Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app.
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
-
R relay@relay.infosec.exchange shared this topic
M mttaggart@infosec.exchange shared this topic
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker@mastodon.social I'm not sure you can call it a hack. You can change the app pin from outside the app if you have access to the phone and it's unlocked.
-
System shared this topicR relay@relay.mycrowd.ca shared this topic
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker what do youcexpect with #Zensursula at the helm of @EUCommission ?
- Her biggest #FailToFame was insulting everyone who was more #TechLiterate than her (aka. able to change #DNS settings) as "hardened pedo criminal" almost 20 years ago, to the point that CSA victims had to tell her to 'STFU!'
- I still demand her personal apology to this day, with interest!!!
- Her biggest #FailToFame was insulting everyone who was more #TechLiterate than her (aka. able to change #DNS settings) as "hardened pedo criminal" almost 20 years ago, to the point that CSA victims had to tell her to 'STFU!'
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
RE: https://mastodon.social/@zackwhittaker/116420253095786124
@zackwhittaker
Yep, two minutes to hack or break.Bet my grandchildren ccould do it in one minute.
Age verifaction apps, software will never work for there intended purpose. And who alone knows their unintended consequences. Bad idea best left alone.
#ageverification -
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
Commission releases enhanced second version of the age-verification blueprint
The second version of the age verification blueprint introduces additional features, such as the use of passports and ID cards for onboarding.
Shaping Europe’s digital future (digital-strategy.ec.europa.eu)
"Work is ongoing to include zero-knowledge proof technology [...] this technology will further underscore the commitment to privacy-focused innovation.
From the documentation:
av-doc-technical-specification/docs/architecture-and-technical-specifications.md at main · eu-digital-identity-wallet/av-doc-technical-specification
European Age Verification solution documentation. Contribute to eu-digital-identity-wallet/av-doc-technical-specification development by creating an account on GitHub.
GitHub (github.com)
Zero-Knowledge Proofs
A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP) solution [...]
"A next version", "experimental", but fully committed to privacy-focused innovation.
It includes this gem:
This backward compatibility allows AVIs to gracefully fall back to traditional protocols in environments where ZKPs are not supported.
Not a cryptographer, but this backwards compatibility (on something that doesn't exist yet, but let's ignore that) feels like a downgrade attack waiting to happen.
-
Commission releases enhanced second version of the age-verification blueprint
The second version of the age verification blueprint introduces additional features, such as the use of passports and ID cards for onboarding.
Shaping Europe’s digital future (digital-strategy.ec.europa.eu)
"Work is ongoing to include zero-knowledge proof technology [...] this technology will further underscore the commitment to privacy-focused innovation.
From the documentation:
av-doc-technical-specification/docs/architecture-and-technical-specifications.md at main · eu-digital-identity-wallet/av-doc-technical-specification
European Age Verification solution documentation. Contribute to eu-digital-identity-wallet/av-doc-technical-specification development by creating an account on GitHub.
GitHub (github.com)
Zero-Knowledge Proofs
A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP) solution [...]
"A next version", "experimental", but fully committed to privacy-focused innovation.
It includes this gem:
This backward compatibility allows AVIs to gracefully fall back to traditional protocols in environments where ZKPs are not supported.
Not a cryptographer, but this backwards compatibility (on something that doesn't exist yet, but let's ignore that) feels like a downgrade attack waiting to happen.
Full disclosure: I am very much opposed to this very, very bad idea.
⠠⠵ avuko (@avuko@infosec.exchange)
Attached: 1 image Nee. “leeftijdscontrole” gaat niet werken. Het is ook een directe schending van Artikel 24 van het EU-Handvest van de Grondrechten: > 1. Kinderen hebben recht op de bescherming en de zorg die nodig zijn voor hun welzijn. **Zij mogen vrijelijk hun mening uiten.** […] En het is “Ausweis, bitte!” voor ons allemaal bij elke online handeling. — No. “Age verification” is not going to work. It is also a direct violation of the EU Charter of Fundamental Rights: > 1. Children shall have the right to such protection and care as is necessary for their well-being. **They may express their views freely.** […] And it is “Ausweis, bitte!” for us all with every online interaction. https://nos.nl/artikel/2610613-twijfel-bij-deskundigen-of-online-leeftijdscontrole-wel-gaat-werken #AgeVerification #Leeftijdsverificatie #Leeftijdscontrole #EU #Europe #EuropeanUnion
Infosec Exchange (infosec.exchange)
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker Don't fully understand the complaints. The app is just that: an app on your phone to simplify the verification process. I don't think it is even necessary to "hack" it, you could just write your own fork of the app, right?
The age verification process itself seems to be unrelated to that problem. -
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker isn't that the point of being open source? So that everyone can hack it and show where the flaws are? So that it can be improved. I'm not sure about your experience with apps, but I receive updates several times per week, sometimes multiple times a day. This project is not even in its released form yet and so many people have doomed it already. I don't understand the dooming as if everything is lost and over. You can never have perfect software from the first try.
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker HACK THE AGEVERIFICATION APPS!
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker I also now read your blog post and for me it seems that the eu age verification app seems to adresss all your concerns:
- it does not store private data (except for age)
- it does not use an ID
- it is not run by a private company
It is even open source!. -
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker by starting + get reviews and tips >> there will come something nice I guess
Comitees are also just people
-
@zackwhittaker I also now read your blog post and for me it seems that the eu age verification app seems to adresss all your concerns:
- it does not store private data (except for age)
- it does not use an ID
- it is not run by a private company
It is even open source!.It stores medical presciptions, driver's licences, educational qualifications
All exchanges of data with third-parties are tracked ie. it knows who you verified your data with
It uses the app stores to install on your phone ie. Google and Apple - so you know it's trustworthy. lol.
I examined the repo closely. I took out 6 key points. I also shot a highlight video if you're interested?
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker let's stop doing #europe 's work for them. Citizens of the #eu are going to need every single one of these exploits to circumvent this #euwallet
This is the single edge case in which ethical disclosure of software vulnerabilities works against the community. Let's STOP fixing this #software 🫡
-
E em0nm4stodon@infosec.exchange shared this topic
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker *crazed* hahahahahahaha
And these are the people that people in country keep putting in charge. Here in the USA, we are the example of what not to do. We should be a warning, not a model to follow.
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
Told you so…
-
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker
What I really don't understand, especially when it comes to security-relevant software, is why the code isn't reviewed and the software isn't tested by independent external experts before release? Such an embarrassing situation, just like in the case of the electronic patient record (ePa), could be avoided. -
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
@zackwhittaker
@EUCommission
@echo_pbreyerinstead of having age verification,
since we're supposedly pursuing online safety
why not take cues from industrial safety,
and mandate a BIG red button on a yellow background for every post/user/channel that when clicked,
immediately hides and unloads that post/user/channel's content for the person pressing it, with a pop-up to report the post/user/channel to the moderation staff of the service? -
Embarrassing times for the European Commission after security researchers found flaws within minutes of using its age verification app. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
(ICYMI: I have a blog post on why age verification laws are a bad idea to begin with: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/)
Awesome! The way I see it, an age verification app should be trivially breakable, and any kid who breaks it should have full adult privileges.
Start 'em Young!
