EU’s Green Pass Vaccination ID Private Key Leaked: updates
Threatpost - Author: Lisa Vaas - October 28, 2021 11:34 am
UPDATE: French & Polish authorities found no sign
of cryptographic compromise in the leak of the private key used to sign the
vaccine passports and to create fake passes for Mickey Mouse and Adolf Hitler,
et al.
As of Thursday morning Eastern time, Adolf Hitler
and Mickey Mouse could still validate their digital Covid passes, SpongeBob
Squarepants was out of luck, and the European Union was investigating a leak of
the private key used to sign the EU’s Green Pass vaccine passports.
Two days earlier, on Tuesday, several people
reported that they’d found a QR code online that turned out to be a digital
Covid certificate with the name “Adolf Hitler” written on it, along with a date
of birth listed as Jan. 1, 1900.
On Wednesday, the Italian news agency ANSA reported that several
underground vendors were selling passes signed with the stolen key on the Dark
Web, and that the EU had called “several high-level meetings” to investigate
whether the theft was an isolated incident.
The private key used to verify Hitler’s pass was
reportedly revoked as of Wednesday, but there were multiple reports of working
certificates still being sold online. Threatpost confirmed this on Thursday
morning by using the official Verifica C19 app to scan a
QR code that had been shared on Twitter by a penetration tester.
“Try to scan this QR code with the official government APP "Verifica C19" 2/3 pic.twitter.com/2y65c4vsc9” — reversebrain (@reversebrain) October 26, 2021
Adolf’s certificate got the green light, as shown
in the screen capture below:
Other QR codes posted to GitHub turned up a validly signed certificate for
Mickey Mouse, though SpongeBob’s certificate has since been rejected as the
key(s) get revoked.
As of Thursday, the certificate for Adolf Hitler was also still being accepted
by Germany’s Covid app “CovPass”; the private certificate used to sign it
appears to originate from France.
Serious Repercussions of a Leaked Private Certificate
Dirk Schrader, global vice president of security research at New Net
Technologies (NNT), now part of change management software provider Netwrix,
told Threatpost on Thursday that this leak is likely going to be a big issue as
travelers increasingly require proof of vaccination.
“A leaked private certificate is likely a big issue as other nations,
especially non-EU nations, might require additional proof for any traveler,
once the full scope of this incident unfolds,” he said via email. “The market
for such fake vaccination certificates seems to be promising, as the use of
Mickey Mouse and other fictitious and historic names certainly is used as a
proof and assurance for potential buyers.”
Authentic EU Digital Passports Could Be Invalidated
The worst potential outcome of this, Schrader
pointed out, would be revocation of that private key – an outcome that
could affect 278 million EU citizens.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify,
a Washington D.C.-based provider of cloud identity security solutions, said
the news of the leak is “shocking.”
“It is a major concern that the private keys have
been reportedly leaked/sold and actively being used to create forged EU Digital
COVID passports,” he told Threatpost on Thursday. “This leak could, in fact,
invalidate existing authentic EU Digital Passports unless a full incident
response and root cause analysis is determined that could minimize any
potential damage this could cause.”
Carson pointed out that each country is responsible for its own private keys,
so one country being compromised “would not be a major surprise.”
That, however, isn’t the case: multiple countries are reportedly affected,
which is going to damage the trust that the EU Digital Passport provides and
which “could force a revamp on travel restrictions or trust in the passport,”
Carson said.
“The whole trust is based on keeping those private
keys secured and protected, and I just hope that the impacted countries have
minimized the risks and [are] not dependent on a single set of private keys for
all EU Digital Passports,” he continued.
“[Determining] how the private keys have been
compromised should be a top priority,” while reducing the risks of such a leak
reoccurring should mean that security and protection of the keys will be
significantly improved, he said.
A ‘Growing Black Market’ in Forged Vaccine Passports
Fictional and dead characters aside, the penetration tester who shared the QR
code – @reversebrain – noted that this is no laughing matter. “This is
worrying,” they said. “If the leak would be confirmed, this means that fake EU
Digital COVID Certificate can be forged to any person.”
It wouldn’t be the first time. In June, Germany set
up a police task force to battle what the BBC called a growing black market in forged
vaccine certificates, as scammers communicated via the encrypted Telegram
messaging service to dupe people into paying about €100 (£86; $122) for a whole
lot of nothing.
Telegram is again featuring in the forged
certificates this time around. GitHub user Emanuele Laface said on
Tuesday that the encrypted messenger service is where most of the forged Green
Passes are being passed around:
“On various groups (Telegram mainly) are
circulating several forged Green Pass with valid signature.” —Emanuele Laface’s
Oct. 26 GitHub post
Laface suggested that the leak could encompass more
than just one private key. Rather, it could be that a database of private
keys was compromised: a possibility that “may [end] up in a break of the chain
of trust in the Green Pass architecture,” they noted.
That chain of trust could be broken in a lot of places: According to
BleepingComputer, the fake certificates circulating online have been issued
from countries including France, Germany, Italy, Netherlands, North Macedonia,
Poland, and more, “indicating the issue could very well impact the entire EU.”
EU (Slowly) Moves to Block Bogus Certificates
102821 13:05 UPDATE: The European Commission told Threatpost on Thursday that
it’s in contact with the relevant Member State authorities, which are
investigating and putting remedial actions in place.
A spokesperson said that Member States in the
eHealth Network decided on Wednesday to coordinate their actions on the
incident. As a first step, he said, “Member States have agreed to block the two
fraudulent certificates so that they will be shown as invalid by the verifying
apps.”
The Commission didn’t give a timeline for when the
certificates will be blocked, nor why Threatpost and others could still
validate some of the bogus certificates on Thursday.
But the Commission did say that Member States and
the Commission are working at the national and European level on improving
invalidation and revocation systems, “to be able to react to any such cases
even more quickly.”
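The two responses discussed on this page pull in opposite directions: the Commission's first step was to block the two known fraudulent certificates, while the revocation Schrader warned about would invalidate every authentic pass signed with the same key, and Laface's point was that a forged pass carrying a valid signature is, by signature alone, a real pass. The following Go program is an added example, not code from Threatpost, from the EU verifier apps or from any of the people quoted; it models the architecture loosely (Ed25519 key pairs standing in for the real certificate format, an assumed per-certificate ID field used for blocking, constructed holder names and IDs) and shows that a pass produced with a valid key verifies like any other, that a blocklist stops only the certificates you already know about, and that revoking the issuing country's key rejects its authentic passes too while another country's passes are unaffected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Certificate is a simplified stand-in for a signed pass (assumption: the real
// EU certificate is a CBOR/COSE structure; only the fields the checks need are kept).
type Certificate struct {
	ID     string // per-certificate identifier (assumed field, used for blocking)
	Issuer string // country code of the authority whose key signed it
	Name   string
	Sig    []byte // signature over ID|Issuer|Name
}

// Issuer holds one country's signing key pair; each country manages its own.
type Issuer struct {
	Country string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewIssuer(country string) *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source does
	}
	return &Issuer{Country: country, Pub: pub, priv: priv}
}

// Issue signs a certificate. Whoever can run this (a leaked key, or valid
// credentials misused) produces output indistinguishable from a genuine pass.
func (iss *Issuer) Issue(id, name string) Certificate {
	c := Certificate{ID: id, Issuer: iss.Country, Name: name}
	c.Sig = ed25519.Sign(iss.priv, []byte(c.ID+"|"+c.Issuer+"|"+c.Name))
	return c
}

// Verifier models the verifying app: trusted keys per country, a blocklist of
// certificate IDs, and a set of revoked keys (keyed by raw public key bytes).
type Verifier struct {
	Trusted    map[string]ed25519.PublicKey
	BlockedIDs map[string]bool
	Revoked    map[string]bool
}

func NewVerifier(issuers ...*Issuer) *Verifier {
	v := &Verifier{map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]bool{}}
	for _, iss := range issuers {
		v.Trusted[iss.Country] = iss.Pub
	}
	return v
}

// Verify reports whether the app would show the pass as valid and, if not, why.
func (v *Verifier) Verify(c Certificate) (bool, string) {
	pub, ok := v.Trusted[c.Issuer]
	switch {
	case !ok:
		return false, "unknown issuer"
	case v.Revoked[string(pub)]:
		return false, "signing key revoked"
	case v.BlockedIDs[c.ID]:
		return false, "certificate blocked"
	case !ed25519.Verify(pub, []byte(c.ID+"|"+c.Issuer+"|"+c.Name), c.Sig):
		return false, "bad signature"
	}
	return true, ""
}

// RunScenario replays both remediation choices; results are keyed "stage:holder".
func RunScenario() map[string]bool {
	fr, pl := NewIssuer("FR"), NewIssuer("PL")
	v := NewVerifier(fr, pl)
	certs := map[string]Certificate{
		"alice":  fr.Issue("FR-0001", "Alice Example"), // authentic (constructed)
		"bob":    pl.Issue("PL-0001", "Bob Example"),   // authentic, other country
		"hitler": fr.Issue("FR-9001", "Adolf Hitler"),  // forged with access to FR's key
		"mickey": fr.Issue("FR-9002", "Mickey Mouse"),  // forged likewise
	}
	res := map[string]bool{}
	record := func(stage string) {
		for holder, c := range certs {
			res[stage+":"+holder], _ = v.Verify(c)
		}
	}
	record("initial")
	v.BlockedIDs[certs["hitler"].ID] = true // block one known-bad certificate
	record("blocked")
	v.Revoked[string(fr.Pub)] = true // revoke the whole FR signing key
	record("revoked")
	return res
}

func main() {
	for k, ok := range RunScenario() {
		fmt.Printf("%-16s valid=%v\n", k, ok)
	}
}
```

Running it with `go run` prints one line per stage and holder (map order, so unsorted): after the block step only the Hitler pass fails while the Mickey Mouse pass still verifies, and after the key revocation Alice's authentic French pass fails alongside the two forgeries while Bob's Polish pass is untouched. That is the trade-off behind the Commission's choice to block individual certificates first and work on faster invalidation and revocation systems rather than revoke a national key outright.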
The Commission condemned the private key theft:
“The Member States and the Commission condemn this malicious act in the
strongest possible terms, which comes at a time when health services in all
Member States are under pressure fighting the pandemic.”
Cryptographic Keys Not Compromised
The Commission’s statement said that the certificates
were apparently generated “by persons with valid credentials to access the
national IT systems, or a person misusing such valid credentials.”
An investigation now being conducted by authorities
in France and Poland is looking into possible causes of the fraudulent
activity, including potential forgery of documents and identity theft.
At this point, the investigation has ruled out a
compromise of the cryptographic keys used to sign certificates, according to
the Commission:
“According to the information available, the
cryptographic keys used to sign certificates have not been compromised. This
incident is caused by an illegal activity and not by a technical failure.
Together with the Member States, we reaffirm our full trust in the EU Digital
COVID Certificate system.”
102821 13:23 UPDATE: Added input from the European
Commission.
102821 13:39 UPDATE 2: Added input from Dirk
Schrader, Joseph Carson.
Original link: https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175857/