EU's Age Verification App Compromised Within Minutes of Launch
The European Union's newly launched Age Verification application has reportedly been hacked with minimal effort, raising serious concerns about its security infrastructure. The app, introduced by European Commission President Ursula von der Leyen, was designed to standardize age checks across online platforms throughout the 27-nation bloc.
Official Purpose and Implementation
"This application will enable users to demonstrate their age when accessing digital platforms, similar to how physical establishments request identification for age-restricted purchases," von der Leyen explained during a Brussels press conference. The initiative represents part of the European Commission's broader strategy to create harmonized digital protections, particularly for minors navigating online spaces.
The technical framework mirrors the model developed during the COVID-19 pandemic, when Brussels created digital vaccination certificates to facilitate international travel during reopening phases. According to EU officials, users would download the application from official stores, configure it with their passport or national identification card, and subsequently utilize it to verify meeting age requirements for various online services.
The European Union maintains some of the globe's most stringent digital regulations, with multiple investigations examining how platforms including Instagram and TikTok impact younger users. "We have an obligation to safeguard our children in the digital realm just as we do in physical environments, and achieving this effectively demands a coordinated European methodology," von der Leyen emphasized.
Security Vulnerabilities Exposed
Merely days following its official unveiling, cybersecurity researcher Paul Moore demonstrated that he could penetrate the application's defenses in under two minutes. Moore identified glaring security deficiencies, revealing that passport photographs were stored without encryption and that PIN protection mechanisms could be circumvented using basic text editing tools.
In a comprehensive analysis, Moore outlined fundamental architectural flaws in the EU's age verification concept. He presented a hypothetical scenario where the application functioned perfectly according to design specifications, yet still remained vulnerable to relay attacks that undermine its core purpose.
Critical Design Flaws Identified:
- The system cannot prevent verification-as-a-service operations where remote Android devices provide valid attestations
- The application returns "someone is over 18" rather than verifying the specific user's age
- Neither verifiers nor the application can link session identifiers to physical devices
- The architecture fails to consider users as potential threat actors seeking to bypass restrictions
Moore highlighted that the European Commission applied an incorrect threat model, focusing primarily on external threats while neglecting the reality that users themselves—particularly minors motivated to access restricted content—might attempt to circumvent the system. "Ironically, those under 18 who cannot pass verification are precisely the individuals most incentivized to bypass it," Moore noted.
Relay Attack Vulnerability
In subsequent social media posts, Moore further elaborated on the application's weaknesses, particularly emphasizing the relay attack vulnerability. Even with perfect implementation, the verification process remains entirely decoupled and anonymous, allowing age verification requests to be redirected to any device worldwide.
"The architecture presumes requests will be sent to your personal device containing your biometric information," Moore explained. "However, these requests can be routed to any device globally, and since the phone cannot identify who initiated the process, minors can still pass age verification."
The fundamental issue, according to Moore, is that the application confirms the device owner's age rather than the actual user's age. This design limitation transforms the verification from "I am over 18" to "someone is over 18" without guaranteeing the statement's accuracy for the specific individual accessing content.
Although the application incorporates technical safeguards such as CTAP 2.2 and hardware attestation, these measures primarily protect against external attackers rather than users who are trying to bypass the system themselves. Once a user has verified their age, websites are unlikely to request re-verification, so a single relayed verification can persist across new account creations.
The security revelations raise significant questions about the application's effectiveness in protecting children online and whether organizations could still face legal consequences for inadequate age verification despite these inherent architectural limitations.