
Info Bypassing the EU Age Verification App


Arnox

By Paul_Reviews (Paul Moore) and Pirat_Nation

Security researcher Paul Moore has demonstrated how the EU age verification app can be compromised in under 2 minutes with nothing more than physical access to a device.

By editing the app’s shared preferences file an attacker can remove the encrypted PIN values, reset the rate limiting counter to zero, and disable biometric requirements entirely.

The app then accepts a new PIN and grants access to the existing age verification credentials.

His earlier analysis of the open source code also revealed that the app stores NFC biometric facial data and user selfies as unencrypted lossless PNG files on the device.

Hacking the #EU #AgeVerification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app encrypts it and saves it in the shared_prefs directory.

- It shouldn't be encrypted at all - that's a really poor design.
- It's not cryptographically tied to the vault which contains the identity data.

So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.

After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.

Other issues:

1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
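The point above about the PIN not being cryptographically tied to the vault can be shown with a small model. This is an added example, not part of the original post and not the app's code: `weak_open`, `bound_setup` and `bound_open` are hypothetical names, the prefs are modelled as a plain dict, and PBKDF2 with an XOR wrap plus HMAC stands in for whatever KDF and authenticated cipher a real app would use.

```python
import hashlib, hmac, os

def _derive(pin, salt):
    # Stretch the PIN: 32 bytes wrap the vault key, 32 bytes authenticate the wrap.
    okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def weak_open(prefs, vault, pin):
    """Model of the flaw: the PIN record only gates the UI, the vault never needs it."""
    digest = hashlib.sha256(pin.encode()).hexdigest()  # stand-in for the app's PinEnc
    if "PinEnc" not in prefs:          # missing record is treated as first run
        prefs["PinEnc"] = digest
        return vault["credentials"]    # old credentials remain readable
    return vault["credentials"] if hmac.compare_digest(prefs["PinEnc"], digest) else None

def bound_setup(prefs, pin):
    """Hardened: a random vault key is stored only wrapped under a PIN-derived key."""
    vault_key, salt = os.urandom(32), os.urandom(16)
    wrap_key, mac_key = _derive(pin, salt)
    wrapped = _xor(vault_key, wrap_key)  # one-time pad: wrap_key is unique per salt
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    prefs["wrap"] = {"salt": salt, "wrapped": wrapped, "tag": tag}
    return vault_key

def bound_open(prefs, pin):
    rec = prefs.get("wrap")
    if rec is None:
        return None                      # record deleted: key is lost, not reset
    wrap_key, mac_key = _derive(pin, rec["salt"])
    expected = hmac.new(mac_key, rec["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        return None                      # wrong PIN or edited record
    return _xor(rec["wrapped"], wrap_key)

if __name__ == "__main__":
    prefs, vault = {}, {"credentials": "constructed sample credential"}
    weak_open(prefs, vault, "1234")
    del prefs["PinEnc"]
    print("weak, after edit:", weak_open(prefs, vault, "9999"))
    p = {}
    bound_setup(p, "1234")
    del p["wrap"]
    print("bound, after edit:", bound_open(p, "9999"))
```

In the bound design, deleting or editing the stored record destroys access to the vault key instead of resetting it. A short PIN is still guessable offline, so a real app would also bind the derivation to a hardware-backed key that enforces the attempt limit outside an editable file.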
 