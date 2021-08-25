Our health pass contains a lot of data, which can sometimes be misused. Here are the risks they run, and some solutions to remedy them.

Generalized since August 9 for French citizens, the health pass has brought QR code technology up to date. In this small digital checkerboard resides the information necessary to move freely in the establishments or means of transport concerned, but also to travel abroad. And in fact, our pass contains a lot of information.

In addition to the identity -names, first names, date of birth-, for the vaccinated the number of doses received, the number of doses needed to complete the vaccination cycle, the status of the vaccination cycle (complete or not) are found there. , the date of the last injection, the brand and name of the vaccine, and its prophylactic agent. In short, a sort of health book that speaks volumes, and can be worth gold in certain unscrupulous markets.

According to cybersecurity specialist Florian Maury, “health passes themselves continue to pose personal data security problems, since they contain data contrary to the law of May 31, and that of August 5. In fact, they do not follow the precept of data minimization required by the GDPR and mentioned in the Cnil opinion of May 12. ” Concretely, the cybersecurity specialist specifies that the pass contains too much information compared to what is asked of him.

In fact, immunization information can sometimes be necessary, for example to travel abroad. The government has opted for the use of a single pass for technical reasons, although this vaccine information is unnecessary for daily activities (bars, cinemas or restaurants).

In France and in everyday life, the law of August 5 effectively provides that “the presentation, on paper or in digital format, of documents (here, the health pass) is carried out in a form which only allows authorized persons or services to ensure the control of knowing the data strictly necessary for the exercise of their control. “Who, then, can have access to this information?

Guardrails

To enable QR codes to be checked, the government has proposed the TousAntiCovid Verified application. It was developed by IN groupe, the former national printing press, wholly owned by the State. This application was created to meet specific criteria: to allow controllers to check the validity of the pass, without having access to all the information it contains.

Thus, when a restaurateur scans a QR code with TousAntiCovid Verified, he only sees the first and last names, date of birth, and the words “valid” or “invalid” displayed. He therefore does not have at his disposal any of the information related to a possible vaccination, necessary for certain border controls: some destinations indeed require to know the type of vaccine to let people enter their territory.

On August 7, the government announced the possibility of using other apps to run pass checks. Primarily intended for airlines or the SNCF so that they can set up a system pooling ticket and pass controls, this relaxation immediately made the CNIL react. For the Commission, accepting the use of other control applications requires guarantees.

Check the controls

On August 10, the CNIL urged the government to “ensure that alternative reading devices to the TousAntiCovid Verified application comply with the conditions set by order of the Minister responsible for health before use by those in charge of control”. Among these provisions, we find the prohibition to post more information than necessary. A third-party application intended for restaurateurs will therefore not be able to display data related to the vaccination.

“Companies wishing to access alternative control applications to TousAntiCovid Verified will be able to call on service providers to develop them. The latter will have to comply with the Ministry of Health and Solidarity, which is due to publish shortly. specifications to supervise these applications “, clarifies to BFMTV Armand Heslot.

If the entities issuing control systems must actually register with the ministry, nothing strictly speaking prevents an establishment from using a QR code reader which can read all the data contained in the pass.

Towards a lighter pass?

The problem does not always lie in checking the QR code itself. As the cybersecurity specialist showed Florian Maury or our colleagues from Release, the manipulation to access this data is elementary.





The data contained in the QR code is not encrypted. Anyone, with a little research, can use – illegally – an alternative QR code reader, then decode the data it contains with a specific script, which developer Gilbsgilbs presents here:

For a few weeks now, the TousAntiCovid application has itself made it possible to directly scan a QR Code serving as a health pass to save it and use it later. Until then, it was imperative to scan a second dedicated QR Code, displayed on the test or vaccination results, now useless. In fact, the use of TousAntiCovid (by mistake or to “siphon” passes) constitutes an additional risk, accentuated by the possible confusion with the TousAntiCovid Verif application.

“There are always abuses and malicious people,” regrets Eric Fleury, director of the Inria research center in Paris. “Obviously, these questions push us to move towards a pass that would contain less information”, continues the director.

The user must remain in control of his data

Despite all the recommendations of the CNIL, the first step to secure their personal data must be undertaken by the user. It is therefore essential to never disclose your QR code on social networks, or to check the application used during a control.

Precautions that even the government can forget to take: on August 10, during the last update of the TAC application, a “witness” pass in the name of Jean-Specimen Barbier was proposed. If the TousAntiCovid application specifies that this pass appears to be fraudulent, no mention is made of it when it is scanned with TousAntiCovid Verified. A situation which could however change soon with new protective measures.

The revocation list

With the proliferation of fraud identified since the generalization of the health pass, measures are needed. It is in this context that Cédric O, the Secretary of State in charge of digital, mentioned a “blacklist” listing the passes used illegally. A database which would be regularly sent to the servers of TousAntiCovid and TousAntiCovid Verif in order to cancel the validity of QR Codes used fraudulently.

Since this announcement, Piotr Chmielnicki, cybersecurity consultant, has kept a list of digital fingerprints of revoked passes based on information provided by the government: only 12 have been identified to date.

In fact, lists are well implemented in application code. Only, they are still not deployed. “Without the green light from the CNIL, we cannot set up blacklists”, explains Eric Fleury, director of the Inria research center in Paris.

On August 12, more than 200 fake health passes were reportedly generated by hackers who infiltrated Medicare accounts held by doctors. They are still in the wild to this day. According to Piotr Chmielnicki, cybersecurity consultant, “the difficulty in identifying these passes is one of the causes that may prevent their revocation”. It remains to be seen what measures the ministry will take to ensure that these passes are, as Cédric O announced, rendered unusable.