fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

EU Investigating Leak of Private Key Used to Forge Covid Passes

EU Investigating Leak of Private Key Used to Forge Covid Passes

The private key used to sign EU Digital Covid certificates has been reportedly leaked and is being circulated on messaging apps and online data breach marketplaces.

The key has also been misused to generate forged certificates, such as those for Adolf Hitler, Mickey Mouse, Sponge Bob—all of which are being recognized as valid by the official government apps.

The Digital Covid certificate, or the “Green Pass” helps European Union residents travel across borders seamlessly by proving that they have either been vaccinated against COVID-19, received a negative test result, or successfully recovered from COVID-19.

Also Read: National Cybersecurity Awareness Campaign of Singapore: Better Cyber Safe than Sorry

Valid ‘Adolf Hitler’ Covid certificate generated

This week, users reported seeing the private key for EU Digital Covid certificates circulating on messaging apps, like Telegram.

The private key is used to sign “Green Pass,” European Union’s equivalent of a vaccine passport, and/or proof of negative COVID-19 status that can help travelers cross borders seamlessly.

“On various groups (Telegram mainly) are circulating several forged Green Pass with valid signature… There is the possibility that a database of private keys is compromised and this may [end] up in a break of the chain of trust in the Green Pass architecture,” stated GitHub user Emanuele Laface.

Threat actors who can get their hands on the private key could easily forge digital certificates or QR codes that may then be recognized as ‘legitimate’ by the official government apps.

Such is the case for a fake Adolf Hitler Green Pass certificate which is being recognized valid by the official Verifica C19 apps, according to penetration tester reversebrain:

The penetration testerlater reported, the forged certificates were no longer being recognized by the government’s Verifica C19 apps, indicating the leaked private key had been revoked.

However, tests by BleepingComputer conducted today reveal both the Android and iOS versions of the Verifica C19 app are still treating the QR code for the Adolf Hitler certificate as valid:

EU Digital Covid Certificate for Adolf Hitler recognized as valid
EU Digital Covid Certificate for Adolf Hitler recognized as valid (BleepingComputer)

Our tests were conducted via Verifica C19 app version 1.1.5, released October 19th on Google Play, and October 26th on the Apple App store.

Also Read: September 2021 PDPC Incidents and Undertaking: Lessons from the Cases

Additionally, forged certificates for “Mickey Mouse,” “Sponge Bob,” and other fictional characters were successfully recognized by the app, as seen by BleepingComputer.

EU vaccination passports on sale for $300

BleepingComputer also observed multiple users posting private keys on underground forums and discussing methods to “make EU green pass.”

“Recently the European Union is making the green pass mandatory for many activities, I see that there are several sites that can perfectly read the QR code by decrypting it, I wanted to know if someone is able to re-encrypt data and generate QR code in short, generate a false green pass,” asked one forum member.

Some traders are seen offering “Covid European passports with the entry as vaccinated in Poland,” each at a price of $300.

forum trade covid pass eu
Users trading keys and forged certificates on forums (BleepingComputer)

The QR codes contained in the EU Digital COVID Certificates include a digital signature to protect against their falsification. When the certificate is checked using the official apps, the QR code is scanned and the signature is verified.

The official government docs state that each issuing body, such as a hospital, a test centre, a health authority, has its own digital signature key. All of these private keys are stored in a secure database in each country.

But, it is also not clear if the key compromise impacts every single EU country or issuing bodies from select countries only.

According to the QR code data seen by BleepingComputer, the fake certificates circulating online have been issued from different countries—France, Germany, Italy, Netherlands, North Macedonia, Poland, and so on, indicating the issue could very well impact the entire EU.

EU Government aware and investigating the ‘malicious act’

BleepingComputer reached out to CERT teams of different EU nations and it seems the issue is being investigated:

“We are aware of alleged fraudulent manipulations of EU Covid Certificate QR code and have seen the reports,” an EU spokesperson told BleepingComputer.

“As a priority, we are following closely the developments of this incident and are in contact with the relevant member states authorities that are investigating and putting in place remedial actions.”

“We firmly condemn this malicious act, representing an interference in a sensitive and strategic area, at a time when health services in all Member States are under pressure fighting the pandemic.”

“The incident has no impact on the security and integrity of the EU Gateway managed by the Commission,” concludes the Commission in their statement to us.

The fact that anybody is able to forge cryptographically-valid COVID certificates brings into question the authenticity of even legitimate certificates issued by EU government bodies.

Should this be the case, the private key would need to be revoked by the government authorities for the entire EU, thereby invalidating both forged and legitimate COVID certificates.

As such, by the time the situation is resolved and the private keys are reset, holders of legitimate EU Digital Covid certificates will very likely need to generate fresh Green Passes.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us