There is a flaw in the Green Pass: Swascan discovered it

by admin

Criminals and the managers of various businesses will find it easy to circumvent the green pass obligations, or even to turn them to their advantage by harvesting personal data. It is possible through a “simple change to the official app VerificaC19: anyone can do it and then use or distribute the modified version of the app, with the effect of being able to carry out various types of scams”, explains Pierguido Iezzi, founder of the cybersecurity company Swascan. He carried out a technical analysis to demonstrate the feasibility of the scam, which is possible because of the characteristics of the green pass QR code.

Recall that this “certificate” is a pass that will be mandatory from 6 August for many activities, such as eating indoors at a restaurant, attending matches or shows, and going to the gym; the pass requirement is already in force for travelling within Europe and returning to Italy without having to undergo swabs and quarantine.

The problem is that this system has a hole, and a big one, “that criminals and unscrupulous managers will surely hurry to exploit. This is always the case when something digital of a certain importance has a flaw”, adds Iezzi.

The modification of the app
By adding a single new line of code to the app, whose source is publicly downloadable by anyone, Swascan was able to create an app that looks exactly like the official one but differs from it in important ways. The company has provided a screenshot as proof of the change: the app accepted the pass of an elusive citizen named Topo Lino.


The risks
The modified app accepts any green pass, even a fake one. “In this way, the manager of a gym, restaurant, etc., can be in compliance with the regulatory obligations while in reality be accepting rigged passes”, explains Iezzi. There is no need to underline the problems this creates for public health and for those who, with legitimate passes, would frequent that place unaware of the scam in progress. “A clandestine market for illicit passes, and for the related apps that accept them, can arise,” he says. In fact, a market for fake passes already exists. And, considering the anti green pass demonstrations, with thousands of “no vax” protesters in the squares, it is easy to imagine a market for this possible scam. The other risk is the theft of personal data. Whoever uses the modified app can harvest all the data contained in the pass’s QR code.

The data contained in the QR code is the following:

  • Date of birth
  • Last name
  • Tax ID code
  • First name
  • Certificate ID
  • Country of vaccination
  • Number of doses administered
  • Vaccination date
  • Certificate issuer
  • Vaccine manufacturer
  • Vaccine product ID
  • Total number of doses (to be administered)
  • Disease targeted
  • Vaccine or prophylaxis type
  • JSON schema version
  • QR code issuer
  • QR code expiry date
  • QR code issue date

This data can be used for various scams, just as normally happens with cyber attacks aimed at stealing user data. Those exploiting the data could be the business managers, but not only them: also cybercriminals who might distribute the modified version of the app, aiming to circulate it in place of the authentic one. This is a scam technique already common on the Google and Apple digital stores, with alternative versions of official apps that carry malware or are aimed precisely at stealing personal data.


How to fix
“To avoid the problem it would have been enough to encrypt the QR code, but the authorities preferred to focus more on simplicity in spreading the green pass, putting the risks in the background”, explains Iezzi. It is not known whether there will be a remedy in the future; a mid-course fix would mean replacing all the passes already in circulation. We will probably have to live with the problem: users will need to be warned to be wary of VerificaC19 apps (taking care to install only the official one); authorities will have to check whether businesses are using modified versions, and whether their customers’ green passes are bogus, by checking them with the official app.
