- Thierry Spanjaard
When secret keys go public…
According to several reports, EU Green Pass certificates, the QR codes used to prove one's Covid vaccination or negative test, are now on sale on hackers' forums and even on Telegram. The fraudsters generated certificates in the name of Adolf Hitler, with a birthdate set at January 1st, 1900, and also in the names of Mickey Mouse, SpongeBob and a few others. The issue is that these certificates are recognized as valid by the official Green Pass verification apps.
The EU Green Pass is the result of a quick and efficient standardization effort completed in the first half of 2021 by EU authorities. It is standardized across the whole EU and also supported by 18 other countries, including Albania, Israel, Morocco, Panama, Turkey and the UK. In this system, when a person recovers from Covid or receives the necessary vaccines, his/her certificate is valid starting 14 days after the latest injection; when a person receives a negative PCR test, he/she gets a certificate valid for 3 days. Each issuing body (e.g. a hospital, a test center, a health authority) has its own secret key. These secret keys are stored in a secure database in each country, and the corresponding public keys are exchanged between all stakeholders through an EU Gateway. On October 18th, 2021, the EU Commission published a release stating that more than 591 million certificates had been generated in 43 countries. Green Pass certificates are needed to travel across the EU and are also used domestically to grant access to large events, museums, restaurants and bars, etc. Verification of a certificate can be completed offline as long as up-to-date public keys have been downloaded into the verification app.
The question soon became: how could fraudsters issue fake certificates that the verification infrastructure recognizes as valid? The forged certificate samples appear to have been issued by France or Poland. According to Kaspersky, several theories arose as to how the certificates were generated. One theory alleges that the fraudsters had access to at least one secret key from France and one from Poland. This would mean that either the French and Polish private-key databases were compromised or a brute-force attack had succeeded, which sounds highly unlikely. It would also mean that all the Green Pass certificates issued by these two authorities could no longer be systematically considered authentic, and that the corresponding authorities would need to revoke the compromised private keys and reissue all the legitimate certificates. The Member States and the Commission are said to be working at the national and European level on improving invalidation and revocation systems.
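To make the trust model described above concrete (one key pair per issuing body, an offline verifier holding only the public keys distributed through the gateway, and key revocation as the only offline remedy), here is an added illustration written for this column; it is not code from the EU Green Pass project. It assumes a simplified certificate structure signed with ECDSA P-256 over SHA-256; the key identifier and holder data are constructed for the example, and the real CBOR/COSE encoding is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Certificate is a simplified stand-in for a pass (real ones are CBOR/COSE structures).
type Certificate struct {
	KID          string // identifier of the issuing body's signing key
	Payload, Sig []byte
}
// NewIssuerKey creates one issuing body's key pair; only the public half leaves the issuer, via the gateway.
func NewIssuerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Sign signs any payload: plausibility of the holder's data is the issuing system's job, not the scheme's.
func Sign(kid string, priv *ecdsa.PrivateKey, payload []byte) (Certificate, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Certificate{KID: kid, Payload: payload, Sig: sig}, err
}
// Verifier models the offline app: downloaded trusted public keys and revoked key IDs.
type Verifier struct {
	trusted map[string]*ecdsa.PublicKey
	revoked map[string]bool
}
func NewVerifier() *Verifier { return &Verifier{map[string]*ecdsa.PublicKey{}, map[string]bool{}} }
func (v *Verifier) Trust(kid string, pub *ecdsa.PublicKey) { v.trusted[kid] = pub }
// RevokeKey is the offline app's only lever against a misused key; it also voids
// every legitimate certificate that key signed, hence the need to reissue them.
func (v *Verifier) RevokeKey(kid string) { v.revoked[kid] = true }
// Verify accepts any payload with a valid signature from a trusted, unrevoked key.
func (v *Verifier) Verify(c Certificate) bool {
	pub, ok := v.trusted[c.KID]
	h := sha256.Sum256(c.Payload)
	return ok && !v.revoked[c.KID] && ecdsa.VerifyASN1(pub, h[:], c.Sig)
}

func main() {
	key, _ := NewIssuerKey()
	v := NewVerifier()
	v.Trust("FR-issuer-01", &key.PublicKey) // constructed key identifier
	fake, _ := Sign("FR-issuer-01", key, []byte(`{"name":"Mickey Mouse","dob":"1900-01-01"}`))
	fmt.Println(v.Verify(fake)) // true: a forgery signed with a legitimate key passes
	v.RevokeKey("FR-issuer-01")
	fmt.Println(v.Verify(fake)) // false, but so is every genuine pass signed with that key
}
```

The signature check only proves which key signed the payload, which is why a validly signed Mickey Mouse pass is accepted and why revoking the key is a blunt instrument that also voids every legitimate certificate it ever signed.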
Another theory supposes that the fraudsters have accomplices in France’s and Poland’s healthcare systems; in this case, it would be up to law enforcement agencies in both countries to find and arrest them.
According to Threatpost, a US-based publication specializing in the cybersecurity landscape, “French & Polish authorities found no sign of cryptographic compromise in the leak of the private key used to sign the vaccine passports and to create fake passes for Mickey Mouse and Adolf Hitler, et al.” The Commission’s statement said that the certificates were apparently generated “by persons with valid credentials to access the national IT systems, or a person misusing such valid credentials,” as quoted by Threatpost. “The incident has no impact on the security and integrity of the EU Gateway managed by the Commission,” they added.
A black market for Covid certificates had already existed for a few months, but until now the goods were either copies of authentic certificates, certificates improperly issued by legitimate authorities, or plain scams… As early as June 2021, German authorities had set up a special team to combat offers of certificates selling for EUR 100 on Telegram.
Part of the issue comes from the verification procedure. Paying with QR codes is common in China and many other places, but those payment applications only work in a fully online environment, since all the security controls are performed on the server side. Having all verification apps online in Europe was obviously impractical, so the offline solution had to be chosen. Also, the Green Pass certificate contains elements of the holder's identity that could be used to verify that a presented certificate is not simply a screenshot of someone else's. But it is impractical to verify the identity of each certificate holder at the entrance of a stadium or concert hall…
The current situation brings grist to the secure transaction industry's mill, as we reaffirm that an active chip is always more secure than a passive QR code…