Adolf Hitler, SpongeBob… Internet users had fun creating fake health passes via a security breach

Real fake QR code… Since Wednesday, some Internet users have claimed on forums and social networks to hold the secret cryptographic keys used to generate a valid QR code for the European health pass. This code contains the identity of its holder and information on their vaccination status or immunity.

As proof, these users have created valid codes with fanciful names, such as Adolf Hitler or SpongeBob.

After several days of these real fake vaccination passes circulating, European countries ended up revoking poorly protected cryptographic keys, while the French and Polish authorities have launched an investigation. “We are well aware of suspected fraudulent manipulation of the QR code of the European Covid certificate,” said a spokesperson for the European Commission on Friday.

A fault in North Macedonia

The private encryption keys were not compromised, however, the European Commission assured; it rejects the theory of a technical failure and instead denounces “illegal activity”. In some cases, “the certificates were generated by people with valid credentials to access national IT systems,” says the institution.

But according to experts, Internet portals, including that of North Macedonia (a country outside the EU but integrated into the European health system since August), also lacked the most basic protections and generated many fraudulent codes.

“Each country has one or more signatures, and in each pass, we find out which key it was signed by,” explained Gaëtan Leurent, a cryptography researcher at the National Institute for Research in Digital Sciences and Technologies. For the system to work, all the servers used to sign passes must be properly protected. “If a service stays open and signs anything, in practice it’s a bit the same thing” as if the key had been stolen, he added.

A mysterious vaccination certificate in the name of Mickey Mouse

To remedy the flaw, the member states of the eHealth Network (the European Union-wide public health network) agreed to “block the two fraudulent certificates so that they are considered invalid by verification applications”. The Macedonian portal has also been deactivated. In France, the TousAntiCovid Verif application was updated on Thursday morning.
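The verifier-side logic described above (look up the signing key named in the pass, check the signature, then apply blocklists), as an added sketch that is not code from TousAntiCovid Verif or any real verification app. The key IDs, keys and names are constructed, and HMAC-SHA256 stands in for the public-key signature a real pass uses.

```python
import hashlib
import hmac
import json

# Constructed trust list: key ID -> key. HMAC-SHA256 stands in for the
# public-key signature a real pass uses (a simplification for this sketch).
TRUST_LIST = {"XX-1": b"constructed-key-xx", "YY-1": b"constructed-key-yy"}
REVOKED_KEY_IDS = set()      # signing keys withdrawn after exposure
BLOCKED_CERT_HASHES = set()  # individual passes blocked by verifiers


def payload_bytes(payload):
    return json.dumps(payload, sort_keys=True).encode()


def sign(key_id, payload):
    """Signing service: it signs whatever it is handed, real holder or not."""
    key = TRUST_LIST[key_id]
    sig = hmac.new(key, payload_bytes(payload), hashlib.sha256).hexdigest()
    return {"kid": key_id, "payload": payload, "sig": sig}


def cert_hash(cert):
    return hashlib.sha256(payload_bytes(cert)).hexdigest()


def verify(cert):
    """Return (accepted, reason) as a verification app would decide."""
    key = TRUST_LIST.get(cert.get("kid"))
    if key is None:
        return False, "unknown key id"
    if cert["kid"] in REVOKED_KEY_IDS:
        return False, "signing key revoked"
    expected = hmac.new(key, payload_bytes(cert["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(cert.get("sig", ""))):
        return False, "bad signature"
    if cert_hash(cert) in BLOCKED_CERT_HASHES:
        return False, "certificate blocked"
    return True, "ok"


if __name__ == "__main__":
    fake = sign("YY-1", {"name": "Constructed Cartoon Name", "vaccinated": True})
    print(verify(fake))                      # signature alone cannot flag it
    BLOCKED_CERT_HASHES.add(cert_hash(fake))
    print(verify(fake))                      # blocked once reported
    REVOKED_KEY_IDS.add("YY-1")
    print(verify(sign("YY-1", {"name": "Constructed Holder", "vaccinated": True})))
```

Revoking a key rejects every pass it signed, legitimate ones included, which is why blocking individual certificates is the narrower remedy.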

The case is not completely closed because the origin of some fraudulent health passes remains a mystery. A vaccination certificate in the name of Mickey Mouse seems to have been signed by the French authorities, others by the Polish services, perhaps thanks to accomplices among health professionals. The two countries have launched an investigation, the European Commission said.

In September, the QR codes of the real health passes of Emmanuel Macron and Edouard Philippe were disseminated on social networks: the first by caregivers who, according to Health Insurance, had consulted the President’s vaccination file, and the second by Internet users who had managed to scan it from a press photo.

