A series of security breaches in the European Union’s vaccine passport system has resulted in fraudulent health passes being awarded to the likes of Spongebob Squarepants, Adolph Hitler, and Mickey Mouse.
A European Commission spokesman admitted the flaw in the vaccine passport system on Friday, saying that Brussels is aware of “alleged fraudulent manipulation of the QR code of the European Covid certificate”.
On Wednesday, internet users claimed to have access to the supposedly secure cryptographic keys used to generate the QR codes for the bloc’s vaccine passport, also known as the Digital Green Pass.
In order to poke fun at the security flaw, some sleuths generated health passes with fanciful names such as SpongeBob SquarePants and Adolph Hitler, France’s La Chaîne Info reported.
One of the breaches in the system is believed to have originated from a web portal in North Macedonia, which although not part of the European Union has been integrated into the vaccine passport system since August.
To stop further breaches, EU member states participating in the vaccine passport system have agreed to “block the two fraudulent certificates so that they are considered invalid by verification applications” and to shut down the Macedonian web portal, which is believed to have lacked the standard security protocols.
A cryptography expert at France’s National Institute for Research in Digital Science and Technology (Inria), Gaëtan Leurent said that the Macedonian portal was able to be identified because “each country has one or more signatures, and in each pass, we find the key by which it was signed”.
Leurent added that it is critical that each server with the ability to sign off on the creation of vaccine passports must be properly secured for the system to work.
Yet, the security flaws within the health pass system are believed to extend beyond North Macedonia, with some fake passports, including one generated for Mickey Mouse, appearing elsewhere. The Disney icon’s health pass appears to have been created in France and others are said to have been forged in Poland.
It is thought that for these passports to have been generated, health officials in the countries would have had to have been involved in their creation. In response, authorities in Paris and Warsaw have opened up investigations.
The security of vaccine passports in France has already come into question, with the personal vaccine passports of President Emmanuel Macron and Prime Minister Jean Castex’s both being leaked online last month.
While the latest security breaches do not appear to have compromised any citizen’s data, concerns have been raised over the EU and other governments being able to keep such information private.
In an interview with Breitbart London in March, DeleteMe CEO Rob Shavell said: “Time and time again governments say that they are providing a data service to their citizens and claim that it will be protected, but what we see is this information ending up in data profiles available on Google searches.”
The privacy expert explained that “the systems we have are too complicated and once that data gets digitised and out there and replicated in the country’s database that you are travelling to, with its own set of privacy protocols, you are looking at an expanding universe” of data that is impossible to secure.
Follow Kurt Zindulka on Twitter here @KurtZindulka