The Strange Case of Spongebob's GreenPass

(To Marco Rottigni)
02/11/21

A couple of days ago, while I was having breakfast, I got a message on my smartphone that said: "Good morning. It seems that they have leaked the keys to create the green passes ...

If confirmed, it means that in theory anyone can produce valid GreenPasses."

The news immediately caught my attention and surfaced an alarming thought: if it were true, one of the most important control tools on which the post-pandemic plans for economic, social and human recovery are based would have been nullified!

A moment later came an even more terrifying second thought, only three words long: across Europe!

In the whirlwind of processes and interactions that fill my days, I tried to set aside some attention for the evolution of the story, which by noon had moved from the couple of online newspapers where it first appeared to the national news.

The proof offered was quite tangible: a QR code which, if validated with the official VerificaC19 app, returned a Green Pass valid for... Adolf Hitler, complete with a date of birth of 1900; the date is wrong, however, since the man in question was born in Austria in 1889.

The problem, beyond the prank, remained very serious: how was it possible that cryptographic keys valid for generating Green Passes had been stolen, when they should have been handled with absolute care by ministerial or governmental bodies, with processes dominated by security at the highest levels?

Fanciful reports, hypotheses, even some clearly implausible reassurances perhaps aimed at lowering the alarm level chased one another throughout the day, beginning to combine with echoes from abroad, where the problem appeared on well-known sites such as bleepingcomputer.com.

These sites also spoke of a probable theft, or in any case exfiltration, of private keys, which was all the more worrying given rumors that the stolen keys belonged to several Member States of the European Union.

The story spread further, together (fortunately) with the reaction of the operators, who proceeded to invalidate both the Green Pass in the name of Hitler and some other implausible ones generated in the meantime, such as the one for Spongebob Squarepants that I reproduce at the top of this post (blurred, editor's note), with corresponding proof of invalidation.

On the evening of the 28th, the "Ciao Internet" column by Matteo Flora on his YouTube channel offered a more plausible and, frankly, from a certain point of view more reassuring explanation: someone had found a way to abuse the keys.

More specifically, the abuse appears to have taken place through the dgca-issuance-web code, easily available because the European Union shares it on GitHub, combined with a valid signing key in the possession of a user.

The code in question is the program used to generate Green Passes, which are in all respects the digital equivalent of paper certificates of vaccination, swab test or recovery.

As with paper certificates, digital certificates must be signed to have any value. The signing process, unable to use a pen, uses a private digital key that is paired with a public digital key included in the certificate. This public digital key is what the verification checks in order to confirm that the certificate is genuine.

The somewhat improbable part, therefore, is the use of a valid private key, since signing keys are issued at a rate of one per nation.

To make matters worse, some countries, including Italy, could not simply invalidate a few certificates signed with the national key: they would have to invalidate the key itself, an operation that would require reissuing the millions of genuine, official and valid Green Passes issued so far and force their holders to request a new copy through the usual channels: the official website, pharmacies, and so on.

Around 13:40 on October 28th the matter evolved towards a further explanation. According to the site Il Disinformatico, in fact, at least six working access points had been identified to portals capable of generating a valid Green Pass in Preview mode, using fictitious data that is then not saved.

By saving that image, which represents a valid certificate, it is possible to generate the certificates with implausible owners that have appeared on the web. Once the image is saved, the operation can be safely cancelled, leaving no trace of the generation of a certificate that remains, in any case, valid.

What is happening therefore appears to be the result of a process vulnerability that is enormous in scope and size, which, combined with a human factor of dubious lawfulness, created the conditions to potentially undo one of the most successful processes for recovering from the devastating effects of the pandemic.

No theft of keys, therefore, at least as far as things have evolved so far.

Just poor digital hygiene in the implementation of an IT process.

This should make us reflect on an aspect that many cyber incidents have in common, including the one we are discussing.

The technology used to generate the Green Pass is certainly solid: it combines digital certificates, presentation of the information via QR code, which makes everything easy to use, and uniform acceptance and interoperable implementation across several states.

The flaw, the seriously vulnerable part, lies instead in the implementation process. There is very little that is technological here, because the issue concerns the management and security of a process.

From what has emerged so far, it is evident that serious mistakes were made at this stage.

One example is allowing the generation of a preview of the certificate that is valid in every respect, without making sure, for example, that the preview could only be checked by an application other than the one that would check the final version.
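The two points above, that a certificate is worth something only because of the private-key signature the verifier checks against a trusted public key, and that a preview signed with the same key is indistinguishable from a final certificate, can be shown in a few lines. The following Go program is an added example, not code from this post or from the dgca-issuance-web project; the `Certificate` fields, the key ids, the sample data and the `Preview` flag are all invented for the illustration (the real Green Pass schema has no such flag). It signs a payload with a P-256 key, verifies it against a list of trusted public keys as the checking app does, and then shows the mitigation: previews signed with a key the production verifier does not trust, or marked as previews inside the signed payload, are rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)
// Certificate is a simplified stand-in for the data in a Green Pass. The fields
// are invented for this example; Preview is a hypothetical mitigation flag.
type Certificate struct {
	Name    string `json:"name"`
	DOB     string `json:"dob"`
	Preview bool   `json:"preview,omitempty"`
}

// SignedCertificate is what the QR code would carry: payload, key id, signature.
type SignedCertificate struct {
	Payload   []byte
	KeyID     string
	Signature []byte
}

type Issuer struct {
	KeyID string            // id the verifier uses to look up the public key
	priv  *ecdsa.PrivateKey // one signing key, as a national backend holds
}

func NewIssuer(keyID string) (*Issuer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{KeyID: keyID, priv: priv}, nil
}

// Sign serialises the certificate and signs its SHA-256 digest (ES256-style).
func (i *Issuer) Sign(c Certificate) (SignedCertificate, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCertificate{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, i.priv, digest[:])
	if err != nil {
		return SignedCertificate{}, err
	}
	return SignedCertificate{Payload: payload, KeyID: i.KeyID, Signature: sig}, nil
}

// Verifier models the checking app: it trusts only the public keys on its list.
type Verifier struct {
	trusted map[string]*ecdsa.PublicKey
}

func NewVerifier(issuers ...*Issuer) *Verifier {
	v := &Verifier{trusted: map[string]*ecdsa.PublicKey{}}
	for _, is := range issuers {
		v.trusted[is.KeyID] = &is.priv.PublicKey
	}
	return v
}

// Verify accepts a certificate only if its key is trusted, the signature
// matches the payload, and the payload is not marked as a preview.
func (v *Verifier) Verify(sc SignedCertificate) (Certificate, error) {
	pub, ok := v.trusted[sc.KeyID]
	if !ok {
		return Certificate{}, errors.New("signing key not in trust list")
	}
	digest := sha256.Sum256(sc.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sc.Signature) {
		return Certificate{}, errors.New("signature does not match payload")
	}
	var c Certificate
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Certificate{}, err
	}
	if c.Preview {
		return Certificate{}, errors.New("preview certificates are not accepted")
	}
	return c, nil
}

func main() {
	prod, _ := NewIssuer("IT-prod-1")       // national production key
	preview, _ := NewIssuer("IT-preview-1") // key used only for previews
	checker := NewVerifier(prod)            // production app trusts only prod
	sample := Certificate{Name: "Spongebob Squarepants", DOB: "1999-01-01"} // constructed data
	// The flaw: a preview signed with the production key is a real certificate.
	flawed, _ := prod.Sign(sample)
	_, err := checker.Verify(flawed)
	fmt.Println("preview signed with production key accepted:", err == nil)
	// Mitigation: previews signed with a key the checking app does not trust.
	safe, _ := preview.Sign(sample)
	_, err = checker.Verify(safe)
	fmt.Println("preview signed with preview key rejected:", err != nil)
}
```

The point of the separate preview key is that nothing in the certificate image itself distinguishes a preview from a final pass; only the trust list of the checking app can, so the preview key must never be distributed to production verifiers, while the production key should only be reachable by the issuance step that actually persists and audits the certificate.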

Another example concerns the management of confidentiality.

If the issuance of a Green Pass belongs to an official government body and affirms an incontrovertible truth, like a notary certifying a deed of sale between two parties, it should have been restricted to traced, authorized operators, whose privileges are granted only on the basis of a specific authorization.

Not to mention that any application, before being put into production, should be tested and validated by security experts known as penetration testers. Their aim is to study the potential flaws of the application, but also the way it is used... and the potential ways it can be abused.

If all these steps had been carried out in advance and any weaknesses found had been properly remedied, today we would not have to deal with an incident.

More importantly, we would not even have to bear the costs of responding to this incident, which risk being truly devastating in economic terms and in terms of the credibility of a truly fundamental support tool for economic and social recovery.