UPDATE: French & Polish authorities found no sign of cryptographic compromise in the leak of the private key used to sign the vaccine passports and to create fake passes for Mickey Mouse and Adolf Hitler, et al.
As of Thursday morning Eastern time, Adolf Hitler and Mickey Mouse could still validate their digital Covid passes, SpongeBob Squarepants was out of luck, and the European Union was investigating a leak of the private key used to sign the EU’s Green Pass vaccine passports.
Two days earlier, on Tuesday, several people reported that they’d found a QR code online that turned out to be a digital Covid certificate with the name “Adolf Hitler” written on it, along with a date of birth listed as Jan. 1, 1900.
On Wednesday, the Italian news agency ANSA reported that several underground vendors were selling passes signed with the stolen key on the Dark Web, and that the EU had called “several high-level meetings” to investigate whether the theft was an isolated incident.
The private key used to verify Hitler’s pass was reportedly revoked as of Wednesday, but there were multiple reports of working certificates still being sold online. Threatpost confirmed this on Thursday morning by using the official Verifica C19 app to scan a QR code that had been shared on Twitter by a penetration tester.
Try to scan this QR code with the official government APP “Verifica C19”
— reversebrain (@reversebrain) October 26, 2021
Adolf’s certificate got the green light, as shown in the screen capture below:
Other QR codes posted to GitHub turned up a validly signed certificate for Mickey Mouse, though SpongeBob’s certificate has since been turned away as the key(s) get revoked.
As of Thursday, the certificate for Adolf Hitler was also still being accepted by Germany’s Covid app “CovPass,” where the private certificate itself appears to originate from France.
Serious Repercussions of a Leaked Private Certificate
Dirk Schrader, global vice president of security research at New Net Technologies (NNT), now part of change management software provider Netwrix, told Threatpost on Thursday that this leak is likely going to be a big issue as travelers increasingly require proof of vaccination.
“A leaked private certificate is likely a big issue as other nations, especially non-EU nations, might require additional proof for any traveler, once the full scope of this incident unfolds,” he said via email. “The market for such fake vaccination certificates seems to be promising, as the use of Mickey Mouse and other fictitious and historic names certainly is used as a proof and assurance for potential buyers.”
Authentic EU Digital Passports Could Be Invalidated
The worst potential outcome of this, Schrader pointed out, would be revocation of that private key – an outcome that could affect 278 million EU citizens.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington, D.C.-based provider of cloud identity security solutions, said the news of the leak is “shocking.”
“It is a major concern that the private keys have been reportedly leaked/sold and actively being used to create forged EU Digital COVID passports,” he told Threatpost on Thursday. “This leak could, in fact, invalidate existing authentic EU Digital Passports unless a full incident response and root cause analysis is determined that could minimize any potential damage this could cause.”
Carson pointed out that each country is responsible for its own private keys, so one country being compromised “would not be a major surprise.”
That, however, isn’t the case: multiple countries are being reported, which is going to damage the trust that the EU Digital Passport provides and which “could force a revamp on travel restrictions or trust in the passport,” Carson said.
“The whole trust is based on keeping those private keys secured and protected, and I just hope that the impacted countries have minimized the risks and [are] not dependent on a single set of private keys for all EU Digital Passports,” he continued.
“[Determining] how the private keys have been compromised should be a top priority,” while reducing the risks of such a leak reoccurring should mean that security and protection of the keys will be significantly improved, he said.
A ‘Growing Black Market’ in Forged Vaccine Passports
Besides fictional or dead characters, the penetration tester who shared the QR code – @reversebrain – noted that this is no laughing matter. “This is worrying,” they said. “If the leak would be confirmed, this means that fake EU Digital COVID Certificate can be forged to any person.”
It wouldn’t be the first time. In June, Germany set up a police task force to battle what the BBC called a growing black market in forged vaccine certificates, as scammers communicated via the encrypted Telegram messaging service to dupe people into paying about €100 (£86; $122) for a whole lot of nothing.
Telegram is again featuring in the forged certificates this time around. GitHub user Emanuele Laface said on Tuesday that the encrypted messenger service is where most of the forged Green Passes are being passed around:
“On various groups (Telegram mainly) are circulating several forged Green Passes with valid signatures.” —Emanuele Laface’s Oct. 26 GitHub post
Laface suggested that the leak could encompass more than just one private key. Rather, it could be that a database of private keys was compromised: a possibility that “may [end] up in a break of the chain of trust in the Green Pass architecture,” they noted.
That chain of trust could be broken in a lot of places: According to BleepingComputer, the fake certificates circulating online have been issued from countries including France, Germany, Italy, the Netherlands, North Macedonia, Poland, and more, “indicating the issue could very well impact the entire EU.”
EU (Slowly) Moves to Block Bogus Certificates
10/28/21 13:05 UPDATE: The European Commission told Threatpost on Thursday that it’s in contact with the relevant Member States’ authorities, which are investigating and putting remedial actions in place.
A spokesperson said that Member States in the eHealth Network decided on Wednesday to coordinate their actions on the incident. As a first step, he said, “Member States have agreed to block the two fraudulent certificates so that they will be shown as invalid by the verifying apps.”
The Commission didn’t give a timeline for when the certificates will be blocked, nor why Threatpost and others could still validate some of the bogus certificates on Thursday.
But the Commission did say that Member States and the Commission are working at the national and European level on improving invalidation and revocation systems, “to be able to react to any such cases even more quickly.”
The Commission condemned the private key theft: “The Member States and the Commission condemn this malicious act in the strongest possible terms, which comes at a time when health services in all Member States are under pressure fighting the pandemic.”
Cryptographic Keys Not Compromised
The Commission’s statement said that the certificates were apparently generated “by persons with valid credentials to access the national IT systems, or a person misusing such valid credentials.”
An investigation now being conducted by authorities in France and Poland is looking into possible causes of the fraudulent activity, including potential forgery of documents and identity theft.
At this point, the investigation has ruled out a compromise of the cryptographic keys used to sign certificates, according to the Commission:
“According to the information available, the cryptographic keys used to sign certificates have not been compromised. This incident is caused by an illegal activity and not by a technical failure. Together with the Member States, we reaffirm our full trust in the EU Digital COVID Certificate system.”
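The two remedies that run through this story, pulling an issuer’s signing key (the outcome Schrader warned could hit 278 million citizens) versus blocking only the fraudulent certificates (the step the Member States agreed on), and the Commission’s finding that the passes carry genuine signatures made through the issuing system rather than with a stolen key, can be shown in a small verifier model. The code below is an added example, not EU reference code or anything from the verifying apps: it uses textbook RSA over two fixed Mersenne primes in place of the real scheme’s COSE/ECDSA signatures, and the key id “FR-KEY-1”, the certificate ids and the holder “Alice Example” are constructed for the illustration.

```python
"""Toy model of a Green Pass style verifier (added example, not EU code).

Shows the blast radius of the two remedies discussed in the article:
revoking an issuer key invalidates every pass that key ever signed, while
a per-certificate blocklist invalidates only the named passes.
"""
import hashlib
import json

# Constructed toy RSA key pair for the hypothetical issuer key "FR-KEY-1".
# The Mersenne primes 2**31-1 and 2**61-1 keep the arithmetic cheap, and
# neither p-1 nor q-1 has the factor 65537, so e is invertible mod phi(n).
_P, _Q = 2**31 - 1, 2**61 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def _digest(payload: dict) -> int:
    """SHA-256 of a canonical JSON encoding, reduced into the RSA modulus."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % _N


def issue(payload: dict, kid: str = "FR-KEY-1", d: int = _D, n: int = _N) -> dict:
    """What the issuing system produces for anyone allowed to drive it:
    the payload plus a genuine signature under the issuer key."""
    return {"kid": kid, "payload": payload, "sig": pow(_digest(payload), d, n)}


# Verifier-side state: the published trust list (kid -> public key).
TRUST_LIST = {"FR-KEY-1": (_E, _N)}


def cert_id_hash(cert_id: str) -> str:
    """Blocklists carry hashes of certificate ids rather than the ids."""
    return hashlib.sha256(cert_id.encode()).hexdigest()


def verify(cert: dict, revoked_kids: set, blocklist: set, trust_list=TRUST_LIST) -> str:
    """Order of checks a verifying app performs: key status, signature, then
    the per-certificate blocklist. Returns a short verdict string."""
    kid = cert["kid"]
    if kid in revoked_kids:
        return "rejected: issuer key revoked"
    if kid not in trust_list:
        return "rejected: unknown issuer key"
    e, n = trust_list[kid]
    if pow(cert["sig"], e, n) != _digest(cert["payload"]):
        return "rejected: bad signature"
    if cert_id_hash(cert["payload"]["ci"]) in blocklist:
        return "rejected: certificate blocklisted"
    return "valid"


# Constructed certificates. Both carry genuine signatures from the same key:
# one for a legitimate holder, one produced through the issuing system with
# valid credentials, which is how the Commission described the incident.
LEGIT_CI = "URN:UVCI:01:FR:EXAMPLE-LEGIT-0001"
FRAUD_CI = "URN:UVCI:01:FR:EXAMPLE-FRAUD-0001"
CERTS = {
    "legit": issue({"nam": "Alice Example", "dob": "1985-04-12", "ci": LEGIT_CI}),
    "fraud": issue({"nam": "Adolf Hitler", "dob": "1900-01-01", "ci": FRAUD_CI}),
}


def outcomes_after_key_revocation() -> dict:
    """Remedy 1: pull the issuer key. Every pass it signed dies with it."""
    return {k: verify(c, {"FR-KEY-1"}, set()) for k, c in CERTS.items()}


def outcomes_after_blocklisting() -> dict:
    """Remedy 2: block only the known fraudulent certificate ids."""
    return {k: verify(c, set(), {cert_id_hash(FRAUD_CI)}) for k, c in CERTS.items()}


def outcome_for_tampered_copy() -> str:
    """Editing a signed pass without the key breaks the signature, which is
    why the fraud needed the issuing system rather than a copied QR code."""
    tampered = json.loads(json.dumps(CERTS["legit"]))
    tampered["payload"]["nam"] = "Mickey Mouse"
    return verify(tampered, set(), set())


if __name__ == "__main__":
    print("key revoked:", outcomes_after_key_revocation())
    print("blocklisted:", outcomes_after_blocklisting())
    print("tampered   :", outcome_for_tampered_copy())
```

Run as a script it prints the three verdict sets. The blocklist check runs only after the signature check on purpose: a verifier that consulted the blocklist first would reveal which ids it holds to anyone presenting unsigned junk, and it would still have to verify the signature anyway. The model also makes clear why a fresh blocklist must reach every verifying app before a blocked pass stops scanning green, which matches what Threatpost observed on Thursday.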
10/28/21 13:23 UPDATE: Added input from the European Commission.
10/28/21 13:39 UPDATE 2: Added input from Dirk Schrader, Joseph Carson.