EU Investigating Leak of Private Key Used to Forge Covid Passes
The private key used to sign EU Digital Covid certificates has been reportedly leaked and is being circulated on messaging apps and online data breach marketplaces.
The key has also been misused to generate forged certificates, such as those for Adolf Hitler, Mickey Mouse, Sponge Bob—all of which are being recognized as valid by the official government apps.
The Digital Covid certificate, or “Green Pass,” helps European Union residents travel across borders seamlessly by proving that they have either been vaccinated against COVID-19, received a negative test result, or recovered from COVID-19.
Valid ‘Adolf Hitler’ Covid certificate generated
This week, users reported seeing the private key for EU Digital Covid certificates circulating on messaging apps, like Telegram.
The private key is used to sign the “Green Pass,” the European Union’s equivalent of a vaccine passport and/or proof of negative COVID-19 status, which helps travelers cross borders seamlessly.
“On various groups (Telegram mainly) are circulating several forged Green Pass with valid signature… There is the possibility that a database of private keys is compromised and this may [end] up in a break of the chain of trust in the Green Pass architecture,” stated GitHub user Emanuele Laface.
Threat actors who can get their hands on the private key could easily forge digital certificates or QR codes that may then be recognized as ‘legitimate’ by the official government apps.
Such is the case for a fake Adolf Hitler Green Pass certificate, which is being recognized as valid by the official Verifica C19 apps, according to penetration tester reversebrain:
The penetration tester later reported that the forged certificates were no longer being recognized by the government’s Verifica C19 apps, indicating the leaked private key had been revoked.
However, tests by BleepingComputer conducted today reveal both the Android and iOS versions of the Verifica C19 app are still treating the QR code for the Adolf Hitler certificate as valid:
Additionally, forged certificates for “Mickey Mouse,” “Sponge Bob,” and other fictional characters were successfully recognized by the app, as seen by BleepingComputer.
EU vaccination passports on sale for $300
BleepingComputer also observed multiple users posting private keys on underground forums and discussing methods to “make EU green pass.”
“Recently the European Union is making the green pass mandatory for many activities, I see that there are several sites that can perfectly read the QR code by decrypting it, I wanted to know if someone is able to re-encrypt data and generate QR code in short, generate a false green pass,” asked one forum member.
Some traders are seen offering “Covid European passports with the entry as vaccinated in Poland,” each at a price of $300.
The QR codes contained in the EU Digital COVID Certificates include a digital signature to protect against their falsification. When the certificate is checked using the official apps, the QR code is scanned and the signature is verified.
The official government docs state that each issuing body, such as a hospital, a test centre or a health authority, has its own digital signature key. All of these private keys are stored in a secure database in each country.
It is also not clear whether the key compromise impacts every EU country or only issuing bodies from select countries.
According to the QR code data seen by BleepingComputer, the fake certificates circulating online have been issued from different countries—France, Germany, Italy, Netherlands, North Macedonia, Poland, and so on, indicating the issue could very well impact the entire EU.
EU Government aware and investigating the ‘malicious act’
BleepingComputer reached out to CERT teams of different EU nations and it seems the issue is being investigated:
“We are aware of alleged fraudulent manipulations of EU Covid Certificate QR code and have seen the reports,” an EU spokesperson told BleepingComputer.
“As a priority, we are following closely the developments of this incident and are in contact with the relevant member states authorities that are investigating and putting in place remedial actions.”
“We firmly condemn this malicious act, representing an interference in a sensitive and strategic area, at a time when health services in all Member States are under pressure fighting the pandemic.”
“The incident has no impact on the security and integrity of the EU Gateway managed by the Commission,” concludes the Commission in its statement to us.
The fact that anybody is able to forge cryptographically-valid COVID certificates brings into question the authenticity of even legitimate certificates issued by EU government bodies.
Should this be the case, the private key would need to be revoked by the government authorities for the entire EU, thereby invalidating both forged and legitimate COVID certificates.
As such, by the time the situation is resolved and the private keys are reset, holders of legitimate EU Digital Covid certificates will very likely need to generate fresh Green Passes.
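To make the verification and revocation mechanics described above concrete, here is an added example (not code from the article, the EU Gateway or the Verifica C19 app) of a verifier that accepts a certificate only when its issuer key id is still on a trust list and the ECDSA signature checks out. The certificate layout, key ids and claims are constructed stand-ins, not the real COSE/CWT Green Pass format; the example then shows what the article's last paragraphs explain: withdrawing a leaked issuer key invalidates every certificate it signed, genuine ones included.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert is a constructed, simplified stand-in for a Green Pass QR payload (the real format is a COSE-signed CWT).
type Cert struct {
	KID     string // identifier of the issuing body's signing key
	Payload string // claims such as holder name and vaccination status
	Sig     []byte // ASN.1 ECDSA P-256 signature over SHA-256(KID|Payload)
}

// TrustList maps key identifiers to the public keys a verifier app accepts.
type TrustList map[string]*ecdsa.PublicKey

func digest(kid, payload string) []byte {
	h := sha256.Sum256([]byte(kid + "|" + payload))
	return h[:]
}

// Issue signs a payload the way an issuing body (hospital, test centre) would.
func Issue(kid string, priv *ecdsa.PrivateKey, payload string) (Cert, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(kid, payload))
	return Cert{KID: kid, Payload: payload, Sig: sig}, err
}

// Verify accepts a cert only if its KID is still trusted and the signature checks.
func (t TrustList) Verify(c Cert) bool {
	if pub, ok := t[c.KID]; ok {
		return ecdsa.VerifyASN1(pub, digest(c.KID, c.Payload), c.Sig)
	}
	return false // unknown key, or one withdrawn after a leak
}

// Revoke drops a leaked key: every cert it signed, genuine or forged, stops verifying.
func (t TrustList) Revoke(kid string) { delete(t, kid) }

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trust := TrustList{"issuer-A": &priv.PublicKey} // constructed key id
	c, _ := Issue("issuer-A", priv, "name=Jane Doe;vaccinated=true") // constructed claims
	fmt.Println("genuine cert verifies:", trust.Verify(c))
	trust.Revoke("issuer-A")
	fmt.Println("same cert after revocation:", trust.Verify(c))
}
```

Running it prints `true` for the freshly issued certificate and `false` once the issuer key is withdrawn, which is why holders of legitimate passes signed by a leaked key would need new ones.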