
The private key used to sign EU Digital Covid certificates has reportedly been leaked and is being circulated on messaging apps and online data breach marketplaces.

The key has also been misused to generate forged certificates, such as those for Adolf Hitler, Mickey Mouse, Sponge Bob—all of which are being recognized as valid by the official government apps.

The Digital Covid certificate, or "Green Pass", helps European Union residents travel across borders seamlessly by proving that they have either been vaccinated against COVID-19, received a negative test result, or recovered from COVID-19.

Valid 'Adolf Hitler' Covid certificate generated

This week, users reported seeing the private key for EU Digital Covid certificates circulating on messaging apps such as Telegram.

The private key is used to sign the "Green Pass," the European Union's equivalent of a vaccine passport and/or proof of negative COVID-19 status, which helps travelers cross borders seamlessly.

"On various groups (Telegram mainly) are circulating several forged Green Pass with valid signature... There is the possibility that a database of private keys is compromised and this may [end] up in a break of the chain of trust in the Green Pass architecture," stated GitHub user Emanuele Laface.

Threat actors who can get their hands on the private key could easily forge digital certificates or QR codes that may then be recognized as 'legitimate' by the official government apps.

Such is the case for a fake Adolf Hitler Green Pass certificate, which was recognized as valid by the official Verifica C19 app, according to penetration tester reversebrain.

The penetration tester later reported that the forged certificates were no longer being recognized by the government's Verifica C19 app, indicating that the leaked private key had been revoked.

However, tests by BleepingComputer conducted today reveal that both the Android and iOS versions of the Verifica C19 app are still treating the QR code for the Adolf Hitler certificate as valid:

EU Digital Covid Certificate for Adolf Hitler recognized as valid (BleepingComputer)

Our tests were conducted with Verifica C19 app version 1.1.5, released October 19th on Google Play and October 26th on the Apple App Store.

Additionally, forged certificates for "Mickey Mouse," "Sponge Bob," and other fictional characters were successfully recognized by the app, as seen by BleepingComputer.

EU vaccination passports on sale for $300

BleepingComputer also observed multiple users posting private keys on underground forums and discussing methods to "make EU green pass."

"Recently the European Union is making the green pass mandatory for many activities. I see that there are several sites that can perfectly read the QR code by decrypting it. I wanted to know if someone is able to re-encrypt the data and generate a QR code; in short, generate a false green pass," asked one forum member.

Some traders are seen offering "Covid European passports with the entry as vaccinated in Poland," each at a price of $300.

Users trading keys and forged certificates on forums (BleepingComputer)

The QR codes contained in the EU Digital COVID Certificates include a digital signature to protect against their falsification. When the certificate is checked using the official apps, the QR code is scanned and the signature is verified.

The official government docs state that each issuing body, such as a hospital, a test centre or a health authority, has its own digital signing key, and that these private keys are stored in a secure database in each country. The verifier apps need only the matching public keys, which member states exchange through the EU Gateway.

It is also not clear whether the key compromise affects every EU country or only issuing bodies in certain countries.

According to the QR code data seen by BleepingComputer, the fake certificates circulating online appear to have been issued by bodies in different countries, including France, Germany, Italy, the Netherlands, North Macedonia and Poland, indicating the issue could very well affect the entire EU.

EU Government aware and investigating the 'malicious act'

BleepingComputer reached out to CERT teams of different EU nations and it seems the issue is being investigated:

"We are aware of alleged fraudulent manipulations of EU Covid Certificate QR code and have seen the reports," an EU spokesperson told BleepingComputer.

"As a priority, we are following closely the developments of this incident and are in contact with the relevant member states authorities that are investigating and putting in place remedial actions."

"We firmly condemn this malicious act, representing an interference in a sensitive and strategic area, at a time when health services in all Member States are under pressure fighting the pandemic."

"The incident has no impact on the security and integrity of the EU Gateway managed by the Commission," concludes the Commission in their statement to us.

The fact that anyone holding the leaked key can forge cryptographically valid COVID certificates also calls into question the authenticity of legitimate certificates issued by EU government bodies: a verifier that only checks the signature cannot tell a forgery from a genuine certificate signed with the same key.

Should this be the case, the compromised key would need to be revoked by the authorities across the entire EU, which would invalidate both the forged certificates and the legitimate ones signed with that key.

As such, by the time the situation is resolved and new signing keys are in place, holders of legitimate EU Digital Covid certificates signed with the compromised key will very likely need to obtain freshly issued Green Passes.

Update Oct 29th 02:35 ET: Some forged certificates are (fortunately) no longer being recognized as valid.
