
Why Adolf Hitler’s Green Pass can be a problem

Since Tuesday 26 October, a valid but obviously false Green Pass has been circulating online, first in specialized forums and then on Twitter: it is in the name of Adolf Hitler and shows January 1, 1900 as the date of birth. What at first glance might seem like a simple photomontage is actually the result of a more complex operation, because the QR code with which Adolf Hitler’s Green Pass is verified is fully functional.

Many Green Pass verification apps, including the Italian VerificaC19, issued by the Ministry of Health, consider this Adolf Hitler certificate to be authentic: when the QR code is scanned, a green frame appears on the screen, signaling its validity. This is a problem because it means that someone has managed to generate a Green Pass that is obviously fake but is recognized by the verification apps and is therefore functional. At the moment it is not easy to understand what happened, identify the causes of the problem and, above all, assess how the reliability of the whole European procedure for generating Green Passes comes out of this.

The QR codes of the Green Passes (the squares with various black and white patterns inside them), which are shown to gain access to any place where the certificate is mandatory, are generated from various pieces of personal information that form a unique combination. These include the name and surname of the vaccinated person, the country of vaccination, the number of doses received, the date of administration, the institution that issued the Green Pass, the manufacturer of the vaccine administered, the total number of doses, the disease covered by the vaccine, the expiration of the code and the date of generation. This data is not encrypted: this is why people who share their QR code online expose their health data.

The encrypted part, the cryptographic key, is a string of numbers, letters and symbols that functions as a signature certifying that the QR code has not been forged. This type of encryption uses a so-called “asymmetric” algorithm: the private key kept by the entity that issued the certificate must match the key contained in the certificate itself. The apps that check the Green Pass verify that the two secret keys, that of the institution and that of the certificate, match correctly.

As explained by the IT journalist Paolo Attivissimo, in theory only authorized health organizations have the private cryptographic keys that allow them to generate valid Green Passes. But the fact that someone created a working Green Pass in the name of a historical figure who died over seventy years ago suggests that someone got hold of these keys and used them to produce a fake certificate. This is the hypothesis put forward in a discussion that took place on a specialized forum, Radiforums.

According to the first analyses of the fake Green Pass attributed to Hitler, the body that supposedly issued the certificate is the CNAM, the Caisse Nationale d’Assurance Maladie, the French equivalent of the Italian INPS. Since this information can also be forged, it cannot be ruled out that the cryptographic key of another entity was used.

Among other things, it is not clear whether the private keys came into the possession of cybercriminals who managed to gain access from the outside, or whether the perpetrators of this possible violation are operators of the body or bodies involved. “Whether it was a leak or at least an abuse of signature keys is not debatable, it is quite evident”, Stefano Zanero, professor of IT security and forensic IT at the Politecnico di Milano, wrote on Twitter.

To prevent anyone from generating a Green Pass, the immediate technical solution is relatively simple and consists in revoking the validity of the compromised keys and generating new certificates for all the people who had obtained the Green Pass from the infringing body. It will be more complex, however, to assess what the consequences of this possible violation will be on the reliability of the verification system and on the credibility of a tool that in Italy is indispensable for working, going to restaurants, entering stadiums, attending concerts and shows.
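
A minimal model of the signature check and the key revocation described above, added here as an illustration (it is not code from the article or from any verification app). Assumptions: Ed25519 stands in for the signature algorithm, the payload is plain JSON, the issuer ID "issuer-A" and the names are constructed sample values, and revocation is modelled as removing the issuer's public key from the verifier's trust list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Pass is a simplified certificate: a readable (unencrypted) payload plus the
// issuer's signature over it. Anyone who sees the QR code can read Payload.
type Pass struct {
	KeyID        string
	Payload, Sig []byte
}

// TrustList is what a verifier app holds: the public keys of trusted issuers.
type TrustList map[string]ed25519.PublicKey

// Issue signs the payload with the issuer's private key.
func Issue(keyID string, priv ed25519.PrivateKey, payload string) Pass {
	return Pass{KeyID: keyID, Payload: []byte(payload), Sig: ed25519.Sign(priv, []byte(payload))}
}

// Verify accepts a pass only if its issuer key is trusted and the signature matches.
func (t TrustList) Verify(p Pass) string {
	switch pub, ok := t[p.KeyID]; {
	case !ok:
		return "untrusted key"
	case !ed25519.Verify(pub, p.Payload, p.Sig):
		return "bad signature"
	}
	return "valid"
}

// Demo runs three checks using a constructed key for a hypothetical "issuer-A".
func Demo() (r [3]string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tl := TrustList{"issuer-A": pub}
	p := Issue("issuer-A", priv, `{"name":"Test Person","dob":"1900-01-01"}`)
	r[0] = tl.Verify(p)    // the signature proves who signed, not that the data is true
	p.Payload[9] ^= 1      // change one byte of the readable payload
	r[1] = tl.Verify(p)    // any edit made without the private key is detected
	delete(tl, "issuer-A") // revocation after a leaked or abused key
	r[2] = tl.Verify(Issue("issuer-A", priv, `{"name":"Honest Holder"}`))
	return
}

func main() { fmt.Println(Demo()) }
```

The third result shows why revocation forces reissuing: once the key is no longer trusted, every pass it signed is rejected, including those issued legitimately.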
