From Tuesday 26 October, a valid but obviously false Green Pass began to circulate online, first in specialized forums and then on Twitter: it is in the name of Adolf Hitler and shows as a date of birth January 1, 1900 or 1930. At first glance it might seem a simple photomontage; in reality it is the result of a more complex operation, because the QR code of Adolf Hitler's Green Pass was in fact functional and passed verification until late Wednesday morning, when it was deactivated.
Many Green Pass verification apps, including the Italian VerificaC19, issued by the Ministry of Health, considered this Adolf Hitler certificate to be authentic: when the QR code was scanned, a green frame appeared on the screen, signaling its validity. This is a problem because it means that someone has managed to generate a Green Pass that is obviously fake but is recognized by the verification apps and is therefore functional. At the moment it is not easy to understand what happened, to identify the causes of the problem and, above all, to assess what this means for the reliability of the whole European procedure for generating Green Passes.
The QR codes of the Green Passes (the squares with various black and white patterns inside them), which are shown to enter any place where the certificate is required, are generated from several pieces of personal information that together form a unique combination. These include the name and surname of the vaccinated person, the country of vaccination, the number of doses received, the date of administration, the institution that issued the Green Pass, the manufacturer of the vaccine administered, the total number of doses, the disease covered by the vaccine, the expiration of the code and the date of generation. This data is not encrypted, which is why people who share their QR code online expose their health data.
The cryptographic part is a string of numbers, letters and symbols that works as a signature certifying that the QR code has not been forged. It relies on an “asymmetric” algorithm: the certificate is signed with a private key kept by the entity that issued it, and the apps that check the Green Pass verify that the signature on the certificate matches that entity's corresponding public key.
As explained by the IT journalist Paolo Attivissimo, in theory only authorized health organizations hold the private cryptographic keys that allow them to generate valid Green Passes. But the fact that someone created a working Green Pass in the name of a historical figure who died over seventy years ago suggests that someone got hold of these keys and used them to produce a fake certificate. This is the hypothesis put forward in a discussion that took place on a specialized forum, Raidforums.
According to the first analyses of the fake Green Pass attributed to Hitler, the body that appears to have issued the certificate is the CNAM, the Caisse Nationale d'Assurance Maladie, the French equivalent of the Italian INPS. Since this information can also be forged, it cannot be ruled out that the cryptographic key of another entity was used.
It is also unclear whether the private keys fell into the hands of cybercriminals who gained access from the outside, or whether those responsible for this possible breach work for the entity or entities involved. “Whether it was a leak or at least an abuse of signature keys is not debatable, it is quite evident”, Stefano Zanero, professor of computer security and computer forensics at the Politecnico di Milano, wrote on Twitter.
To prevent anyone from generating a Green Pass, the immediate technical solution is relatively simple: revoke the compromised keys and generate new certificates for all the people who had obtained their Green Pass from the affected body. It will be more complex, however, to assess the consequences of this possible breach for the reliability of the verification system and for the credibility of a tool that in Italy is essential for working, going to restaurants, entering stadiums, and attending concerts and shows.
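The signature check and the key revocation described above can be sketched as follows; this is an added example, not code from VerificaC19 or from any Green Pass system. Ed25519 stands in for whatever signature algorithm the real system uses, and the JSON payloads, the key ID `issuer-A` and all type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Pass is a simplified certificate: a readable payload plus a signature over it.
type Pass struct {
	KeyID              string // names the issuer key that signed the pass
	Payload, Signature []byte // the payload is signed, not encrypted
}

type TrustList map[string]ed25519.PublicKey // verifier's view: key ID -> issuer public key
var ErrUntrusted = errors.New("issuer key unknown or revoked")
var ErrBadSig = errors.New("signature does not match payload")

// NewIssuer trusts a fresh key pair (constructed here) and returns its signing function.
func (tl TrustList) NewIssuer(keyID string) func(payload string) Pass {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	tl[keyID] = pub
	return func(payload string) Pass {
		return Pass{KeyID: keyID, Payload: []byte(payload), Signature: ed25519.Sign(priv, []byte(payload))}
	}
}

// Check proves only that a currently trusted key signed these exact bytes.
func (tl TrustList) Check(p Pass) error {
	pub, ok := tl[p.KeyID]
	if !ok {
		return ErrUntrusted
	}
	if !ed25519.Verify(pub, p.Payload, p.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	tl := TrustList{}
	bogus := tl.NewIssuer("issuer-A")(`{"name":"Constructed Name","dob":"1900-01-01"}`)
	fmt.Println("key trusted:", tl.Check(bogus)) // accepted: the signature is valid
	delete(tl, "issuer-A")                       // revoke the compromised key
	fmt.Println("key revoked:", tl.Check(bogus)) // every pass from that key now fails
}
```

The verifier never judges whether the payload is plausible, only whether a trusted key signed it, which is why removing the key also invalidates every genuine pass it signed and forces reissuing.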