An apparently functional EU Digital Covid Certificate bearing the name of Adolf Hitler circulated online this week before being invalidated. The incident raises questions about the security of the ‘vaccine passport’ system.
A QR code appeared online on Tuesday and, when scanned with several verification apps, revealed a working EU Digital Covid Certificate bearing the name “Adolf Hitler,” born on January 1, 1900. Several versions of the code were then noticed on tech forums, some with the name capitalized, others with a different birthday. But all would have granted the Führer access to any indoor event off-limits to the unvaccinated.
The story was picked up by the Italian media, but it is unknown where the security keys necessary for generating Hitler’s QR code actually came from. Il Post reported that Hitler’s pass had been issued with a key from France, but noted that this information could also have been forged.
The Europe-wide Covid pass system works by pairing a public key (contained in the QR code and visible to anyone scanning the code with an app) with a private key (held by hospitals or other healthcare providers). Venues checking the validity of someone’s Covid pass scan the code and receive a green tick if it matches the private key, or a red cross if not.
As of Wednesday afternoon, the private key used to verify Hitler’s pass had been revoked, but a Polish user on one tech forum still claimed to be selling working certificates, as did some posters on the so-called ‘dark web.’
Whether the private key used to validate Hitler’s pass was stolen or leaked remains a mystery. Alternatively, a healthcare employee with access to the private key could have generated the fake certificate for the Nazi leader.
Leaked or stolen keys present a serious problem for the EU’s Covid certificate system. Any number of passes can be generated based on a single private key, meaning that revoking one of these keys would invalidate any pass based on it, real or fake. Re-certifying hundreds or even thousands of passes at a time could harm public confidence in the system, which is already unpopular in some countries.
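The revocation trade-off described above can be shown in a short Python model. This is an added example, not code from the article or from the EU certificate system. It assumes a signer holding a private key and a verifier holding the matching public value, uses toy textbook RSA as a stand-in for the real signature scheme, and all names (`kid-A`, `kid-B`, `toy_keypair`, the holders) are hypothetical and constructed.

```python
import hashlib, json

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes. Toy only: no padding, small modulus."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(payload, n):
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(kid, key, payload):
    """Issuer side: sign the payload with the private exponent."""
    return {"kid": kid, "payload": payload,
            "sig": pow(digest(payload, key["n"]), key["d"], key["n"])}

def verify(cert, trust_list, revoked_kids):
    """Verifier side: needs only public moduli and the revoked key ids."""
    kid = cert["kid"]
    if kid in revoked_kids:
        return "revoked-key"
    n = trust_list.get(kid)
    if n is None:
        return "unknown-key"
    ok = pow(cert["sig"], E, n) == digest(cert["payload"], n)
    return "valid" if ok else "bad-signature"

# Constructed keys (built from Mersenne primes) and constructed holders.
KEY_A = toy_keypair(2**127 - 1, 2**89 - 1)
KEY_B = toy_keypair(2**107 - 1, 2**61 - 1)
TRUST = {"kid-A": KEY_A["n"], "kid-B": KEY_B["n"]}

genuine_a = issue("kid-A", KEY_A, {"name": "Constructed Holder 1", "dob": "1980-05-17"})
# Same key, misused: the signature is mathematically as good as a genuine one.
misused_a = issue("kid-A", KEY_A, {"name": "Constructed Fake", "dob": "1900-01-01"})
genuine_b = issue("kid-B", KEY_B, {"name": "Constructed Holder 2", "dob": "1975-11-02"})

def statuses(revoked):
    """Verification result for each sample pass under a given revocation set."""
    return [verify(c, TRUST, revoked) for c in (genuine_a, misused_a, genuine_b)]

if __name__ == "__main__":
    print("before revocation:", statuses(set()))
    print("after revoking kid-A:", statuses({"kid-A"}))
```

Revoking `kid-A` rejects the misused pass and the genuine pass alike, while passes under `kid-B` are unaffected, which is why a single compromised signing key forces re-issuance of every pass it ever signed.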
Hitler is not the first high-profile name to get a fake Covid certificate. Earlier this month a French teenager was arrested when he attempted to enter a hospital using the health-pass data of President Emmanuel Macron. The French president’s public data had leaked online, meaning anyone could use his QR code as their own and the code would read as valid. However, it would be immediately obvious to an official checking the code in person that the user was not, in fact, the president.