Dozens of fraudulent health passes generated: investigation into a huge European flaw

[Numerama investigation] Numerama has discovered several publicly accessible sites that allow the creation of European health passes. Some of the QR codes generated were considered “valid” by the verification applications. Internet users have had fun creating fake passes for SpongeBob or Adolf Hitler. Although a public key linked to Macedonia is involved, it is not yet possible to measure the extent of the failure.

This could be one of the most sensitive cases concerning the creation and use of health passes across Europe.

Several websites allowing the creation of QR codes were, for a few days, publicly accessible on the web to anyone who had the link, without any verification step or additional security measure. At least one of them made it possible to generate vaccination certificates that were accepted as authentic in the European Union.

Numerama, for example, was able to access an English-language site and verify that it did indeed generate fake health passes, which were certified as valid. We were also able to see that several other sites, similar in form but in other languages (Vietnamese, for example), were still online at the time of publication.

A fake health pass generated by one of the publicly accessible sites

During our investigation, we were able to verify that it was possible to generate functional QR codes as well as PDFs similar to those in circulation in the European Union, known as the EU Digital COVID Certificate. All the information entered in the form was, however, invented, and no supporting evidence was requested at any stage of filling it in.

Several of them were displayed as “valid” when scanned by the TousAntiCovid-Verif application, which is used to verify the authenticity of a certificate. As things stand, this would allow anyone to enter places open to the public that require a valid health pass in France, or to travel freely, with a fake pass.

Some false health passes generated were indicated as “valid” in TousAntiCovid

A site of maddening simplicity, without any verification

The site we accessed, bearing the European Union flag, is surprisingly banal: a home page lets you choose whether you want to generate a vaccination certificate, a certificate of recovery or a certificate attesting to a negative Covid test. These are the three different elements that can constitute a valid health pass.

The form used to create a QR code requires several mandatory fields: last name, first name, date of birth, date of injection, which vaccine, and which issuing country. Then… that's it. No additional validation step or identity check is required: you get direct access to a health pass that is, on its face, in order.

The home page of one of the sites used to issue health passes

How was a publicly accessible and unprotected site able to create certified, validated health passes? We have retraced this incredible story, which still has its grey areas.

What is Macedonia doing in this story?

The site that Numerama accessed allowed, until this morning, the creation of functional health passes signed with a key whose public part we traced back to North Macedonia. Several fake health passes that had been circulating online since the day before, and which we found (including an Adolf Hitler born in 1989, a SpongeBob and a Joe mama), carried the same Macedonian signing key. They were most likely issued from the same site as the one we accessed.

Fortunately, this site has no longer been accessible since 10:30 am today. A very important change has also taken place: the Macedonian public key in question has been changed.

The public key can be traced back to Macedonia by reading the more precise information in the QR Code

Consequently, the TousAntiCovid-Verif application, which reported our fraudulent health pass as “valid” in the morning, now reports the QR code as invalid. According to information @Gilbsgilbs shared with us, one of the implicated Macedonian keys, which had been added on September 15, was indeed revoked on October 28.

One of the fake health passes generated was indicated “invalid” in TousAntiCovid

Other evidence can be traced back to Macedonia: the site we used on October 28 now links to an official Macedonian site dedicated to vaccination.

What is a public key?

The QR codes of health passes contain more information than the TousAntiCovid-Verif app displays. Using scripts, or a dedicated website, makes it possible to read it, and in particular to obtain information on the electronic signature certificate.

This certificate holds the public key used to verify a QR code's signature, and therefore its authenticity, as explained last June in a Twitter thread by the IT engineer @gilbsgilbs, who has been dissecting the security details of the health pass for several months. Each authorized organization derives these public keys from private keys. We can read the public key information carried in the QR code through scripts, or more simply via sites like Sanipasse, and therefore understand where the health pass comes from. But these public keys do not reveal the private keys, which remain confidential.
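To make concrete what a verifier app actually checks, and why revoking the Macedonian key turned a “valid” pass into an “invalid” one without touching the pass itself, here is an added example. It is not Numerama's code nor that of any official verifier: a small Go model of a national signing authority, the trust list a verifier downloads, and the signature check. The `SignedPass` type stands in for the real COSE_Sign1 structure, the KID derivation is simplified (a hash of the DER public key rather than of the issuer's X.509 certificate), and the country codes and payload are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Issuer models a national signing authority (constructed for this example):
// it keeps a private key and publishes the matching public key under a KID.
type Issuer struct {
	Country string
	KID     string
	Pub     *ecdsa.PublicKey
	priv    *ecdsa.PrivateKey
}

// SignedPass is a stand-in for a COSE_Sign1 health-pass message: the protected
// header carries the KID, the payload holds the certificate data, and the
// ES256 signature covers both.
type SignedPass struct {
	KID       string
	Payload   []byte
	Signature []byte
}

// TrustList is what a verifier app downloads: KID -> trusted public key.
// Revoking a key simply means removing its KID from this list.
type TrustList map[string]*ecdsa.PublicKey

// NewIssuer generates a P-256 key pair and derives a KID from it.
// Simplification: the real KID is the first 8 bytes of SHA-256 over the
// issuer's DER-encoded X.509 certificate; here we hash the DER public key.
func NewIssuer(country string) (*Issuer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der)
	return &Issuer{Country: country, KID: hex.EncodeToString(sum[:8]), Pub: &priv.PublicKey, priv: priv}, nil
}

// sigInput binds the KID to the payload so a pass cannot be re-labelled with
// another issuer's KID after signing (COSE does this with its Sig_structure).
func sigInput(kid string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(kid))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// Sign produces a pass for the given certificate payload.
func (i *Issuer) Sign(payload []byte) (SignedPass, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, i.priv, sigInput(i.KID, payload))
	if err != nil {
		return SignedPass{}, err
	}
	return SignedPass{KID: i.KID, Payload: payload, Signature: sig}, nil
}

// Verify is the check a verifier app performs: look the KID up in the trust
// list, then verify the signature with that key. No private key is needed.
func Verify(tl TrustList, p SignedPass) (bool, string) {
	pub, ok := tl[p.KID]
	if !ok {
		return false, "KID not in trust list (unknown or revoked key)"
	}
	if !ecdsa.VerifyASN1(pub, sigInput(p.KID, p.Payload), p.Signature) {
		return false, "signature does not verify"
	}
	return true, "valid"
}

// RunScenario replays the article's sequence: a pass signed with a listed key
// is valid, becomes invalid once that key is revoked, and a pass signed with a
// key the verifier never trusted is invalid from the start.
func RunScenario() (beforeRevoke, afterRevoke, untrusted bool, err error) {
	mk, err := NewIssuer("MK") // stands in for the Macedonian key
	if err != nil {
		return
	}
	rogue, err := NewIssuer("XX") // key pair never published to any verifier
	if err != nil {
		return
	}
	tl := TrustList{mk.KID: mk.Pub}

	// Constructed payload; a real one is a CBOR map with name, dob, vaccine data.
	payload := []byte(`{"nam":"SQUAREPANTS SPONGEBOB","dob":"1989-01-01","v":"example-vaccine"}`)
	pass, err := mk.Sign(payload)
	if err != nil {
		return
	}
	beforeRevoke, _ = Verify(tl, pass)

	delete(tl, mk.KID) // revocation: verifiers drop the key at their next update
	afterRevoke, _ = Verify(tl, pass)

	forged, err := rogue.Sign(payload)
	if err != nil {
		return
	}
	untrusted, _ = Verify(tl, forged)
	return
}

func main() {
	a, b, c, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("before revocation: %v, after revocation: %v, untrusted key: %v\n", a, b, c)
}
```

Two things the model makes visible: the verifier never sees a private key, so a pass whose signature checks out only proves that someone with access to the listed private key signed it, not that the data is true; and revocation is purely a trust-list change, which is why every pass ever signed with the withdrawn key, legitimate or not, fails together once verifiers update. A real verifier additionally decodes the base45/zlib/CBOR layers and checks expiry and the certificate content, which this model leaves out.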

“I offer European Covid passports at 300 dollars”

Where the story gets more complex is that some of the fake health passes circulating online are not linked to Macedonia but to other countries. They would therefore not have been generated from the same site as the one Numerama had access to. This could mean that there are several different points of vulnerability in this affair.

It all started several days ago, on October 24, on a forum specializing in the sale of stolen data, well known to hackers. The thread, in English and started in July, is soberly titled “Making EU Green Pass”, a reference to the European health pass. A user posts a message, since deleted: “I offer European covid passports with entry as vaccinated in Poland. The price is $300 per unit.” An interested party offers to buy 5, but first asks him to make one in the name of “Adolf Hitler”, to prove that it is not a scam. Which the seller does.

Numerama scanned this QR code in TousAntiCovid-Verif, the official French verification application: it shows a pass deemed valid, for a person born in 1930 and vaccinated in Poland with one dose of the Janssen vaccine.

However, this Polish key is not the same as the Macedonian key. When you scan this fake “Polish” health pass with TousAntiCovid-Verif, the app still says that the pass is valid. It has, however, been manually flagged as fraudulent, which seems logical given that the QR code in question has been circulating on many forums for several days.

What hypotheses?

Besides this fake health pass linked to a Polish public key, we have identified two other health passes created in recent days that appear to be fraudulent, and they carry… the same French public key. A third Adolf, born in 1900, and a Mickey Mouse, born in 2001. These are also still valid at the time of writing, but they too have been manually flagged as fraudulent.

Several hypotheses, more or less probable, coexist to explain this situation.

For a few days now, hackers have been claiming on stolen-data marketplaces to have obtained one or more European private keys, which would make it possible to create valid health passes at will. Such a compromise would undermine the legitimacy of all the public keys linked to those private keys, and could go as far as forcing the authorities to cancel and then reissue all the passes concerned.

This is precisely what happened in North Macedonia, whose private key was not compromised but had to be revoked because fake passes were being freely produced with it. But @Gilbsgilbs qualifies this for Numerama: “It is not possible to know how many people are affected by the deletion, maybe 0, maybe thousands. The revoked (Macedonian) key was fairly recent.” The technical difficulty of an attack that would give access to the keys makes this possibility seriously doubtful (a brute-force attack, for example, seems highly unrealistic). Here, it is more likely the discovery of a poorly secured public site, rather than a compromise, that led to such a decision by the authorities.

One detail that points towards another possibility is that none of the generated passes has a date of birth before 1900, the minimum value allowed by forms such as the one Numerama was able to consult in the Macedonian case. It was impossible, for example, to enter the German dictator's real date of birth. A hacker with direct access to the private keys, on the other hand, could technically have done so.

For the French and Polish cases, there is no certainty. These passes could, for example, simply come from healthcare workers who created profiles for people who do not exist. In France, for example, a healthcare worker can create a profile for a person who is not covered by health insurance. As the health insurance guide explains, a healthcare worker must in principle check the information against an identity document when creating a health pass, but nothing prevents a malicious act.

However, the timing raises questions, because all the passes were generated within a few days. Worse than a prankster healthcare worker, it is possible that computers with access to these forms were hacked. This is what a group of hackers claims on one of the forums we consulted, though Numerama has not been able to verify this assertion.

Asked about the matter on the evening of October 27, the Ministry of Digital Affairs and the National Agency for the Security of Information Systems (ANSSI) had not yet responded with a comment.

This article was produced in collaboration with Marie Turcan

If you have any information on the subject, you can contact us at [email protected] or [email protected]

Main photo credit: Melvyn Dadure for Numerama

