Unidentified scammers are selling Green Passes (certificates required for travel and access to many public places and events in the European Union) on hacker forums and in Telegram channels. To demonstrate their capabilities and attract potential customers, they created a Green Pass issued in the name of Adolf Hitler. Perhaps most disturbing, the QR code passes app verification as valid. This raises a number of questions, which we will try to answer in this post.
What is Green Pass?
Green Pass is a certificate that verifies that its owner was vaccinated, recently recovered from COVID-19, or received a negative test result no more than 48 hours ago (for a rapid test) or 72 hours ago (for a PCR test). The certificate contains a QR code that can be validated with an application. Green Pass is a standard document in the countries of the European Union and in some others, including Israel (where it was initially developed), Turkey, Iceland, Ukraine, Switzerland, and Norway.
Usually, medical institutions issue Green Pass certificates. Depending on the country, a Green Pass may be required for travel; for visiting bars, restaurants, museums, and public events; in educational institutions; and even for work. The Green Pass also exists in paper form, but most often it is an application that displays a QR code to verify the certificate.
How attackers can sign fake certificates
Some shady traders on the Internet, and in Telegram channels in particular, are selling forged Green Pass certificates apparently issued by health services in Poland or France. Several theories could explain how they succeeded. According to one, criminals somehow got hold of a secret cryptographic key that enables them to issue such certificates. If that’s the case, the legitimate Green Pass certificates will probably have to be reissued.
According to another theory, the sellers have accomplices in France’s and Poland’s healthcare systems. In that case, reissuing the cryptographic key is unlikely to help — law enforcement agencies will have to find the insiders.
Updated on November 2, 2021: According to the latest information from European Commission representatives, the incident wasn’t caused by a cryptographic issue with the generation of the certificates, or with the storage of the signing keys. Most likely, “persons with valid credentials to access the national IT systems, or a person misusing such valid credentials,” created the fake certificates.
Is the entire Green Pass system compromised?
For now at least, the Green Passes most EU countries issue remain as legitimate as before. Only certificates issued in Poland and France are under suspicion.
Will Green Pass certificates issued in Poland and France be revoked?
EU authorities are conducting investigations. In the worst-case scenario, Poland and France will have to reissue certificates, but not necessarily all of them. If the malefactors cannot manipulate issue dates, then only some will have to be replaced.
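The stolen-key and insider theories, and the revoke-or-reissue question above, come down to what a verifier actually checks. The toy verifier below is an added example, not code from the Green Pass system or from the original post: the record fields, issuer name, and keys are constructed, and HMAC-SHA256 stands in for the real public-key signature.

```python
import hashlib
import hmac
import json

# Constructed demo data. HMAC-SHA256 stands in for the issuer's public-key
# signature so the example needs only the standard library.
TRUSTED_KEYS = {"issuer-A": b"demo-key-v1"}  # verifier's trust list
REVOKED_IDS = set()                          # per-certificate revocation list

def issue(cert_id, holder, issued, issuer="issuer-A"):
    """Issuing system: signs whatever record an authorized operator enters."""
    record = {"issuer": issuer, "id": cert_id, "holder": holder, "issued": issued}
    payload = json.dumps(record, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_KEYS[issuer], payload, hashlib.sha256).digest()
    return {"payload": payload, "sig": sig}

def verify(cert):
    """Verifier app: trust list, then signature, then revocation list."""
    record = json.loads(cert["payload"])
    key = TRUSTED_KEYS.get(record["issuer"])
    if key is None:
        return "untrusted-issuer"
    expected = hmac.new(key, cert["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return "bad-signature"
    return "revoked" if record["id"] in REVOKED_IDS else "valid"

def demo():
    out = {}
    honest = issue("A-0001", "Real Patient", "2021-09-01")
    # Misused credentials: the record is false, the signature is genuine.
    bogus = issue("A-0002", "Invented Name", "2021-10-20")
    out["before"] = (verify(honest), verify(bogus))
    # Response 1: revoke only the certificate identified as fraudulent.
    REVOKED_IDS.add("A-0002")
    out["after_revocation"] = (verify(honest), verify(bogus))
    # Response 2: replace the signing key. Every earlier pass now fails,
    # honest ones included, and must be reissued.
    TRUSTED_KEYS["issuer-A"] = b"demo-key-v2"
    out["after_key_change"] = (verify(honest), verify(bogus))
    # With access to the issuing system intact, a false record signs again.
    out["insider_after_key_change"] = verify(issue("A-0003", "Invented Name", "2021-11-01"))
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Revocation removes only the identified certificate, while a key change invalidates every earlier pass yet does nothing about continued access to the issuing system.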
Can you buy a fake Green Pass?
Well, there’s nothing stopping you from spending your money. However, visiting EU countries with a fake certificate is not a good idea. For one thing, the fake certificates will be revoked, and although you’d most likely just lose some money, it is also possible that customers will be caught in the same law-enforcement net as the forgers. With a fake Green Pass, you have a good chance of winning a long conversation with European law enforcement agents.
We have reason to believe this is far from the last fraud scheme regarding the Green Pass system. Various scams will most likely appear quite soon. However, this incident will also draw more attention from law enforcement agencies. For that and other reasons, we do not recommend getting a Green Pass from anywhere but an official European medical institution.