Skip to content
The EU private key used to sign the vaccine passports was leaked & is being passed around to create fake passes for the likes of Mickey Mouse & Adolf Hitler.
As of Thur. morning, Adolf Hitler & Mickey Mouse could still validate their digital Covid passes, Sponge Bob Squarepants was out of luck, & the European Union was investigating a leak of the private key used to sign the EU’s Green Pass vaccine passports.
Covid Certificate
2 days earlier, on Tues., several people reported that they had found a QR code online that turned out to be a digital Covid certificate with the name “Adolf Hitler” written on it, along with a date of birth listed as Jan. 1, 1900.
On Wed., the Italian news agency ANSA reported that several underground vendors were selling passes signed with the stolen key on the Dark Web, & that the EU had called “several high-level meetings” to investigate whether the theft was an isolated incident.
Hitler’s Pass
The private key used to verify Hitler’s pass was reportedly revoked as of Wed., but there were multiple reports of working certificates still being sold online.
This was confirmed on Thurs. morning by using the official Verifica C19 app to scan a QR code that had been shared on Twitter by a penetration tester.
Adolf’s certificate got the green light.
Other QR codes posted to GitHub turned up a validly signed certificate for Mickey Mouse, though SpongeBob’s certificate has since been turned away as the keys gets revoked.
‘Growing Black Market’ in Forged Vaccine Passports
Besides fictional or dead characters, the penetration tester who shared the QR code – @reversebrain – noted that this is not a laughing matter. “This is worrying,” they stated. “If the leak would be confirmed, this means that fake EU Digital COVID Certificate can be forged to any person.”
It would not be the first time. In June, Germany set up a police task force to fight what the BBC called a growing black market in forged vaccine certificates, as scammers communicated via the encrypted Telegram messaging service to fool people into paying about €100 (£86; $122) for nothing.
Forged Certificates
Telegram is again featuring in the forged certificates this time around. GitHub user Emanuele Laface said on Tues. that the encrypted messenger service is where most of the forged Green Passes are being passed around:
“On various groups (Telegram mainly) are circulating several forged Green Pass with valid signature.” —Emanuele Laface’s Oct. 26 GitHub post
Database Compromised
Laface suggested that the leak could relate to more than just 1 private key. It could be that a database of private keys was compromised: a possibility that “may end up in a break of the chain of trust in the Green Pass architecture,” they noted.
That ‘chain of trust ‘could be broken in many places: According to Bleeping Computer, the fake certificates circulating online have been issued from countries including France, Germany, Italy, Netherlands, North Macedonia, Poland, & more, “indicating the issue could very well impact the entire EU.”
EU Investigating
An EU spokesperson told Bleeping Computer that officials are aware of “alleged fraudulent manipulations of EU Covid Certificate QR code.” Its statement continued:
“As a priority, we are following closely the developments of this incident and are in contact with the relevant member states authorities that are investigating a& putting in place remedial actions.
Sensitive & Strategic Area
We firmly condemn this malicious act, representing an interference in a sensitive & strategic area, at a time when health services in all Member States are under pressure fighting the pandemic.
The incident has no impact on the security & integrity of the EU Gateway managed by the Commission.” — EU statement, per Bleeping Computer.
https://www.cybernewsgroup.co.uk/virtual-conference-november-2021/
