Falsification of EU vaccination passports. Leaked private key?

Fake vaccination passports are a highly sought-after commodity on the market. For some reason, people pay 300 to 400 euros for a fake certificate just to avoid a free vaccination. It has come to the point where anonymous vaccination centers are opening, where a person with a fake vaccination passport can go and get a real vaccine without revealing their real name. The situation is very strange. According to global statistics, residents of Russia (20% of the population) and the USA (19%) are the most opposed to vaccination. But there is also a problem in the European Union, especially in Germany (10%).

In October 2021, Italian sources reported the leak of a private key used to sign EU Digital COVID Certificates (EU vaccination passports).

Allegedly, the stolen key was distributed on underground forums, and as evidence fake certificates in the names of Adolf Hitler, Mickey Mouse and SpongeBob were presented. For some time such certificates were valid: they successfully passed verification in the official applications Verifica C19 (Italy), TousAntiCovid (France) and others. The authorities of France and Poland launched an investigation into the incident.

Other fake QR codes were published in a GitHub repository.

A few days later, a representative of the European Commission explained that in fact the private keys had not been compromised, and that these fake certificates were allegedly generated by “persons with valid authority to access national IT systems, or a person abusing such valid authority.”

You may or may not believe the representatives of the European Commission. But in any case, this incident underscores a trend of 2021 and the years to follow: the growing use of digital IDs by governments and state bodies. They deploy public key infrastructure (PKI) and public-key cryptography, but lack the technical expertise. Unfortunately, time, resources and skilled people are all limited. That is why such incidents occur.

Public Key Infrastructure (PKI) is based on several fundamental principles, one of which is:

The private key is known only to the owner

When a private key is compromised, which could affect thousands or even millions of users, it is very important to re-emphasize the need for proper key rotation, the foundation of any healthy key management practice.

GlobalSign reminds us that in our time it is no longer enough simply to manage keys. It is necessary to anticipate every way the situation may develop and be prepared for any potential disaster.

It is highly recommended to follow key management best practices, including key rotation and having an incident response mechanism in place for when a vulnerability in a cryptographic primitive is detected.
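As an added illustration of the rotation step (example code written for this article, not from any DCC project or verifier app): a verifier keeps a trust list keyed by key identifier (KID), and rotating a leaked key means withdrawing its KID from that list, so that anything signed with it, genuine or forged, is rejected, while a replacement key is published. The curve, the KID strings and the payload are assumptions, and the signature is plain ECDSA over a SHA-256 digest rather than the COSE structure of a real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// TrustList maps a KID to the public key a verifier accepts (assumed simplified stand-in for a verifier app's trust list).
type TrustList map[string]*ecdsa.PublicKey

// Signer holds one issuing key pair; the private half never leaves the struct.
type Signer struct {
	KID  string
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair (the curve behind ES256).
func NewSigner(kid string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{KID: kid, priv: priv}, nil
}

func (s *Signer) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign returns an ASN.1 ECDSA signature over the SHA-256 digest of payload.
func (s *Signer) Sign(payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, s.priv, h[:])
}

// Verify accepts payload only if kid is still trusted and the signature checks.
func (tl TrustList) Verify(kid string, payload, sig []byte) bool {
	pub, ok := tl[kid]
	if !ok {
		return false // withdrawn or unknown key: reject, whatever the signature says
	}
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Rotate withdraws a compromised KID and publishes its replacement.
func (tl TrustList) Rotate(compromisedKID string, replacement *Signer) {
	delete(tl, compromisedKID)
	tl[replacement.KID] = replacement.PublicKey()
}
```

After Rotate, Verify with the withdrawn KID returns false even for a signature that was valid before, which is exactly the behaviour a verifier app needs once a signing key is reported leaked.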

Public Key Infrastructure (PKI) is a reliable and proven design: a set of roles, procedures, policies and technologies required to create, manage, distribute, use, store and revoke digital certificates, which are used to secure communications, verify identity, and encrypt or sign data.

However, this structure is only as strong as its weakest link, so even the most careful precautions do not guarantee absolute safety. One wrong step and the house of cards crumbles.

And with the growing number of PKI certificates in use and ever-changing regulations, more and more companies are trying to do it right, yet sooner or later they may fall into a key compromise scandal through an oversight or a lack of knowledge.

In such a situation, the main thing is to recover quickly and restore the ecosystem. If you can restore the infrastructure quickly, it can literally turn you and your company from the victim of a hack into a hero, especially in the eyes of the media.

“They were able to get their systems back in no time” reads much better than “Their systems are still not restored after three weeks.” This does not negate the fact that a mistake was made, but it shows the company’s ability to solve a critical problem and limit the impact on the business. And this is the decisive element: how the company reacts to such incidents.

In the end, it will also save a decent amount of money by avoiding business downtime and brand damage.

The outgoing year 2021 has been one of the worst in human history. In this situation, the surest option is to hope for the best but prepare for the worst. It is important to have a clear plan of action in case of trouble, or to outsource the PKI infrastructure to those who run it professionally.

