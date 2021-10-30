Internet users claim to have the secret cryptographic keys used to generate a valid QR code for the European health pass

After several days in which fraudulent vaccination passes circulated, European countries ended up revoking poorly protected cryptographic keys. “We are well aware of suspected fraudulent manipulation of the QR Code of the European Covid certificate,” said a spokesperson for the European Commission on Friday.

Since Wednesday, some Internet users have claimed on forums and social networks to hold the secret cryptographic keys used to generate a valid QR code for the European health pass. The code contains the identity of its holder and information on their vaccination status or immunity. As proof, these users posted valid codes issued to fanciful names, such as Adolf Hitler or SpongeBob SquarePants.

“Illegal activity”

However, the private signing keys have not been compromised, the European Commission assured, ruling out a technical failure and denouncing instead an “illegal activity”. But according to experts, several national internet portals, including that of North Macedonia (a country outside the EU whose certificates are accepted in the European system), also lacked the most basic protections and made it possible to generate many fraudulent codes.

“Each country has one or more signatures, and in each pass, we find the key by which it was signed”, explained Gaëtan Leurent, cryptography researcher at the National Institute for Research in Digital Sciences and Technologies (Inria). For the system to work, every server used to sign passes must be properly protected. “If a service remains open and signs anything, in practice it’s a bit the same thing” as if the key had been stolen, he added.

An investigation in France

To remedy the flaw, the member states of the eHealth Network, the EU-wide body of national public-health authorities, have agreed to “block the two fraudulent certificates so that they are considered invalid by verification applications”. In France, the TousAntiCovid Verif application was updated on Thursday morning.

The eHealth network will also work on “improving invalidation and revocation systems, in order to be able to react even more quickly to such cases”.
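To make Leurent’s description concrete (a key identifier in each pass that a checking app resolves against its trust list of national keys) and to show the two ways the eHealth Network can invalidate a pass (blocking an individual certificate, or withdrawing a whole key), here is an added example in Go. It is not part of the article and not the code of any national app or of the EU reference implementation. It is a deliberate simplification: the real certificate is a CBOR/COSE message, zlib-compressed and base45-encoded inside the QR code, whereas this stand-in uses a plain struct and JSON; the names, certificate identifiers (UVCIs) and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Envelope stands in for the COSE_Sign1 message inside a real pass's QR code
// (assumption: the real one is CBOR/COSE, zlib-compressed and base45-encoded).
type Envelope struct {
	KID     string // key identifier carried in the protected header
	Payload []byte // certificate body, JSON here
	Sig     []byte // ECDSA P-256 signature over toBeSigned()
}

type Certificate struct {
	Name string `json:"nam"`
	UVCI string `json:"ci"` // unique certificate identifier
}

// Verifier is what a checking app carries: a trust list keyed by kid and revocation lists.
type Verifier struct {
	Trusted      map[string]*ecdsa.PublicKey // kid -> national public key
	RevokedKeys  map[string]bool             // whole keys withdrawn
	RevokedCerts map[string]bool             // individual passes blocked by UVCI
}

// KeyID follows the real scheme: first 8 bytes of SHA-256 over the signer's DER (the real kid hashes the X.509 certificate).
func KeyID(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a P-256 key
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// toBeSigned mirrors the COSE Sig_structure; binding the kid in stops relabelling a signature under another trusted key.
func toBeSigned(kid string, payload []byte) []byte {
	tbs, _ := json.Marshal([]interface{}{"Signature1", kid, payload})
	h := sha256.Sum256(tbs)
	return h[:]
}

// Issue is the national signing service: it signs whatever it is handed.
func Issue(priv *ecdsa.PrivateKey, cert Certificate) (Envelope, error) {
	payload, _ := json.Marshal(cert)
	kid := KeyID(&priv.PublicKey)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, toBeSigned(kid, payload))
	return Envelope{KID: kid, Payload: payload, Sig: sig}, err
}

// Verify is the checking app: resolve the kid, reject revoked keys, check the signature, then blocked UVCIs.
func (v *Verifier) Verify(env Envelope) (*Certificate, error) {
	pub, ok := v.Trusted[env.KID]
	if !ok {
		return nil, fmt.Errorf("unknown signing key %s", env.KID)
	}
	if v.RevokedKeys[env.KID] {
		return nil, fmt.Errorf("signing key %s has been revoked", env.KID)
	}
	if !ecdsa.VerifyASN1(pub, toBeSigned(env.KID, env.Payload), env.Sig) {
		return nil, fmt.Errorf("signature does not verify")
	}
	var cert Certificate
	if err := json.Unmarshal(env.Payload, &cert); err != nil {
		return nil, err
	}
	if v.RevokedCerts[cert.UVCI] {
		return nil, fmt.Errorf("certificate %s has been revoked", cert.UVCI)
	}
	return &cert, nil
}

// Scenario replays the article with constructed data: one trusted national key signs a
// genuine pass and, through an unprotected signing service, a bogus one; the bogus
// UVCI is blocked first, then the whole key is revoked.
func Scenario() map[string]bool {
	national, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	kid := KeyID(&national.PublicKey)
	v := &Verifier{map[string]*ecdsa.PublicKey{kid: &national.PublicKey}, map[string]bool{}, map[string]bool{}}
	genuine, _ := Issue(national, Certificate{"Doe, Jane", "URN:UVCI:01:XX:1#A"})
	bogus, _ := Issue(national, Certificate{"SquarePants, SpongeBob", "URN:UVCI:01:XX:2#B"})
	accepts := func(e Envelope) bool { _, err := v.Verify(e); return err == nil }
	out := map[string]bool{"genuine": accepts(genuine), "bogus": accepts(bogus)}
	v.RevokedCerts["URN:UVCI:01:XX:2#B"] = true // targeted: block one known bogus pass
	out["genuine, bogus blocked"], out["bogus, bogus blocked"] = accepts(genuine), accepts(bogus)
	v.RevokedKeys[kid] = true // blunt: the key goes, and every genuine pass signed with it
	out["genuine, key revoked"], out["bogus, key revoked"] = accepts(genuine), accepts(bogus)
	return out
}

func main() {
	fmt.Println(Scenario())
}
```

Running Scenario shows the point behind Leurent’s remark: the bogus pass produced by an open signing service verifies exactly like a genuine one, because the checking app only sees a valid signature under a kid that is on its trust list. Blocking the known UVCI removes that one pass and leaves the genuine one valid; revoking the key removes every pass it ever signed, genuine ones included. A pass signed by a key that is not on the trust list, or one whose kid or payload is altered after signing, fails at the kid lookup or the signature check. That trade-off between targeted blocking and blunt key withdrawal is what finer-grained, faster invalidation and revocation mechanisms are meant to ease.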

The case is not completely closed, because the origin of some fraudulent health passes remains a mystery. A vaccination certificate in the name of Mickey Mouse appears to have been signed by the French authorities, others by Polish services, possibly with the complicity of healthcare professionals. Both countries have opened an investigation, the European Commission said.

In September, the QR codes of the genuine health passes of Emmanuel Macron and Édouard Philippe had been disseminated on social networks: the first by healthcare workers who had consulted the President’s vaccination record, according to the national health insurance fund (Assurance Maladie), and the second by Internet users who had managed to scan it from a press photo.