Fake vaccine qr code github reddit

TestVac QR Core

This is a proof of concept (PoC) for creating a QR code system for proving that one has had a valid vaccination record (FHIR, see https://fhir.org).

Key features to demonstrate are

  1. Show that it is possible to sign or otherwise make values shown (such as I was tested negative on Thursday) somewhat tamper resistent.
  2. Data minimisation – show that it is possible to selectively disclose only certain fields (depending on context) — whilst keeping things such as digital signatures intact.
  3. Unlinkability – make it impossible (or hard) to use the data shared to track a holder (citizen) (e.g. by the verifier simply recording all signatures shown, or by the issuering hearing of validations).
  4. Show that this can by largely done off-line; not requiring a connection by the holder.

The cryptographic technologies are based on Camenisch-Lysyanskaya signatures and Zero Knowledge Proofs in general, and those of Idemix / Identiy Mixer (and IRMA.app) in particular.

A method similar to this example is also used to convey a negative test result in the CoronaCheck apps currently being built in The Netherlands. For more information about that code base can be found in the repositories https://github.com/minvws/nl-covid19-coronacheck-app-coordination, https://github.com/minvws/nl-covid19-coronacheck-cl-core, https://github.com/minvws/nl-covid19-coronacheck-app-android, https://github.com/minvws/nl-covid19-coronacheck-app-ios.

Context

This PoC is part of a wider piece of work to map, assess and curtail the privacy and security risks associated with the use cases for a citizen being able to prove vaccination or the veracity of a negative test result. This is driven by the anticipated need for a COVID-19 proof of vaccination requirement internationally. Note that there is currently no national requirement for such proof.

In particular, the risks and mitigations are explored for both paper-based and digital versions of possible implementations for a proof of vaccination or negative test.

This document explores the realm of possible technical implementation options and the social and legal requirements that constrain which of the technical implementations may be chosen. As such, this interplay defines the envelope within which realistic solutions are likely to fit.

Description

The aim for this project is to be able to show the whole process of how the proposed system might work. There are three main individuals: issuer, holder, and verifier.

  • The issuer is a medical institute that has provided the vaccine or negative test result, and has been certified by a government to hand out such certificates.
  • The holder is an individual who has been vaccinated or negatively tested.
  • The verifier is an individual or organization who would like to verify that the holder has been vaccinated or negatively tested.

There is already a standard medical message for immunization in HL7 (both v3 CDA and FHIR) which can be re-used also for COVID-19 purposes. We use the work that was done in nl-eHealth-experimental repository to produce a FHIR record that has been encoded as a protobuf. We use a subset of the FHIR record that is in the draft version of the WHO requirements.

The records are signed with a Camenisch-Lysyanskaya signature, which allows the proof to be presented in an unlinkable way by means of a Zero Knowledge Proof.

Goals

This project is a work in progress. Below if is high level overview of what has been done and what still is being worked on.

Done:

  • Unlinkability: The holder creates a new QR code to present on every scan. QR codes cannot be linked between usages, to the issuance event or to an individual, by the signature itself.

  • Fits in a QR, can be done offline for the holder

  • Can contain FHIR(ish) data

    • Have the FHIR data from the WHO minimal data sets

Work In Progress:

  • One can mask values ‘at will’ (selective disclosure)
  • Multi-country example code
    • Generate a QR code from citizen in country A and scan by country B.

To Run

To run this proof of concept code run the following command in the directory:

go run ./

Example Output:

Testing issuer/holder/verifier packages:1) generate a new public key for the issuer Issuer is: <NL Public Health demo authority> 2) generate a holder key Holder is: 30903407693653827065565507804231738797510415673574501887342270311011859500140 3) generate issuer nonce for this holder; and create the credential. sign and issue.4) Citizen (Holder) gets the issuer its public key (<NL Public Health demo authority>) to check the signature.5) Citizen (Holder) now goes into the wild * An Encounter happens! Citizen selects the disclosure level (*Level 0*) for the Verifier Citizen generates a unique/new QR code and holds it up. The QR code contains: UO515 HFQYO+BO02MVQ$904HVU+6R4.... (5.5bit / QR alphanumeric mode encoded) Got proof size of 1378 bytes (i.e. the size of the QR code in bytes) Verifier Scans the QR code to check proof against <NL Public Health demo authority> (public key of the issuer) Valid proof (signature was correct) for time: 1612879359 (unix seconds since epoch) FHIR level Computed Hash : 58e01505581caa107821700293446ebcf55c298b34caa652451d510acdb60f9a FHIR level Stored Hash : 58e01505581caa107821700293446ebcf55c298b34caa652451d510acdb60f9a so this record was not tampered with. * An Encounter happens! Citizen selects the disclosure level (*Level 0*) for the Verifier Citizen generates a unique/new QR code and holds it up. The QR code contains: H:0K5ZT-:0BC2HO/K2-GK4A%.OP+EH.... (5.5bit / QR alphanumeric mode encoded) Got proof size of 1378 bytes (i.e. the size of the QR code in bytes) Verifier Scans the QR code to check proof against <NL Public Health demo authority> (public key of the issuer) Valid proof (signature was correct) for time: 1612879359 (unix seconds since epoch) FHIR level Computed Hash : 58e01505581caa107821700293446ebcf55c298b34caa652451d510acdb60f9a FHIR level Stored Hash : 58e01505581caa107821700293446ebcf55c298b34caa652451d510acdb60f9a so this record was not tampered with. * An Encounter happens! Citizen selects the disclosure level (*Level 1*) for the Verifier Citizen generates a unique/new QR code and holds it up. The QR code contains: 1TP**GBYES5HSTOUGR/L2394165EL.... (5.5bit / QR alphanumeric mode encoded) Got proof size of 1390 bytes (i.e. the size of the QR code in bytes) Verifier Scans the QR code to check proof against <NL Public Health demo authority> (public key of the issuer) Valid proof (signature was correct) for time: 1612879359 (unix seconds since epoch) FHIR level Computed Hash : d8c6278ce528602ef58a7accd3e68dfaf6fdda8609fe8e2d58982cae2eca8d46 FHIR level Stored Hash : d8c6278ce528602ef58a7accd3e68dfaf6fdda8609fe8e2d58982cae2eca8d46 so this record was not tampered with. * An Encounter happens with a Border Guard! Citizen selects the disclosure level (*Level 2*) for the Verifier Citizen generate a unique/new QR code and holds it up. The QR code contains: 8..7-**:T3SQTHWZWR-1FQ2A+83/JH.... (5.5bit / QR alphanumeric mode encoded) Got proof size of 1399 bytes (i.e. the size of the QR code in bytes) Verifier Scans the QR code to check proof against <NL Public Health demo authority> (public key of the issuer) Valid proof (signature was correct) for time: 1612879359 (unix seconds since epoch) FHIR level Computed Hash : 5ccd2e0f0accc1ad0051b317bdf2d222f757e7fc443e4c8db202d242a7115569 FHIR level Stored Hash : 5ccd2e0f0accc1ad0051b317bdf2d222f757e7fc443e4c8db202d242a7115569 so this record was not tampered with.

As provinces and employers across Canada increase restrictions on the unvaccinated or introduce vaccine passports, cybercriminals are attempting to cash in by offering fake vaccination certificates for sale online.

Sellers are offering phoney proof-of-vaccination documents for several provinces that apparently look just like the real thing. Some of them even claim to be able to enter the data from the fake certificates into official government databases.

Prices and promises vary, according to offers viewed by CBC News on platforms like Telegram. One seller is offering fake proof-of-vaccination cards or QR codes for several provinces — including Manitoba and B.C. — for $200, payable in Bitcoin or Ethereum cryptocurrencies. They promise to deliver the fake documents within 48 hours by mail or in ”just a few hours” if they’re being sent electronically.

Just minutes after CBC News reached out to the seller, they sent a picture of an Ontario proof-of-vaccination form that appears to be identical to those being issued by many Ontario vaccination clinics. Photos posted online by the seller of fake proof-of-vaccination documents for B.C and Manitoba also mirror official documents.

The seller boasted that information on the bogus cards is entered in provincial databases.

Protesters gather to protest COVID-19 restrictions including the new B.C. vaccine card outside of Vancouver City Hall on Sept. 8, 2021. (Maggie MacPherson/CBC)

Another seller claimed to be based in Montreal. His channel, which was being followed by 320,065 subscribers when it was viewed by CBC News, included offers of fake proof-of-vaccination from several jurisdictions around the world — and featured photos of an Alberta proof-of-vaccination certificate that resembles the real one.

There is no way to know how many fake vaccination documents are in circulation in Canada.

Provincial health authorities call into question sellers’ claims that they can ensure the fake vaccination data is inserted into government databases.

Provinces say they’re protecting their data

Marielle Tounsi, senior public affairs officer for British Columbia’s ministry of health, said the province has taken steps to protect the integrity of its vaccine card by using QR codes in addition to government-issued photo ID.

“There is a review process to confirm the validity of records that are uploaded online,” Tounsi said. “This helps to ensure that only valid records are recorded in the provincial system.

“Each record submission is reviewed and validated by qualified reviewers that verify the information. Any records that require additional validation are escalated for further review. Any suspicious activity from this review is referred to Information Security and would be reported to the appropriate authorities.”

Manitoba’s health department says data must be entered into the provincial PHIMS database by government officials, based on an individual’s address and immunization record. Anyone unvaccinated in Manitoba who enters a space where vaccination is required, or attempts to, can face a fine of $1,296.

Ontario Health Ministry spokesperson Bill Campbell said more than 80 per cent of Ontario residents over 12 years old already have received two doses and will have access to a secure certificate.

“In addition to the secure watermarked certificate available for download, QR codes will be available in October,” said Campbell.

Protesters outside of Foothills Hospital in Calgary hold signs comparing vaccine passports and other health measures to genocide. (Axel Tardieu/Radio-Canada)

Campbell didn’t address the question of whether someone could enter fake vaccination data in the provincial database. He did point out that providing false or inaccurate information to a business about vaccination status could result in a ticket for $750 or a penalty of up to $100,000 and up to a year in jail.

Cyber security experts say they are seeing a sharp increase in the number of offers of fake vaccine certificates in places like Telegram and the dark web — from people who claim to be able to enter the bogus data into official databases.

Liad Mizrachi, senior researcher with Check Point Software Technologies, looked into some sellers’ claims that they have access to the European Centre for Disease Prevention and Control’s website of vaccinated people across Europe and can register their customers there.

“The sellers then send false documentation from a fake European Centre for Disease Prevention and Control website, which might convince unwitting border officials or venue staff that a person is genuinely registered as fully vaccinated, which is clearly not the case,” Mizrachi told CBC News. “Our CPR team discovered this through a URL embedded in a QR code, which shows a link to the fake database.”

Mizrachi said governments around the world should come together on a unified global database to verify legitimate vaccination certificates.

“Not only do unvaccinated people have easy and cheap access to forged documents, but those documents now appear to link to credible-looking websites, making it even easier for fraudsters to slip through the net,” he said.

WATCH: Expert warns of a “dramatic uptick” in websites offering fake vaccination documents

Number of sites on the dark web offering fake vaccine passports for sale is rising, says expert

Duration

1:04

Robert Falzon, head engineer at Check Point Software Technologies Canada, says there has been a ‘dramatic uptick’ in sites selling fake vaccine documentation

Robert Falzon, head of engineering at Check Point Software’s Canadian office, said the company first saw offers to sell fake vaccination certificates emerge in the United States but has since seen ”a dramatic uptick” in such offers in Canada.

He said Canada’s decentralized approach — with each province running its own proof-of-vaccination system — has created an opening for the sellers.

“From a health care perspective, we’ve seen a sort of patchwork approach to how each of the provinces are going to address it,” he said. “And because of that, again, it’s created an opening … for various different groups across Canada to set up and specialize.”

Falzon said sellers on the dark web want to maintain their reputations for delivering on the promises they make.

“The dark web marketplaces, they’re just like a regular store in a lot of ways. They have reviews and they’re also trying to continue to do business for other things,” he said. “So you’ll find people leaving reviews for drug purchases and weapons purchases and saying this person was a wonderful seller and so forth.”

Using fake documents as bait

Derek Manky is the Vancouver-based chief of insights and global threat alliances at Fortinet’s FortiGuard Labs, a cybersecurity firm. He said his company is also seeing attempts on the dark web to lure people with offers of fake vaccination documents, targeting different regions in different languages.

“What we’re seeing on these marketplaces are a variety of services, including everything from as cheap as $5 for just selling essentially stock paper. So, fake blank vaccine passports in the U.S., as an example,” he said.

“We’re seeing things in Canada targeted for about $50 for harvested or stolen QR codes with people’s real identity on them, saying, ‘We’ll give you this for cheap for $50, but you have to create your own fake ID when you’re going in to verify.'”

WATCH: Expert warns of ‘nefarious sites’ luring the unwary with fake vaccination documents

Canadians should take care when visiting unknown online sites or links, says expert

Duration

0:58

Cyber security expert Derek Manky says some sites are used to gather personal information and it’s important for Canadians to have safeguards in place when coming across unknown sites or links.

Manky said his company has seen fake double-dose vaccine documents being offered in Canada at prices as high as $1,000 by sellers who claim the data will be entered into a national database.

Manky said cybercriminals should never be trusted and the risks involved in trying to buy fake vaccination certificates online are high.

“These are nefarious sites,” Manky told CBC News. “They’re phishing for information. They’re trying to infect you with pieces of malware so they can hold you for ransom, as an example. It can quickly spiral out of control.”

Police and health officials have reported very few cases of Canadians being caught with fake vaccination documents.

Jeff Thomson, senior RCMP intelligence analyst at the Canadian Anti-Fraud Centre, said the centre has received just four reports about false vaccination documents since July 1 — one anonymous report about a website selling fake certificates, one about fake certificates being sold on Instagram and Snapchat, one about a website selling vaccine and mask exemption paperwork and one case of a person approached on Facebook by someone with the same name asking if they were willing to sell their vaccination QR code.

If someone paid for a fake vaccination certificate and didn’t receive one, they would be unlikely to file a complaint with the anti-fraud centre, Thomson said.

Tammy Jarbeau, senior media relations adviser for Health Canada and the Public Health Agency of Canada (PHAC), said that as of Sept. 14, seven fines have been issued for falsified or fraudulent COVID-19 test results and two fines have been issued for suspected falsified or fraudulent vaccination documents presented at a point of entry to Canada.

“In addition, there are many cases that are still under investigation and are awaiting outcome,” Jarbeau wrote. “PHAC may also refer a case to police in the jurisdiction involved, with regard to potential criminal charges.”

Jarbeau said fines have been issued in British Columbia and Ontario for falsified documents and referrals have been made to police in Ontario and Alberta.

Elizabeth Thompson can be reached at [email protected]

Written by Jane