Between tonight and this morning, a QR code appeared in the network’s maze, and if it was scanned by the VerificationC19 processor, the valid green pass with the date of birth 1/1/1900 in the name of Adolf Hitler was revoked. However, instead of being funny in bad taste: this is evidence that the private keys to creating and signing European green passports have been distorted.
Before proceeding with the risks associated with this data exploitation and the possible consequences for all of us, it is good to explain how Green Pass verification keys work (or at least how they work) at the internal security level.
The security system for Covid-19 certificates is based on a two-level authentication system: secret keys and pass data belonging to the certification bodies (certificate type and validity). In this context, identifying every healthcare institution certified at the European level is strictly particularly important.
The VerificationC19 application, and similar applications to other countries, verifies Green Passes by processing the data locally, but also downloads a list of valid certificates from the servers each day, as well as a sequence of rules governing their validity. If the verification apps do not recognize one of the keys associated with the certified companies, Green Pass will be recognized as invalid regardless of the nature of the data contained therein.
I think the private keys used to sign the EU Digital Govt Certificate, at least in Italy, have been leaked in some way.
1/3
– Reverse brain (@reversebrain) October 26, 2021
We now turn to Adolf Hitler’s Green Pass: the existence of this code proves that the first level of health certificates is distorted in security, i.e. private keys. After analyzing the certificate, it reports the French national social security agency Caisse Nationale d’Assurance Maladie as an entity, but it provides explicit damage to data that could virtually come from anyone. Initial rumors suggest that this fake green pass was created using Polish keys, but France and Italy have not ruled it out.
What are the implications of this attack? First, read that creating false green passes is correct, as at present it may already be in circulation with names associated with real persons and less provocative motives than the Nazi dictator – and is not valid when scanning with verification C19 starting late this morning.
Duplicate certificate not recognized now (thankfully)
4 / N pic.twitter.com/clfYnp8er9
– Reverse brain (@reversebrain) October 27, 2021
The main problem for regular Green Pass holders lies in the preventive measures that can be taken instead: the protection of European health certificates has already taken into account such attacks, but the solution lies in re-issuing all certificates so that they are not even valid. In accordance with the law. Therefore, it would be a significant inconvenience to some undoubtedly Green Pass holders and those in charge of control.
Recent developments in the matter, at least in Italy, certification security officials are aware of this data damage, but officials have not yet commented on the incident.
Do not run the risk of battery depletion? This 20,000mAh charger now comes with a USB Type-C connector In advertising on Amazon.
Professional bacon fanatic. Explorer. Avid pop culture expert. Introvert. Amateur web evangelist.
More Stories
What Does the Future of Gaming Look Like?
Throne and Liberty – First Impression Overview
Ethereum Use Cases