Error found in implementation of verification method of Quebec COVID Passport App

A flaw in Quebec's VaxiCode Verif COVID-19 Vaccine Passport app poses the risk of not publishing the source code for external scrutiny before a government-backed application is released, a risk-averse researcher says.

"The Quebec government has missed a good opportunity to publish the source code of applications that are bred for transparency," ESET's Marc-Tien Leville said in a column on Tuesday. “After all, there is nothing to hide and nothing secret about these applications. The rapid discovery of flaws has shown that analysis by a large number of experts improves the security of this type of application. Source The publication of the Code and its analysis by experts would have avoided scandals that could affect public confidence, as the entire population would have been able to check security on their own.

Their analysis comes after two incidents last week that suggested vulnerabilities in security in the app's QR code mechanism, which was used to link provincial government URLs to an individual's vaccine health record. A Montreal newspaper said a group of hackers claimed they were able to obtain the QR codes of Premier François Legault and other politicians. Separately, a computer programmer was able to show Radio-Canada that it was easy to fool the app into giving a fake person proof of vaccination.

Leville found a problem with the iOS version of the app, though he couldn't verify that it was the same issue that caused those issues.

Over the weekend he informed the app's developer, Akinox, which fixed the flaw in an update to the iOS version of the app (v 1.0. Leville hasn't analyzed the Android version. But he noted that VaxiCode and VaxiCode are part of the Verif Expo framework. Which allows iOS and Android apps to be built using the same source code, so let's assume that the applications on both platforms are probably identical.

Leville's discovered flaw allowed the application to force it to recognize non-government-issued QR codes as valid.

The URL contained in the QR code uses the Smart Health Card (SHC) specification that defines the format created by the Immunization Certificate Initiative earlier this year for the exchange of information about an individual's vaccination status.

The SHC protocol requires a digital signature for verification. Digital signatures are based on asymmetric cryptography, which means that a private and public key pair is used. The Quebec government's server issues the private key for this app. The public key verifies that the signing has been done with the private key. The Smart Health Card specification was designed to account for the possibility of multiple vaccine evidence issuers because each country or region that adopts the standard would have to issue its own pair to sign and verify a passport. This way one app can be used in multiple jurisdictions.

Akinox contained the public key of the Government of Quebec in VaxiCode and VaxiCode Verif. However, the code for downloading third-party issuer keys was still in the application, even though it was not needed.

The vulnerability lies in the fact that once the public key is downloaded, it is used to verify another passport, without checking whether it matches the contents of the issuer field. So an attacker can generate a key pair and make the public key available on the Internet. They can then generate two smart health cards in the form of QR codes - one with arbitrary content, the other with the personal information of the person who wants to impersonate in the form of vaccinations. It will also include a field pointing to a valid government domain. It will be signed with the public key created by them.

During the verification of the vaccine passport, the attacker first presents the first QR code generated by him. This would be rejected by VaxiCode Verif - but it would force the application to download the attacker's public key and add it to its trusted keychain. The attacker will then present a second QR code created by them, which will be validated by Vaxicode Verify.

Levelell said the app update completely removes the functionality of downloading the public key from the issuer's URL.

Leville said ESET did not test the servers that allow the issuance of vaccine passports.

“As a result of this analysis, I believe that, although VaxiCode Verif had some problems with its release, the technologies on which the system is based are solid,” he said. “The idea of using existing standards and technologies is a good decision in my opinion. It ensures both signature security and interoperability between regions that use the Smart Health Card protocol. Denying a valid vaccine passport, in my opinion reverse a fault in the system Na will have a much more serious effect, and that's not the case here. "