The former supreme leader of 1940s Germany would appear to be alive and well, if the European Union’s digital vaccination certificate program is to be believed. Actually, he’s doing better than “well” — he’s been vaccinated for covid-19.
Yeah, no, Hitler is still dead — don’t worry. But it would appear that someone has gotten their hands on the private cryptographic key used to certify digital covid-19 vaccination cards in certain European countries and has been forging bullshit certificates for real people.
Cybercriminals on the dark web were recently spotted selling access to what they claimed were forged digital vaccination certificates for $400 a pop. When asked by journalists what they were doing, one criminal provided them with a working vaccine certificate for Adolf Hitler. In addition to the former dictator, approved vaccine passports for “Mickey Mouse” and “SpongeBob Squarepants” were also apparently being hawked.
The fake but approved certificates were recently viewed by Bleeping Computer, which was able to verify that Hitler’s was still working, as of Thursday.
The fake certificates appear to have been sourced from some kind of compromise of the EU’s digital vaccination certificate program, which is Europe’s recently instituted effort to ensure that all citizens are vaxxed before they travel or attend most recreational events. Also called “Green Pass,” the certificate can be attained through a variety of methods — either via health agencies or testing centres, following vaccination — and is pretty much a requirement if you want to see a movie, eat at a restaurant, or do anything that involves fun. According to the European Commission, the pass contains “a QR code with a digital signature to protect it against falsification.”
However, it would appear that the private key responsible for validating those certificates has either been leaked or misused by someone with legitimate access to it.
When reached for comment by Threatpost, the European Commission told the outlet that the certificates were created by “by persons with valid credentials to access the national IT systems, or a person misusing such valid credentials.” They further added that this whole episode has been caused by “illegal activity and not by a technical failure.” Since it’s not super clear what any of that actually means, we reached out to the European Commission for clarification and will update this story if they respond.
If private cryptographic keys have, in fact, been leaked, it would pose a whole assortment of bureaucratic and public health challenges and could cause a lot of chaos in affected countries. With a fabricated certificate, unvaccinated people would largely be able to elude sensible health restrictions and, hypothetically, could pose substantial health risks to their communities. At the same time, a leak of this magnitude could force affected governments to rescind the legitimacy of particular vaccination certificates.
All that said, it’s not 100% clear yet what has happened or why these forged certificates are actually popping up. But, uh, so far this does not seem great.