ESET’s cybersecurity expert Marc-Étienne Léveillé has analyzed Quebec’s vaccine-proofing apps VaxiCode and VaxiCode Verif and found apps can be forced to recognize fake QR codes as valid.
His analysis came as last week, security researcher Ben Davis warned about the flaws in the QR code mechanism of Quebec’s Android app. Then a hacker group claimed to have obtained the codes of several politicians, including Premier Franois Legault. Also, a programmer showed Radio-Canada that it was to fool the app into giving proof of vaccination.
Léveillé found a problem in the iOS version of the app, but he says Android version likely uses identical code and therefore was also flawed. He couldn’t verify it was the same bug that was presented to Radio-Canada.
Over the last weekend, Léveillé notified the developers of the VaxiCode and VaxiCode Verif apps, Akinox, who fixed the issue a couple of days after that.
The link in the QR code relies on a specification known as the SMART Health Card, which is a standard developed by the Vaccination Credential Initiative and used to exchange information about a person’s vaccination status.
The SMART Health Cards specification was designed to allow for the possibility of multiple vaccine evidence issuers. The vulnerability lies in the lack of key validation.
“Akinox has chosen to include the Quebec government’s public key in VaxiCode and VaxiCode Verif. The application uses this key when the issuer is the Quebec government. However, the code to download third party issuer keys is still in the application, even though it is not required. Once a public key is downloaded, it is used to validate any other passport, without checking if it matches the content of the issuer field (iss),” explains Léveillé.
To verufy a fake vaccine passport, the attacker would first present their QR code and VaxiCode Verif would reject it, but also the application would download the attacker’s public key and add it to its trusted keychain. The attacker would then try the second QR code, which would then be accepted as legitimate by VaxiCode Verif.
“As a result of this analysis, I believe that, although VaxiCode Verif had some problems at its release, the technologies on which the system is based are solid,” Marc-Etienne Léveillé of ESET said on Tuesday.
“Quebec government may have missed a good opportunity to publish the source code of the applications it produced for the sake of transparency. The publication of the source code and its analysis by experts might have avoided scandals that could affect the public’s confidence since the whole population would have been able to check the security by itself,” said Léveillé.
However, the fact that the problem was fixed in just a few days shows that the parties want a secure system, noted the researcher.
