The Security of the QR codes in the Quebec vaccine passport app has been called into question.
In Quebec, residents will be required to produce proof of vaccination starting September 1st when entering businesses considered non-essential by the province, such as pubs, clubs, and restaurants. Vaccinated residents are provided with QR codes by the Health Ministry to prove their vaccination.
Apple devices will be able to run the vaccine passport system in Quebec by using the applications VaxiCode Verif for businesses and VaxiCode for consumers. Android versions are scheduled to arrive later this week.
But even without getting to the civil liberties and privacy issues surrounding the vaccine passports, there’s another problem.
Quebec’s mobile verification system for vaccine passports has been found to have many security flaws after research by security analysts and hackers.
QR code readers such as VaxiCode Verif check the authenticity of QR codes by scanning the data from the code, including a cryptographic signature. That reader will scan QR codes uploaded to VaxiCode, paper versions of codes, as well as snapshots or PDF files of codes.
A computer programmer heard the provincial minister for digital transformation declare on Tuesday that QR codes “cannot be falsified, modified or copied,” and he saw it as a challenge to try to test the security of the app.
It has been reported by CBC that Louis, the programmer in question, was able to manufacture a false vaccination certificate for a nonexistent individual.
He stated, “There’s always a flaw, it’s just a matter of being patient enough to find it.”
It appears that the non-existent proof was able to deceive VaxiCode Verif, the companion application that is designed to help businesses verify documents, after being placed in the app.
The Journal de Montréal also reports that hackers were able to obtain the QR codes of Premier François Legault, Mayor Valérie Plante, Quebec Health Minister Christian Dubé, as well as provincial opposition leaders Dominique Anglade and Gabriel Nadeau-Dubois.
According to the Journal, the hackers also gained access to the vaccination certificate of Éric Caire, the minister in charge of strengthening the security of the vaccination passport system; he is the same minister that stated that the QR codes could not be “falsified.”
Caire responded that the province may subsequently make it more difficult to obtain QR codes.
“We will discuss it with the health minister, we will weigh the inconveniences and if we have to make obtaining the QR code more complex, well, we will do it,” he said.
“But what I’m saying is, this [added] complexity, it will also be there for people that would want to get it for legitimate reasons. And that would possibly mean limiting the use of the QR code, and that’s not what we want.”
Regardless of whether someone created a fake QR code, the minister says that they must still produce picture identification before going anywhere that requires a vaccination passport. He did not address, however, whether a fake QR code could be associated with a legitimate name, permitting the person to enter clubs, restaurants, gyms, and other establishments without adequate vaccinations.
Who could have guessed?