France and Poland open probe into Hitler and Spongebob health passes
EU vaccination certificate were created under the fake names after individuals gained access to the cryptographic key used to verify the passes
It is thought that the creation of the fake certificates was enabled by an insecure portal in North Macedonia Pic: rarrarorro / Shutterstock
[Article updated on November 2 at 08:17]
A security breach thought to have begun in North Macedonia has enabled the creation of European Covid vaccination certificates created under fake names including Adolf Hitler and Spongebob Squarepants.
Some of the falsified passes seem to have been approved by authorities in France and Poland, who have now begun investigating the incident.
A spokesperson for the European Commission said on Friday (October 29) that it was aware of apparently fraudulent manipulations of the European Covid certificate QR code, which is presented in France through the TousAntiCovid app.
Since Wednesday, internet users had been claiming on forums and social media platforms to have access to secret cryptographic keys that could be used to certify a health pass.
A cryptographic key is a string of characters which contains specific information but uses an encryption algorithm to alter it so it appears to be random. In this way, it ‘locks’ up the data so only certain individuals or programmes can decrypt it.
Cybercriminals on the dark web were also recently found to be selling access to forged EU vaccination certificates for $300, proving their functionality by producing health passes for names such as Adolf Hitler and Spongebob Squarepants.
The European Commission stated that real people’s private cryptographic keys had not been compromised and said that the fake passes were the result of “illegal activity” rather than a system failure.
The Commission’s statement said that the certificates were apparently generated “by persons with valid credentials to access the national IT systems, or a person misusing such valid credentials.”
Experts also believe that the breach could have been made through unprotected internet portals in North Macedonia, where a lack of security allowed for the creation of various fraudulent QR codes.
To stop this, the EU states which are members of the eHealth network have “blocked the fraudulent certificates so that they will be considered as invalid by verification apps,” and the Macedonian portal has been deactivated.
The origin of some certificates remains a mystery to officials, especially as certain passes appear to have been verified by the French and Polish authorities, suggesting complicity on the part of a health professional.
The two countries have therefore launched an investigation.
This is not the first time that France has faced issues with the system which creates its vaccination certificates. In September, the QR codes of President Emmanuel Macron and of Mayor of Le Havre and former prime minister Édouard Philippe were shared on social media.