Europe | Hitler, SpongeBob: epidemic of fraudulent health passports

(Paris) Faced for several days with the circulation of fake vaccination health passports, some of which bear the names of Adolf Hitler or SpongeBob, European countries have ended up revoking poorly protected cryptographic keys, while the French and Polish authorities have launched an investigation.



Manel MENGUELTI
Agence France-Presse

“We are well aware of suspected fraudulent manipulations of the QR Code of the European COVID-19 certificate,” said a spokesperson for the European Commission on Friday.

Since Wednesday, some Internet users have claimed on forums and social networks to hold the secret cryptographic keys used to generate a valid QR code of the European health passport.

This code contains the identity of its holder and information on their vaccination status or immunity.

As proof, these users have created valid codes with fanciful names, such as Adolf Hitler or SpongeBob SquarePants.

However, the private encryption keys have not been compromised, the European Commission assured AFP, ruling out a technical failure and instead denouncing an “illegal activity”.

In some cases, “the certificates were generated by people with valid credentials to access national IT systems,” says the institution.

But according to experts, internet portals – in particular that of North Macedonia (a country outside the EU, but integrated since August into the European health system) – also lacked the most basic protections and made it possible to generate many fraudulent codes.

“Each country has one or more signatures, and in each passport, we find the key by which it was signed”, explains Gaëtan Leurent, cryptography researcher at the National Institute for Research in Digital Sciences and Technologies.

Mickey Mouse

For the system to work, all servers used to sign passports must be properly protected. “If a service stays open and signs anything, in practice it’s a bit the same thing” as if the key had been stolen, he added.

To remedy the flaw, the member states of the eHealth network, the European Union-wide public health network, have agreed to “block the two fraudulent certificates so that they are considered invalid by verification applications”. The Macedonian portal has also been deactivated.

In France, the TousAntiCovid Verified application was updated on Thursday morning.

The eHealth network will also work on “improving invalidation and revocation systems, in order to be able to react even more quickly to such cases”.

The case is not completely closed, because the origin of some fraudulent health passports remains a mystery. A vaccination certificate in the name of Mickey Mouse seems to have been signed by the French authorities, others by the Polish services, perhaps thanks to complicity among health professionals.

The two countries have launched an investigation, the European Commission said. When contacted, the Directorate General of Health was not immediately able to confirm this.

In September, the QR codes of the real health passports of Emmanuel Macron and Édouard Philippe had been disseminated on social networks, the first by caregivers who had consulted the president’s vaccination file, according to the Health Insurance of France, and the second by Internet users who had managed to scan it from a press photo.
