Brussels launched an age-checking app. Hackers say it takes 2 minutes to break it. (POLITICO)
Cyber experts say they have found holes in Brussels' age verification app, despite claims by the EU executive that it is "technically ready."

BRUSSELS - The European Union's unveiling of a mobile app to check people's age online has quickly turned sour, as cybersecurity experts found glaring privacy and security problems with the code.

European Commission President Ursula von der Leyen presented the age-verification tool in Brussels on Wednesday, saying it was "technically ready" and will soon be available to use as countries move to ban kids from social media.

"It is fully open source. Everyone can check the code," von der Leyen said.

Cyber and privacy experts immediately dove into the source code on the GitHub software platform and reported several issues with the app's design.

The saga is turning into a PR disaster for Brussels. But underneath the controversy over the code lie deeper divisions between privacy campaigners, child rights groups, tech firms and politicians over how to protect minors online, as leaders promise to shield kids from social media and porn sites.

Within hours of the EU's app release, security consultant Paul Moore found it would store sensitive data on a user's phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes.

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app's biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.

Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: "Let's say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."

The European Commission on Friday stood by its statement that the app is technically ready. "Yes, it is ready. Maybe we can add, and it can always be improved," Chief Spokesperson Paula Pinho told reporters.

Digital spokesperson Thomas Regnier said: "Now, when we say it's a final version, it's still a demo version." He added the final product is not yet available for citizens and the code will be constantly updated and improved. "I cannot today exclude or prejudge if further updates will be required or not."

The European Commission on Thursday told POLITICO in a statement that the hackers were probing an earlier demo version of the app that was released for testing and development purposes. The vulnerability was fixed, it said.

But both Moore and Blazy said they were conducting their tests on the latest version of the EU's code online.

"It's a good thing they made the app open source for experts to try and test it. The problem is the released source code does not meet cybersecurity standards we would expect for such an important app," Blazy said.

"We were worried that the Commission would launch its app in a hurry, no matter its security issues, and now we can see it wants to launch something that is not technically ready," Blazy added. Such a rushed launch could undermine trust in future digital identity wallets.

Inti De Ceukelaire, a prominent Belgian ethical hacker, said: "For open source code projects like this one, it would be a good move to also publish any security assessments prior to launch, so everyone can balance out the benefits versus the risks."

The online row over the EU's app reveals a fierce divide on how to handle internet users' access to everything from porn sites to social media platforms.

The EU and many of its member countries are in the middle of rolling out ways to check people's ages online, driven by a political push to better protect kids on the internet.

French President Emmanuel Macron gathered heads of state from across Europe for a video call on the issue on Thursday evening, attended by von der Leyen, Italy's Giorgia Meloni, Spain's Pedro Sánchez, Germany's Friedrich Merz and other leaders.

Australia in December became the first country in the world to implement restrictions on kids' use of social media, effectively banning under-16s from using popular platforms like TikTok and YouTube.

The European Commission in 2024 opened a €4 million tender for the age verification app late last year, which was won by Swedish digital identity company Scytáles and Deutsche Telekom.

The app allows users to verify their age via their passport, a national ID or via trusted providers like a bank. Tech platforms can ask the app if a person is over a certain age but wouldn't have access to more personal data, in what's known as a zero-knowledge proof method aimed at preserving privacy.

National governments can equally design their own apps, and the apps are meant to work together to allow for smooth age checks across the bloc.

But critics of age blocks say the technology to check people's ages with proper privacy and data protections just isn't ready, and even if it was, internet users would easily bypass it with things like virtual private networks (VPNs) that mask their location.

Blazy was part of a group of more than 400 privacy and security experts who sent an open letter to the Commission in March to impose a moratorium on deployment plans until the scientific consensus settles on the benefits and harms that age-assurance technologies can bring, and on the technical feasibility of such a deployment.

According to Markéta Gregorová, a member of the Czech Pirate party in the European Parliament and the lead lawmaker on a new cybersecurity bill, this process is being rushed under political pressure. Europe should take a much closer look at the app to assess if all measures were taken for cybersecurity and privacy, Gregorová said.

Birgit Sippel, a prominent German center-left lawmaker, called the app a half-baked app solution that doesn't live up to the EU's own standards in a comment to POLITICO.

Piotr Müller, a Polish lawmaker for the European Conservatives and Reformists, said: "Brussels is once again pushing for a centralized EU-wide technological tool. The hastily announced age verification app poses a massive risk to the privacy of citizens. We cannot agree to the step-by-step creation of a Chinese-style internet in Europe."

Laurens Cerulus contributed reporting.