Real fake QR codes

Since Wednesday, some Internet users have claimed on forums and social networks to hold the secret cryptographic keys used to generate valid QR codes for the European health pass.
This code contains the identity of its holder and information on his vaccination status or immunity.
As proof, these users have created valid codes with fanciful names, such as Adolf Hitler or SpongeBob.
It is possible to generate valid and signed #PassSanitaire for #COVID19 through exposed servers.
This is how the real-fake QR Codes of Adolf Hitler, SpongeBob or Mickey Mouse were generated.
Example of a valid QR, pic.twitter.com/jLDcPoqkgS
- Xiloe (@Xiloeee) October 28, 2021
SpongeBob was able to go to work today with his pass!
Squidward is surprised to see him at work after the other day's discussion about the pass being mandatory for work #nogreenpass #GreenPassBucato #LGBT pic.twitter.com/1qBU9wKAxw
- Justin Time 🧱 (@JustinT37781594) October 28, 2021
After several days of these real-fake health passes circulating, European countries ended up revoking the poorly protected cryptographic keys, while the French and Polish authorities have launched an investigation.
"We are well aware of suspected fraudulent manipulation of the QR code of the European Covid certificate," said a spokesperson for the European Commission on Friday.
A flaw in North Macedonia
The private encryption keys were not compromised, however, the European Commission insisted; it rules out a technical failure and instead denounces "illegal activity".
In some cases, “the certificates were generated by people with valid credentials to access national IT systems,” says the institution.
But according to experts, web portals, including that of North Macedonia (a country outside the EU but integrated into the European health system since August), also lacked the most basic protections and generated many fraudulent codes.
"Each country has one or more signatures, and in each pass, we find the key by which it was signed," explained Gaëtan Leurent, cryptography researcher at the National Institute for Research in Digital Sciences and Technologies.
For the system to work, all the servers used to sign the pass must be properly protected.
"If a service stays open and signs anything, in practice it's a bit the same thing" as if the key had been stolen, he added.
A mysterious vaccination certificate in the name of Mickey Mouse
To remedy the flaw, the member states of the eHealth network, which covers public health across the European Union, have agreed to "block the two fraudulent certificates so that they are considered invalid by verification applications".
The Macedonian portal has also been deactivated.
In France, the TousAntiCovid Verif application was updated on Thursday morning.
The case is not completely closed because the origin of some fraudulent health passes remains a mystery.
A vaccination certificate in the name of Mickey Mouse seems to have been signed by the French authorities, others by the Polish services, perhaps thanks to complicity among health professionals.
The two countries have launched an investigation, the European Commission said.
In September, the QR codes of the real health passes of Emmanuel Macron and Edouard Philippe were circulated on social networks: the first by caregivers who had consulted the President's vaccination file, according to Health Insurance, and the second by Internet users who had managed to scan it from a press photo.