Security audit Berichtenbox & DigiD

As part of the Laboratory for Quality Software at the Radboud University Nijmegen I have performed technical penetration tests of pre-release versions of the Berichtenbox and DigiD apps. These apps provide the digital identity and messaging services to all Dutch citizens.

During these projects I performed the technical penetration tests, black box assembly analysis, development of Proof of Concept attacks, writing of the technical sections of the security audit reports and in-person meetings to detail our findings. My team was successful in finding and exploiting critical vulnerabilities that were not found by at least two other ‘reputable’ companies that normally perform security audits for government organisations.

These attacks included brute force computation using consumer GPUs and OpenCL, as well as exploiting zero days for Android and iOS.
