
Quebec Vaccination Passport can be easily bypassed

Underlabs strongly encourages everyone to get fully vaccinated against Covid-19 and fully supports the Quebec Government's initiative of a Vaccination Passport. However, we believe that the verification app was poorly executed.

It has come to our attention via MTLBlog that the Vaccination Passport is currently in beta, as a pilot project launched by the Quebec Government.

She scanned it [QR Code] with the government’s app, which she had on her phone, and a green checkmark appeared. The only information visible on her phone was my full name and the words “Certifié par le Gouvernement du Québec.”

If your credential is not accepted, a red box pops up instead of a green one and there’s a warning symbol instead of a checkmark.

Ilana Belfer

The blog post went on to say that “all data is encrypted in the QR code and the apps do not connect to the internet. No data is stored on the business user’s device. He also said ‘Certifié par le Gouvernement du Québec’ has the potential to change to certifications from other jurisdictions, potentially accommodating tourists.”

The issue we find is that this opens the app up to QR code sharing. Anyone can ask a fully vaccinated friend for their QR code and then present that QR code for admission. In a worse scenario, QR codes could be leaked on the internet and used by someone who is not vaccinated.

Anyone presenting a valid QR code, whether their own or someone else's, would simply be scanned by the validation app and receive the green checkmark.

This gives everyone a false sense of security.

It would be better to have no system in place than one that provides false or untrue information.

The workaround would be to confirm that the name displayed by the validation app matches a government-issued ID: verify that the photo on the ID matches the person to be admitted, and double-check that the name on the ID matches the name decoded from the QR code.

However, since the app does not require an internet connection, it does not verify the information against a central server; the vaccination status information is encrypted and encoded in the QR code itself. We estimate that a checksum is in place as well. In this case, the data could be decrypted, or the Android app could be decompiled to reveal the decoding algorithm, which could then be used (not straightforward, but certainly possible) to generate new QR codes for people who are not necessarily vaccinated, displaying whatever name they choose, since they can encrypt and re-encode new data.

In the worst case, such QR codes could be sold on a black market.
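The reasoning above is that an offline verifier which only decodes a payload and checks a checksum can be fed new payloads once the encoding is known. The Go program below is an added example written for this page; it is not code from Underlabs, MTLBlog or the Quebec app, and the credential fields, token layout and names in it are constructed stand-ins, not the real app's format (which the post only estimates). It contrasts a toy checksum scheme with an issuer-signed scheme (Ed25519) and shows the property a practitioner would look for: the verifier keeps working offline with only the issuer's public key, but nobody holding just the verifier can produce a token for a different name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Credential is a constructed stand-in for what a vaccination QR code might
// carry. It is not the real format of the Quebec app.
type Credential struct {
	Name  string `json:"name"`
	Doses int    `json:"doses"`
}

var enc = base64.RawURLEncoding

// splitToken separates a "payload.tag" token into its two decoded halves.
func splitToken(token string) (payload, tag []byte, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, nil, false
	}
	var err1, err2 error
	payload, err1 = enc.DecodeString(parts[0])
	tag, err2 = enc.DecodeString(parts[1])
	return payload, tag, err1 == nil && err2 == nil
}

// Scheme 1: payload + SHA-256 checksum. A checksum only detects accidental
// corruption; anyone who recovers the algorithm (e.g. from the verifier app)
// can recompute it for any payload.
func encodeWithChecksum(c Credential) string {
	payload, _ := json.Marshal(c)
	sum := sha256.Sum256(payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sum[:])
}

func verifyChecksum(token string) (Credential, bool) {
	var c Credential
	payload, sum, ok := splitToken(token)
	if !ok {
		return c, false
	}
	want := sha256.Sum256(payload)
	if !bytes.Equal(want[:], sum) {
		return c, false
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, false
	}
	return c, true
}

// Scheme 2: payload + Ed25519 signature by the issuer. The verifier app ships
// only the public key, so it still works offline, but minting a new token
// requires the private key, which never leaves the issuer.
func encodeSigned(c Credential, priv ed25519.PrivateKey) string {
	payload, _ := json.Marshal(c)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload))
}

func verifySigned(token string, pub ed25519.PublicKey) (Credential, bool) {
	var c Credential
	payload, sig, ok := splitToken(token)
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return c, false
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, false
	}
	return c, true
}

// CompareSchemes models a party holding only what the verifier holds (the
// algorithm and, for scheme 2, the public key) and reports: genuine signed
// token accepted; re-encoded checksum token accepted; forged payload spliced
// onto a genuine signature accepted.
func CompareSchemes() (genuineOK, checksumForgeOK, signedForgeOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed issuer keypair
	if err != nil {
		panic(err)
	}
	genuine := Credential{Name: "Constructed Holder", Doses: 2}
	other := Credential{Name: "Constructed Other", Doses: 2}

	genuineTok := encodeSigned(genuine, priv)
	_, genuineOK = verifySigned(genuineTok, pub)

	// Scheme 1: knowing the encoding is enough to produce an accepted token.
	_, checksumForgeOK = verifyChecksum(encodeWithChecksum(other))

	// Scheme 2: the only signature available is the genuine one, and it does
	// not verify over a different payload.
	otherPayload, _ := json.Marshal(other)
	spliced := enc.EncodeToString(otherPayload) + "." + strings.Split(genuineTok, ".")[1]
	_, signedForgeOK = verifySigned(spliced, pub)
	return
}

func main() {
	g, c, s := CompareSchemes()
	fmt.Printf("genuine signed token accepted: %v\n", g)
	fmt.Printf("re-encoded checksum token accepted: %v\n", c)
	fmt.Printf("forged payload on genuine signature accepted: %v\n", s)
}
```

Note what the signature does and does not fix: it stops new codes from being minted by anyone who only has the verifier, but it does nothing about a genuine code being shared by its owner. That sharing problem is only addressed by the ID check the post describes above, where the name on the credential is compared with a photo ID.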

In conclusion, we strongly encourage everyone to be vaccinated and support a vaccination passport initiative as well. However, if such a system is put in place, it should at least ensure that those with malicious intentions cannot bypass it. We believe the current system gives a false sense of security and could be more dangerous than not having such a system at all.