe’ hacked in ‘under 2 minutes’; researcher tells what’s very wrong with the app
The European Union’s (EU) new Age Verification app has reportedly been hacked with little to no effort. The all-new app was launched by the European Union chief Ursula von der Leyen recently. “This app will allow users to prove their age when accessing online platforms. Just like shops ask for proof of age for people buying alcoholic beverages,” von der Leyen told journalists in Brussels. In simple words, the app is part of an initiative by the European Commission to standardise age checks across online services. The app reportedly uses the same model adopted during the Covid pandemic, when Brussels developed a tool allowing people to prove they had been vaccinated as countries reopened after lockdowns, she said. As per EU officials, once it becomes available, users would be able to download it from an online store, set it up with their passport or ID card and then use it to prove they are a certain age. The 27-country EU has some of the world’s strictest rules regulating the digital space, with multiple probes ongoing into the impact on children of platforms including Instagram and TikTok. “It is our duty to protect our children in the online world, just as we do in the offline world, and to do that effectively, we need a harmonised European approach,” she said.
Paul Moore tells what is fundamentally wrong with EU’s app
Just days after its official unveiling, security researcher Paul Moore has claimed to have hacked into it in under two minutes. Pointing to glaring security holes, he said that passport photos were stored unencrypted and that he was able to bypass PIN protection with a text editor. In a long post, Moore laid out what is, in his view, fundamentally wrong with the EU’s age verification app:

Let’s shift focus and explain why the #EU #AgeVerification concept is fundamentally flawed.

Assume:
1. The production app is released.
2. It’s 100% secure, 100% private (fantasy land, but stick with me).
3. It cryptographically challenges every step, including hardware attestation, which requires a physical device.
4. Every single other attack vector in the surrounding environment is somehow magically patched.
aka – it’s working exactly as intended/designed.

It does not protect against a relay attack.

This is a threat they considered and somewhat addressed here: https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/architecture-and-reference-framework-main.md

With the current design, there’s nothing preventing someone running a verification-as-a-service; a remote Android device which returns a valid attestation. Remember, it’s not returning “I am over 18”, it returns “someone is over 18”. Neither the verifier, nor the app has any way to link the session ID to a physical device.

Their own docs state this clearly:

Remote Cross-Device Presentation: “Note that the Wallet Instance does not see any difference between the cross-device flow and the same-device flow. In both cases, it receives an OpenID4VP-compliant presentation request over the Wallet Instance-platform API described in the previous section.”

This is a known & well-understood attack vector in all remote credential presentation models; it’s just not mitigated in this one… primarily because they can’t.
CTAP 2.2 won’t work with all app flows, hardware attestation doesn’t mitigate relay attacks, on-demand liveness detection would be too intrusive & potentially privacy-invasive & timing calculations don’t reveal anything useful… all the available options to resolve this break the core design; completely anonymous age verification.

The Architecture & Reference Framework (ARF) is technically sound in some respects. They considered external threat actors and discussed solutions to mitigate them, including ZKP. However, the EC applied the wrong threat model, thus arriving at the wrong conclusion.

Yes, you need to protect against malicious verifiers, phishing sites, session hijacks, data brokers et al… but that’s addressing external threats, it doesn’t protect the architecture from the user itself.

In virtually every other scenario, the user and system’s interests are aligned; protect my biometric asset at all costs.

Specifically for age verification, most users do not want to present ID simply to access a website, so whilst the system may adequately protect from external threats, if the user wants to bypass the system, they can… and the architecture doesn’t consider this.

Every single applied mitigation assumes the user is the protected party, not the threat actor.

To those people claiming “it requires physical access to the device and root, this is BS/hyperbole”, you too applied the wrong threat model & completely missed the point. These disclosures demonstrate that you, the user, are the threat actor they haven’t considered.

You have your device.
You can root your device.
You can create a chrome extension, just as I did.

Ironically, it’s precisely those under 18 who can’t pass verification who are motivated to bypass it.

So where does that leave us?

A system which replaces “I am over 18” with “someone is over 18”, with absolutely no guarantee that it’s true… which is the entire purpose of the app.
How EU’s app fails to keep users’ data safe
In another post on Twitter, Moore went further into what he considers wrong with the app. He said, “It’s not easy to visualize the relay attack against the #EU #AgeVerification app from a user’s perspective, so here it is:”

Even if the app works exactly as designed, the website & verification process is entirely decoupled & ‘anonymous’.

The architecture assumes you’ll send the request to your device, which contains your biometric data. But, it can go to any device, anywhere in the world… and because the phone has no way to know who initiated the process, the child still passes age verification.

The assertion is the user is over 18. In reality, the app is responding to say the owner of this Android device is over 18. It doesn’t know who the user is… how can it know their age?

This is the current design, not a bug.

They thought the ISO/IEC 18013-7 Annex C/DC API upgrade would protect against this, but CTAP only protects against external attackers, not the user wanting to bypass the system themselves – hence my description that we’ve replaced “I am over 18” with “someone is over 18” and it’s supposedly better.

If (more likely when) this is exploited, will company Directors/staff still face fines, legal action or imprisonment for not protecting children?

Once you’ve signed in, websites are highly unlikely to ask for age verification again… so this attack, even if it could be mitigated in some way (I can’t see how) only applies to new verifications.
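The threat-model gap Moore describes in both posts above (the “verification-as-a-service” point in the first, and the decoupled website/verification process in the second) can be modelled in a few lines. The following is an added illustration written for this page, not code from the EU wallet project or from Moore; the HMAC attestation key, the session store and the claim name are constructed stand-ins for the real OpenID4VP and attestation machinery.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass


@dataclass
class WalletInstance:
    """One wallet bound to one device; the holder's attribute is fixed at enrolment."""
    device_id: str
    over_18: bool
    key: bytes  # constructed attestation key standing in for a hardware-backed key

    def present(self, request: dict) -> dict:
        # The wallet sees only the request (nonce + requested claim). As the ARF text
        # quoted above states, the same-device and cross-device flows look identical
        # from here, so the wallet cannot know who initiated the session.
        payload = f"{request['nonce']}:age_over_18={self.over_18}".encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"nonce": request["nonce"], "age_over_18": self.over_18, "tag": tag}


class Verifier:
    """Relying party: issues one nonce per browser session and checks the answer."""
    def __init__(self, trusted_keys):
        self.trusted_keys = trusted_keys  # constructed set of trusted attestation keys
        self.sessions = {}

    def new_request(self, session_id: str) -> dict:
        nonce = secrets.token_hex(8)
        self.sessions[session_id] = nonce
        return {"nonce": nonce, "claim": "age_over_18"}

    def accept(self, session_id: str, presentation: dict) -> bool:
        # The external-threat mitigations are all present: the nonce is single-use
        # (a replay fails) and the tag must come from a trusted key. But no input
        # to this predicate identifies the device or person behind session_id.
        if presentation["nonce"] != self.sessions.pop(session_id, None):
            return False
        payload = f"{presentation['nonce']}:age_over_18={presentation['age_over_18']}".encode()
        expected = [hmac.new(k, payload, hashlib.sha256).hexdigest() for k in self.trusted_keys]
        valid = any(hmac.compare_digest(e, presentation["tag"]) for e in expected)
        return valid and presentation["age_over_18"]


def run_flow(verifier: Verifier, session_id: str, responder: WalletInstance) -> bool:
    """Whoever holds the request can hand it to any wallet; the outcome depends only
    on the responder's attribute, i.e. the verifier learns 'someone is over 18'."""
    request = verifier.new_request(session_id)
    return verifier.accept(session_id, responder.present(request))
```

Every check the relying party performs (fresh single-use nonce, trusted key, true claim) passes or fails without any input about who started the session, which is exactly the gap the ARF threat model leaves open.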