Embarrassing data protection risk: EU age verification app already cracked

Expensive, flawed and quickly cracked: the EU’s planned app for age verification is currently proving to be a gigantic security risk. By simply tampering with configuration files, attackers can easily undermine its data protection.
EU age test under criticism
The European Commission is planning an app for age verification on social networks. Commission President Ursula von der Leyen announced that the application could be launched shortly. It is intended to serve as a digital identification document and is based on the zero-knowledge proof process. Platforms only receive information about whether an age limit has been reached, but not the identity of the user. However, security experts express considerable doubts. They criticize the architecture of the open source application and point to security gaps.
A central point is the local storage of sensitive data on the end devices. A hasty start could damage trust in future digital identity projects such as the EUDI wallet. The IT security consultant Paul Moore shows in an article that the system can be quickly bypassed. A PIN is assigned during setup. Although this is stored encrypted, it is not cryptographically linked to the identity data store. This is considered a significant data protection risk. By removing certain values in the configuration file, the PIN can be reset after a reboot while the verified ID data remains valid. Other vulnerabilities relate to the rate limit for PIN entries, which can be bypassed by resetting a counter. Biometric authentication can also be disabled by changing a single value.
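The design flaw described above, a PIN record that is merely stored next to the identity data instead of being cryptographically bound to it, is easiest to see side by side with the fix. The following is an added illustration written for this page, not code from the EU app, from Scytales or from Deutsche Telekom; the storage layout, the sample identity record and the PBKDF2 parameters are all constructed. The weak layout gates access on an independent PIN hash, so regenerating the PIN fields leaves the old identity record readable under the new PIN. The bound layout authenticates the identity record under a key derived from the PIN, so a new PIN yields a different key, the stored tag no longer verifies, and the record cannot be released without repeating identity verification. A production wallet would encrypt the record under that derived key rather than only MAC it; the HMAC keeps this example standard-library only while showing the binding property.

```python
import hashlib
import hmac
import json
import os

# Constructed sample of the kind of record an age-verification wallet keeps.
SAMPLE_IDENTITY = {"over_18": True, "issuer": "example-issuer", "expires": "2026-12-31"}
PBKDF2_ROUNDS = 100_000  # illustrative work factor


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the short PIN into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _mac(key: bytes, identity: dict) -> str:
    """Authenticate the canonical JSON form of the identity record under key."""
    payload = json.dumps(identity, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


# --- Weak layout: PIN record and identity record are independent -------------

def weak_setup(pin: str, identity: dict) -> dict:
    salt = os.urandom(16)
    return {
        "pin_salt": salt.hex(),
        "pin_hash": derive_key(pin, salt).hex(),  # PIN check material only
        "identity": identity,                     # no cryptographic link to the PIN
        "verified": True,                         # plain flag set after ID verification
    }


def weak_unlock(store: dict, pin: str):
    """Release the identity if the separate PIN gate passes."""
    if "pin_hash" not in store:
        return None  # app would treat this as first run and ask for a new PIN
    expected = derive_key(pin, bytes.fromhex(store["pin_salt"])).hex()
    if hmac.compare_digest(expected, store["pin_hash"]) and store.get("verified"):
        return store["identity"]
    return None


# --- Bound layout: identity record authenticated under a PIN-derived key ------

def bound_setup(pin: str, identity: dict) -> dict:
    salt = os.urandom(16)
    tag = _mac(derive_key(pin, salt), identity)
    return {"salt": salt.hex(), "identity": identity, "tag": tag}


def bound_unlock(store: dict, pin: str):
    """Release the identity only if the PIN-derived key reproduces the stored tag."""
    key = derive_key(pin, bytes.fromhex(store["salt"]))
    if hmac.compare_digest(_mac(key, store["identity"]), store.get("tag", "")):
        return store["identity"]
    return None  # wrong PIN, or a record that was bound to a different PIN


# --- Model of "PIN fields removed, setup runs again, identity kept" ------------

def demo() -> dict:
    """Re-run PIN setup over an existing store on both layouts and report
    whether the previously verified identity is still released."""
    weak = weak_setup("1234", SAMPLE_IDENTITY)
    weak.pop("pin_hash")
    weak.pop("pin_salt")
    salt = os.urandom(16)                          # setup path writes fresh PIN fields
    weak["pin_salt"] = salt.hex()
    weak["pin_hash"] = derive_key("0000", salt).hex()

    bound = bound_setup("1234", SAMPLE_IDENTITY)
    bound["salt"] = os.urandom(16).hex()           # fresh PIN record, old tag left behind

    return {
        "weak_identity_after_reset": weak_unlock(weak, "0000"),    # old record released
        "bound_identity_after_reset": bound_unlock(bound, "0000"),  # None: must re-verify
    }


if __name__ == "__main__":
    print(demo())
```

The bound layout only addresses the PIN-to-data link the article names; the resettable attempt counter is a separate problem, since any counter the app keeps in an ordinary file can be rolled back along with the rest of the store, which is why such limits are normally enforced in hardware-backed storage or by the issuer rather than in a local config file.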
Improvements are mandatory
The open source code allows for quick analysis by independent experts. The EU Commission defends the project, which costs around four million euros and is being developed by Scytales and Deutsche Telekom. Identity solutions of this type require complex cryptographic procedures, and implementation errors in such procedures have repeatedly led to security incidents. According to the Commission, this is not yet a final version and is being continually revised.
Zero-knowledge systems are considered particularly demanding because they are designed to exclude conclusions about original data. The now known vulnerabilities primarily concern the interaction between local storage and cryptographic verification. Critics also doubt the effectiveness of technical age controls. Country restrictions can be circumvented using VPN, for example.