"Is there anything like this in the Department of Document Forgery of Seoul National University?"


Do you remember this scene from the beginning of director Bong Joon-ho's film Parasite?



Gi-woo needed a 'fake certificate' to get a tutoring job with a rich family.

Kijeong turns Gi-woo into a prestigious university student in an instant with her so-called 'Photoshop job'.

The rich family, so easily deceived by this 'poor' manipulation and this 'poor' fake, draws laughs.



By the way, what about our government?

Certificates with government stamps should be particularly secured and thoroughly verified.

Unfortunately, until some time ago, our government was no different from the rich family in the movie.



It was on Sunday morning that reports of security vulnerabilities in government-created applications came in.

The electronic vaccination certificate app called 'COOV', released by the Korea Centers for Disease Control and Prevention on the 15th of last month, could be manipulated to show a person as vaccinated when they had never received a vaccine.




The disease control agency publicized the launch of this app by distributing a press release at the time.

It firmly stated that 'we fundamentally prevent forgery and alteration of certificates'.

It said it had applied 'blockchain', which is popular these days, and 'distributed identity authentication (DID)' technology, which even has a difficult name.


▶ Shortcut to the Korea Centers for Disease Control and Prevention press release



While reading the technical details of how the app works, I thought at the time, 'You did some work.'

Because I remembered this, 'Ah, no way...' was, of course, the first thing I thought.



Even so, I asked for a few fake QR codes to be sent on the fly to prove that I was vaccinated.

When I was about to get up to go to the bathroom for a moment, the messenger window rang.




I pointed the app's recognition camera at the freshly made fake QR code that had just arrived.

It was the first time I saw with my own eyes that a government app could be breached so easily.

My mind flashed.

'Can this be so lax?'

I even broke into a cold sweat from the sense of dismay.



We also requested cross-validation from professors who study related fields and specialized companies that provide blockchain security technology.

The result was the same.

"It's a part that I didn't pay attention to because I thought it couldn't be."


"Honestly, I was very disappointed. Still, it was made by the government..."


This is what the informant confessed to me after meeting in person and finishing the demonstration of manipulating fake certificates.

I didn't know it was literally 'this much'.




The procedure for proving vaccination with the government app can be summarized in the 4 steps below.


1) Download the 'COOV' app.


2) Turn on the app and authenticate yourself.


3) Click the issue button to download the vaccination certificate.

(People who have not been vaccinated will see 'There is no certificate available')


4) Open the QR code of the certificate and authenticate with another person's mobile phone camera.

(Same as reading the QR code for access registration when entering the restaurant)


As of this writing, I haven't been vaccinated yet, and if I follow the formal procedure, I shouldn't be able to proceed further in step 3.

However, you can easily create a fake certificate, and the app will recognize it just like a formal certificate.

The fake certificate was generated simply by using the 'source code' released by the government and private companies affiliated with the government.

Since the app did not verify who issued the certificate, that is, the 'issuing entity', even a fake certificate issued by anyone could pass the verification process.
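
The missing issuer check described above, as an added Go example that is not from the article or from COOV's code: a simplified model in which the `Credential` and `Registry` types, the `did:example:` identifiers and the open key registry are all assumptions made for illustration. It compares a verifier that accepts any validly signed credential with one that also requires the issuer to be on a pinned trust list.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Credential is a simplified, hypothetical model, not COOV's real format.
type Credential struct {
	Issuer string // identifier of whoever signed the credential
	Claim  string
	Sig    []byte
}

// Registry stands in for an open ledger where anyone may publish a key.
type Registry map[string]ed25519.PublicKey

func payload(c Credential) []byte { return []byte(c.Issuer + "|" + c.Claim) }

func Issue(issuer, claim string, priv ed25519.PrivateKey) Credential {
	c := Credential{Issuer: issuer, Claim: claim}
	c.Sig = ed25519.Sign(priv, payload(c))
	return c
}

// VerifySignatureOnly models the flaw: any registered signer is accepted.
func VerifySignatureOnly(c Credential, reg Registry) bool {
	key, ok := reg[c.Issuer]
	return ok && ed25519.Verify(key, payload(c), c.Sig)
}

// VerifyTrustedIssuer adds the missing check: the issuer must be pinned.
func VerifyTrustedIssuer(c Credential, reg Registry, trusted map[string]bool) bool {
	return trusted[c.Issuer] && VerifySignatureOnly(c, reg)
}

// Demo runs both verifiers over constructed credentials.
func Demo() (weakGenuine, weakSelf, strictGenuine, strictSelf bool) {
	authPub, authPriv, _ := ed25519.GenerateKey(nil)
	anyPub, anyPriv, _ := ed25519.GenerateKey(nil)
	reg := Registry{"did:example:authority": authPub, "did:example:anyone": anyPub}
	trusted := map[string]bool{"did:example:authority": true}
	genuine := Issue("did:example:authority", "vaccinated", authPriv)
	selfIssued := Issue("did:example:anyone", "vaccinated", anyPriv)
	return VerifySignatureOnly(genuine, reg), VerifySignatureOnly(selfIssued, reg),
		VerifyTrustedIssuer(genuine, reg, trusted), VerifyTrustedIssuer(selfIssued, reg, trusted)
}

func main() { fmt.Println(Demo()) }
```

Both credentials carry a mathematically valid signature; only the trust-list comparison separates the authority's credential from the self-issued one.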



This is a bit sudden, but I like curry.

It's difficult to cook and eat from scratch, so I enjoy instant curry.

Making a 'fake certificate' with a government stamp on my own was possible faster than making a 3-minute curry.




On May 2nd, SBS quickly created a 'Fake Kim Deok-Hyeon' who had received the AstraZeneca vaccine. As I figured out what was wrong and sorted it out in easier terms, my dismay grew. A very obvious, common-sense process was simply not there.



I also said this on the 8 o'clock news that day: all of this was possible for a college undergraduate majoring in computer science.


▶ [Exclusive] He said that forgery or alteration is impossible...



Why is it getting more and more heartbreaking to wonder whether to commend the whistleblowers for their excellence and promise in discovering the surprising fact that this is so easily possible and can't be filtered out?



** In the second reporter's file that follows, I will focus on the government's failure to confirm the loopholes that remained after the app was updated following the SBS report, the reaction it showed when informed of this, and the direction for future improvement.