Cybersecurity experts hack settled status app with devils’ horns to show security flaws
A cybersecurity company has inserted a devil icon into the Home Office settled status app to show it is at 'serious risk of malware attack'.
Norwegian security company Promon said it met "no resistance" while testing the EU Exit: ID Document Check app, which EU citizens in the UK use to confirm their identity as part of their settled status applications, and found numerous security flaws.
Promon chief technology officer Tom Lysemose Hansen said the app, which is currently only available on Android, lacks "crucial" security measures.
Promon says the weaknesses could let attackers steal passport data, passwords and facial scans.
The company tested the app's resilience against basic and commonly used attack methods and tools.
Lysemose Hansen told the FT: "The tools we used are typically very easily accessible and require very little technical skill to use.
"It means any type of bad actor could perform this attack, without sophisticated technical knowledge."
He added that they had "experienced no resistance".
He continued: "There is very little the end user can do, since this is a government app. There is a lot of responsibility on the app makers to provide security measures here, because of this level of trust.
"Very personal and sensitive information is being handled, and millions of people are using it so you would expect stringent protection measures, similar to banking apps."
The company says the app falls short of the minimum requirements for resisting such attacks set by the OWASP Mobile Application Security Verification Standard (MASVS), whose resilience requirements cover tamper detection and resistance to runtime hooking; the Home Office said the app "adheres to industry best practice".
Promon's testing indicates that malware already present on the device could read the app's data, hijack its execution and inject new code at runtime without the app detecting any of it.
An attacker could also modify the app, add malicious components, and repackage and redistribute it, again without the app detecting the change. That is how Promon inserted the devil icon into the running app.
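Repackaging and runtime injection going unnoticed is what the MASVS resilience requirements are meant to address: the app checks its own integrity and environment rather than trusting the device. Below is an added example of one such check for Android, written for this page and not taken from the Home Office app or from Promon. A repackaged APK must be re-signed by whoever modified it, so its signing certificate changes; the check pins the SHA-256 fingerprint of the legitimate signing certificate and compares it at startup. The `EXPECTED_SIGNER_SHA256` value is a placeholder assumption, not the real app's fingerprint.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example: a minimal repackaging check for an Android app.
 * The app pins the SHA-256 of its own release signing certificate and
 * refuses to treat itself as genuine when the installed APK was signed
 * by anything else.
 */
public final class SignerCheck {

    // Placeholder: hex SHA-256 of the legitimate release signing certificate
    // (DER bytes). This value is an assumption for the example.
    static final String EXPECTED_SIGNER_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SignerCheck() {}

    /** Returns true when the installed APK is signed by exactly the expected certificate. */
    public static boolean isGenuineBuild(Context ctx) {
        try {
            Signature[] signers = currentSigners(ctx);
            // This app ships with a single signer; anything else is treated as tampered.
            if (signers == null || signers.length != 1) {
                return false;
            }
            String actual = sha256Hex(signers[0].toByteArray());
            // Constant-time compare; the attacker is on the device anyway, but it costs nothing.
            return MessageDigest.isEqual(
                    actual.getBytes(StandardCharsets.US_ASCII),
                    EXPECTED_SIGNER_SHA256.getBytes(StandardCharsets.US_ASCII));
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Fail closed: if the signature cannot be read, do not assume the build is genuine.
            return false;
        }
    }

    @SuppressWarnings("deprecation")
    private static Signature[] currentSigners(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // API 28+: report the certificate(s) that actually signed this APK's contents,
            // excluding any past certificates listed in the rotation history.
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return info.signingInfo.getApkContentsSigners();
        }
        // Older platforms: deprecated API, kept only as a fallback.
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

A check like this is one layer, not a guarantee: an attacker who can repackage the APK can also patch the check out, and a hooking framework can make `isGenuineBuild` return true. It raises the cost of tampering, which is what the MASVS resilience requirements ask for; the stronger control is attestation verified server-side, where the app cannot vouch for its own state.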
"At this time of political uncertainty, the last thing that people who are applying to remain in the UK need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers," he said.
"As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave, it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating."
The app has been downloaded more than one million times.
Promon CEO Gustaf Sahlman called on governments "to realise just how dangerous mobile malware is, and to offer their end users protection".
The Home Office told the FT: "We take the security and protection of personal information extremely seriously. The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility.
"Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."