
EU Investigating Private Key Leak in Forged COVID Passports

Francis Tuffy · Editor

According to reports on ‘threatpost’, ‘BleepingComputer’ and other online platforms, a private key used to sign EU Digital COVID Certificates has been leaked and is circulating on messaging apps and in online data-breach marketplaces.

The platforms claim that the key has also been misused to generate forged certificates, such as ones for Mickey Mouse and SpongeBob, both of which were being recognised as valid by the official government apps.

The Digital COVID Certificate, or ‘Green Pass’, is the European Union’s equivalent of a vaccine passport. It lets EU residents cross borders with minimal friction by proving that the holder has been vaccinated against COVID-19, has received a negative test result, or has recovered from COVID-19.

Users reported seeing the private key used to sign EU Digital COVID Certificates circulating on messaging apps such as Telegram.

Anyone holding such a private key can forge digital certificates and QR codes that the official government apps will recognise as ‘legitimate’, because the apps check the issuer’s signature rather than the plausibility of the data it covers.

That is what penetration tester ‘reversebrain’ reported for a fake Green Pass certificate that Verifica C19, the Italian government’s official app, was recognising as valid.

The penetration tester later reported that the forged certificates were no longer being recognised, suggesting the leaked private key had been revoked. However, tests conducted by ‘BleepingComputer’ after that found both the Android and iOS versions of the Verifica C19 app still treating the certificate’s QR code as valid. One plausible explanation for the discrepancy is that the apps were still checking against an older, locally cached copy of the trust list; a revocation only takes effect on a device once that list has been refreshed.

EU vaccination passports on sale for $300

BleepingComputer also observed multiple users posting private keys on underground forums and discussing methods to ‘make EU green pass’.

‘Recently the European Union has been making the green pass mandatory for many activities. I see that there are several sites that can perfectly read the QR code by decrypting it. I wanted to know if someone is able to re-encrypt the data and generate a QR code; in short, generate a false green pass,’ asked one forum member.

Some sellers were offering ‘COVID European passports with the entry as vaccinated in Poland’ at $300 each.

The QR code in an EU Digital COVID Certificate carries a digitally signed payload, and that signature is what protects the certificate against falsification. When a certificate is checked with one of the official apps, the QR code is scanned, the issuer’s public key is looked up, and the signature is verified. The contents are signed, not encrypted: anyone can read the data, and the signature is the only thing that ties it to an issuer.

Official government documents state that each issuing body, such as a hospital, a test centre or a health authority, has its own signing key. Each country keeps its issuers’ private keys in a secure database; only the corresponding public keys are published, via the EU Gateway, to the verifier apps.
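The signing and verification flow described above, together with the revocation-versus-cached-app discrepancy seen in the Verifica C19 tests, as an added example that is not part of this article and not code from any EU or national tooling. It builds a reduced COSE_Sign1 signature the way the DCC does (ES256 over the RFC 8152 Sig_structure, with the issuer’s kid in the protected header) using a hand-rolled CBOR encoder for just the types needed. The issuer, the claims text, the trust lists and the kid derivation (first 8 bytes of SHA-256 over the raw public point, where the real scheme hashes the issuer’s DER certificate) are simplifications for illustration, and the base45, zlib and QR layers are omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Minimal CBOR encoder: only the types the COSE Sig_structure needs, lengths below 256.
func cborHead(major byte, n int) []byte {
	if n < 24 {
		return []byte{major<<5 | byte(n)}
	}
	return []byte{major<<5 | 24, byte(n)}
}
func cborBstr(b []byte) []byte         { return append(cborHead(2, len(b)), b...) }
func cborTstr(s string) []byte         { return append(cborHead(3, len(s)), s...) }
func cborArray(items ...[]byte) []byte { return append(cborHead(4, len(items)), bytes.Join(items, nil)...) }

// es256Header is the COSE protected header {1: -7 (ES256), 4: kid} for an 8-byte kid,
// minus the kid bytes themselves: map(2), 1, -7, 4, bstr(8).
var es256Header = []byte{0xa2, 0x01, 0x26, 0x04, 0x48}

// sigStructure is what is actually signed (RFC 8152): ["Signature1", protected, h'', payload].
func sigStructure(protected, payload []byte) []byte {
	return cborArray(cborTstr("Signature1"), cborBstr(protected), cborBstr(nil), cborBstr(payload))
}

// kidOf is simplified to 8 bytes of SHA-256 over the raw public point (assumption);
// the DCC scheme hashes the issuer's DER certificate instead.
func kidOf(pub *ecdsa.PublicKey) []byte {
	sum := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return sum[:8]
}

type Sign1 struct {
	Protected, Payload, Signature []byte // COSE_Sign1: header (alg+kid), claims, ECDSA r||s
}

// Sign is the issuer side: ES256 over the Sig_structure, kid carried in the protected header.
func Sign(key *ecdsa.PrivateKey, payload []byte) (*Sign1, error) {
	prot := append(append([]byte{}, es256Header...), kidOf(&key.PublicKey)...)
	digest := sha256.Sum256(sigStructure(prot, payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return &Sign1{Protected: prot, Payload: payload, Signature: sig}, nil
}

// TrustList maps kid -> issuer public key, as pushed to the verifier apps.
type TrustList map[string]*ecdsa.PublicKey

// Verify accepts a message only if it declares ES256, its kid is (still) listed and the
// signature checks out; the claims are never inspected, so a forgery under a leaked key
// is indistinguishable from a genuine certificate. (A real verifier CBOR-decodes the header.)
func (tl TrustList) Verify(msg *Sign1) bool {
	if len(msg.Protected) != 13 || !bytes.Equal(msg.Protected[:5], es256Header) {
		return false // wrong algorithm or malformed header
	}
	pub, listed := tl[string(msg.Protected[5:])]
	if !listed || len(msg.Signature) != 64 {
		return false // unknown, or revoked, kid
	}
	digest := sha256.Sum256(sigStructure(msg.Protected, msg.Payload))
	r, s := new(big.Int).SetBytes(msg.Signature[:32]), new(big.Int).SetBytes(msg.Signature[32:])
	return ecdsa.Verify(pub, digest[:], r, s)
}

// Outcome is what the verifiers said at each stage of the leak scenario.
type Outcome struct{ BeforeRevocation, AfterRevocation, StaleCache, Tampered bool }

// RunScenario: an issuer key leaks and signs a forgery; the kid is then revoked upstream;
// a verifier with a refreshed trust list and one on its cached copy check the forgery again.
func RunScenario() (Outcome, error) {
	var out Outcome
	hospital, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed issuer
	if err != nil {
		return out, err
	}
	forged, err := Sign(hospital, []byte("Mickey Mouse, vaccinated")) // attacker, leaked key
	if err != nil {
		return out, err
	}
	kid := string(kidOf(&hospital.PublicKey))
	fresh, cached := TrustList{kid: &hospital.PublicKey}, TrustList{kid: &hospital.PublicKey}
	out.BeforeRevocation = fresh.Verify(forged)
	delete(fresh, kid) // revocation: the kid is dropped from the next published list
	out.AfterRevocation, out.StaleCache = fresh.Verify(forged), cached.Verify(forged)
	tampered := &Sign1{forged.Protected, []byte("Mickey Mouse, boosted"), forged.Signature}
	out.Tampered = cached.Verify(tampered) // claims edited without the key
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Printf("%+v %v\n", out, err)
}
```

Run it with `go run .`; the forgery is accepted before revocation and by the verifier still holding its cached list, rejected by the verifier that refreshed, and the tampered copy is rejected everywhere. Two things follow for anyone building or auditing a verifier: revocation is only as fast as the trust-list refresh on every device, and the signature check says nothing about whether the claims make sense, so a leaked issuer key makes Mickey Mouse a perfectly valid patient.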

It is also not yet clear whether the key compromise affects every EU country or only issuing bodies in certain countries.

According to the QR code data seen by BleepingComputer, the fake certificates circulating online claim to have been issued in several countries: France, Germany, Italy, the Netherlands, North Macedonia and Poland. That suggests the issue could affect the entire EU.

EU investigating the malicious act

BleepingComputer reached out to the computer emergency response teams of several EU countries, and the issue appears to be under investigation:

‘We are aware of alleged fraudulent manipulations of EU COVID Certificate QR codes and have seen the reports,’ an EU spokesperson said.

‘The incident has no impact on the security and integrity of the EU Gateway managed by the Commission,’ concluded the Commission.
