The Limited Times


Fake health passes in the name of Hitler or SpongeBob: 5 minutes to understand a European fault

2021-10-31T12:08:43.157Z


Security breaches have made it possible to freely create fake European health passes that are perfectly functional thanks in particular to a sit


The case is already proving sensitive for European governments.

For several days, these countries have been confronted with the spread of fake vaccination health passes.

The extent of the phenomenon remains difficult to measure, but it has already prompted several states, including France, to launch an investigation.

Explanations.

What happened?

For several days now, some Internet users have been boasting on forums and social networks that they have secret cryptographic keys used to generate a valid QR code for the European health pass.

The European Commission has acknowledged being aware of these "fraudulent manipulations".

As Numerama reveals, several sites allowing the creation of QR Codes were accessible for several days on the web to anyone who had the link, without any verification step.

Concretely, anyone could obtain a valid pass by simply entering invented data (name, first name, date of birth, date of injection, which vaccine, etc.) in the form of these sites.

"Strictly speaking, however, this is not theft: although the site generates real QR codes, the data of vaccinated people was not accessible", specifies in Paris Gaëtan Leurent, researcher in cryptography at the National Institute for Research in Digital Science and Technology.

Thus, some users have had fun creating valid codes, by borrowing fanciful names, such as a certain SpongeBob, an Adolf Hitler (born in 1989) or a Mickey Mouse (born in 2001).

SpongeBob was able to go to work today with his pass!

Squidward is surprised to see him at work after the other day's discussion about the pass being mandatory for work #nogreenpass #GreenPassBucato #LGBT pic.twitter.com/1qBU9wKAxw

- Justin Time 🧱 (@JustinT37781594) October 28, 2021

How to explain such a European fault?

Several hypotheses are on the table, but before going any further, a short explanation is in order: each organization authorized to issue health passes (e.g. in France, the APHP, the Cnam ...) generates a private encryption key, which is kept secret, as well as a public key associated with this private key, which is disseminated as widely as possible and which ensures the authenticity of the QR code. Each pass thus records which key signed it, and that shows where it comes from.

Several fraudulent passes were linked to a public key traced back to North Macedonia, a country outside the EU but integrated into the European health system, which raises the question of the porosity of certain Internet portals.

But two passes - including that of Adolf Hitler - also have a French public key.

Fraud has therefore indeed taken place in France.

Here too, several scenarios are being studied.

“It could first be an isolated act of a malicious caregiver, or even the hacking of a caregiver's computer or his Ameli Pro account that can generate QR codes”, explains the user and computer engineer @gilbsgilbs.

According to the Directorate General of Health, the National Health Insurance Fund (CNAM) has already been able to identify a health professional card, which would have allowed this fraud in France.

What next?

The case is not completely closed because the origin of some fraudulent health passes remains unknown.

French and Polish authorities have launched an investigation.

While waiting to learn more, the member states of the eHealth network (European Union-wide public health) have agreed to "block fraudulent certificates so that they are considered invalid by verification applications".

The Macedonian portal has also been deactivated.

In France, the TousAntiCovid Verif application was updated on Thursday morning.

“All the fraudulently issued passes have thus become retroactively invalid,” notes the engineer.
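The key mechanism and the blocking measure described above can be put side by side in a short sketch, added here as an illustration and not taken from the article or from any health-pass software. It assumes Ed25519 in place of whatever signature algorithm the real passes use, a simplified `Pass` structure, hypothetical names (`Issue`, `Check`, `issuer-A`, `cert-001`) and a blocklist keyed on a certificate identifier; it shows why invented data carries a valid signature when the issuing key is used, and why only a blocklist update makes such a pass invalid.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Pass is a simplified stand-in for a health pass, not the real EU format.
type Pass struct {
	KeyID, CertID, Holder string
	Sig                   []byte
}

// Issue signs whatever holder data it is handed; it cannot tell real from invented.
func Issue(priv ed25519.PrivateKey, keyID, certID, holder string) Pass {
	sig := ed25519.Sign(priv, []byte(keyID+"|"+certID+"|"+holder))
	return Pass{keyID, certID, holder, sig}
}

// Check finds the issuer key named in the pass, verifies, then applies the blocklist.
func Check(trusted map[string]ed25519.PublicKey, blocked map[string]bool, p Pass) string {
	pub, ok := trusted[p.KeyID]
	switch {
	case !ok:
		return "unknown issuer key"
	case !ed25519.Verify(pub, []byte(p.KeyID+"|"+p.CertID+"|"+p.Holder), p.Sig):
		return "bad signature"
	case blocked[p.CertID]:
		return "blocked"
	}
	return "valid"
}

// Demo returns verdicts: invented data, the same pass once blocklisted, an edited pass.
func Demo() [3]string {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"issuer-A": pub}
	blocked := map[string]bool{}
	fake := Issue(priv, "issuer-A", "cert-001", "Invented Name, born 2001") // constructed sample
	before := Check(trusted, blocked, fake)
	blocked["cert-001"] = true // blocklist entry (keying on a certificate ID is an assumption)
	after := Check(trusted, blocked, fake)
	fake.Holder = "Someone Else" // editing a signed pass without the key
	return [3]string{before, after, Check(trusted, blocked, fake)}
}

func main() { fmt.Println(Demo()) }
```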

What precedents in France?

Already last September, the QR codes of the health passes of Emmanuel Macron and Jean Castex had been disseminated on social networks.

The first by caregivers who had consulted the President's vaccination record according to Health Insurance, and the second by Internet users who had managed to scan it from a press photo.


These new flaws this time on a European scale obviously raise questions about the protection of our personal data, insists Gaëtan Leurent.

“The health pass was designed with a signature to prevent fraud.

But as we have seen, there are plenty of ways to get around the system (dishonest caregivers, server security issues…).

We are entitled to wonder: what do we really gain by putting it in place?

And above all, is this device really worth taking all these risks?

Nothing is less sure".

Source: leparis
