Date: 2021-10-31

The case is already proving sensitive for European governments. For several days, countries have been confronted with the circulation of fake vaccination health passes. The scale of the phenomenon remains difficult to measure, but it has already prompted several states, including France, to launch an investigation. Explanations.

What happened?

For several days now, some internet users have boasted on forums and social networks of holding the secret cryptographic keys used to generate valid QR codes for the European health pass. The European Commission has admitted being aware of these “fraudulent manipulations”.

As Numerama reveals, several sites allowing the creation of QR codes were accessible on the web for several days to anyone who had the link, without any verification step. In practice, anyone could obtain a valid pass simply by entering invented data (last name, first name, date of birth, date of injection, which vaccine, etc.) into these sites' forms.

“It is not, however, strictly speaking a theft, because while the site generates real QR codes, the data of vaccinated people were not accessible”, explains Gaëtan Leurent, a cryptography researcher at the National Institute for Research in Digital Science and Technology, in Paris. Thus, some users have had fun creating valid codes under fanciful names, such as a certain SpongeBob, an Adolf Hitler (born in 1989) or a Mickey Mouse (born in 2001).

How can such a European flaw be explained?

Several hypotheses are on the table, but before going any further, a short explanation is in order. Each organization authorized to issue health passes (e.g. in France, the APHP, the Cnam, etc.) generates a private cryptographic key, which is kept secret, as well as a public key associated with this private key, which is distributed as widely as possible and is used to check the authenticity of the QR code. Each pass thus indicates which key it was signed with, and therefore where it comes from.

Several fraudulent passes were linked to a public key traced back to North Macedonia, a country outside the EU but integrated into the European health system, which raises the question of how porous certain internet portals are. But two passes, including that of Adolf Hitler, also carry a French public key. Fraud has therefore indeed taken place in France.



Here too, several scenarios are being studied. “It could first be an isolated act of a malicious caregiver, or the hacking of a caregiver’s computer or their Ameli Pro account that can generate QR codes”, explains the user and computer engineer @gilbsgilbs. According to the Directorate General of Health, the National Health Insurance Fund (CNAM) has already been able to identify a health professional card that is believed to have enabled this fraud in France.

What happens next?

The case is not completely closed, because the origin of some fraudulent health passes remains unknown. French and Polish authorities have launched an investigation. While waiting to learn more, the member states of the eHealth network (European Union-wide public health) have agreed to “block fraudulent certificates so that they are considered invalid by verification applications”. The Macedonian portal has also been deactivated.

In France, the TousAntiCovid Verif application was updated on Thursday morning. “All fraudulently issued passes have thus become retroactively invalid,” notes the engineer.
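The mechanism described above (issuer key pairs, then blocking of individual certificates) can be sketched as follows. This is an added example, not code from any real health pass application; the toy RSA keys, the key identifier "ISSUER-A", the pass fields and the hash-based blocklist are all assumptions made for illustration.

```python
import hashlib
import json

# Toy textbook RSA from two Mersenne primes: illustration only, NOT secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer's private exponent, kept secret

TRUST_LIST = {"ISSUER-A": (N, E)}      # constructed key id -> public key

def canonical(payload):
    return json.dumps(payload, sort_keys=True).encode()

def pass_id(cert):
    """Hypothetical blocklist identifier: hash of key id plus signed payload."""
    return hashlib.sha256(cert["kid"].encode() + canonical(cert["payload"])).hexdigest()

def issue(payload, kid="ISSUER-A"):
    """What an issuing portal does: sign whatever data it is given."""
    h = int.from_bytes(hashlib.sha256(canonical(payload)).digest(), "big") % N
    return {"kid": kid, "payload": payload, "sig": pow(h, D, N)}

def verify(cert, blocklist=frozenset()):
    """What a verifier app does: known key, valid signature, not blocked."""
    key = TRUST_LIST.get(cert["kid"])
    if key is None:
        return "unknown issuer"
    n, e = key
    h = int.from_bytes(hashlib.sha256(canonical(cert["payload"])).digest(), "big") % n
    if pow(cert["sig"], e, n) != h:
        return "bad signature"
    if pass_id(cert) in blocklist:
        return "blocked"
    return "valid"

# Constructed sample data.
genuine = issue({"name": "Example Patient", "dob": "1980-01-01", "dose": "2021-06-01"})
unchecked = issue({"name": "Invented Name", "dob": "2001-01-01", "dose": "2021-07-01"})
edited = dict(genuine, payload=dict(genuine["payload"], name="Someone Else"))
blocklist = {pass_id(unchecked)}

if __name__ == "__main__":
    print(verify(unchecked))             # signature cannot tell the data was never checked
    print(verify(edited))                # editing a signed pass breaks the signature
    print(verify(unchecked, blocklist))  # blocked individually
    print(verify(genuine, blocklist))    # same issuer key, still accepted
```

The signature only proves which key issued the pass, so a portal that signs unverified data produces passes that verify correctly until they are blocked one by one, while other passes from the same key remain valid.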

What precedents are there in France?

As early as last September, the QR codes of the health passes of Emmanuel Macron and Jean Castex had been circulated on social networks: the first by caregivers who had consulted the President’s vaccination record, according to Health Insurance, and the second by internet users who had managed to scan it from a press photo.