FRAUD – France and Poland have opened an investigation after fraudulent but valid health passes, bearing names such as Hitler and SpongeBob, circulated in several European countries.

A security breach in North Macedonia made it possible to create valid health passes bearing names such as Adolf Hitler and SpongeBob SquarePants. According to a European Commission spokesperson speaking on Friday, October 29, the European Union “has knowledge of suspected fraudulent manipulation of the QR code of the European Covid certificate”. To stop this scourge, European countries ended up revoking poorly protected cryptographic keys, and the French and Polish authorities opened an investigation.

Since Wednesday, October 27, Internet users have claimed on forums and social networks to hold secret cryptographic keys used to generate valid QR codes for the European health pass. The code contains the identity of its holder as well as information on their immunity or vaccination status. To prove this security flaw, some have had fun creating valid codes with names that are surprising to say the least, such as Adolf Hitler or SpongeBob SquarePants. However, the European Commission has asserted that the private encryption keys were not compromised and ruled out a technical failure, denouncing an “illegal activity”.

Poorly protected Internet portals are the source of this new flaw

According to experts, this new breach in the security of European health passes reportedly originates from Internet portals, including that of North Macedonia, whose lack of protection allowed the creation of many fraudulent QR codes. Gaëtan Leurent, cryptography researcher at the National Institute for Research in Digital Sciences and Technologies, indicated that “each country has one or more signatures, and in each pass, we find out which key it was signed with”. He added in particular that for the system to work, the servers used to sign the passes must be properly protected.

To stop this security breach, the member states of the eHealth network have planned to “block the two fraudulent certificates so that they are considered invalid by the verification applications”, and the Macedonian Internet portal has also been deactivated. But the case is not yet closed. The origin of some fraudulent vaccination certificates remains a mystery. A health pass in the name of Mickey Mouse seems to have been signed by the French authorities, and others by the Polish services. Health professionals are suspected of being complicit. Paris and Warsaw have therefore launched an investigation. This is not the first time that flaws have appeared in the system for creating vaccination certificates. As a reminder, last September, the QR codes of the real health passes of Emmanuel Macron and Édouard Philippe were circulated on social networks.

