March 24, 2023

The Queens County Citizen

Complete Canadian News World

Vaccine Passport | QR codes of many compromised elected officials

Vaccine Passport |  QR codes of many compromised elected officials

A hacker Unidentified individuals to the hackfest community on Thursday succeeded in illegally obtaining QR codes containing vaccine information from several elected officials of the National Assembly, including Minister Eric Cairo, who is responsible for the protection of personal information.

Tristan Poloquin

Tristan Poloquin

According to a post published Thursday on the Crypto.Québec Facebook page, but it was removed in the evening, the vaccination data of Prime Minister Franకోois Legalt was also compromised. Minister of Health and Social Services, Montreal Mayor Christian Dubey, Valerie Plante, Quebec Solidair Gabriel Nade-Dubois co-spokeswoman and Liberal Party leader Dominic Angled were also present.

Hackfest, a group of computer security experts, immediately notified the government of the problem, said its co-founder Patrick Mathew.

The security breach used by the hacker allowed him to bypass the government self-service portal by gathering information that could be easily found on social media about his targets.

Asked by Tap In connection with this error, the office of Minister Eric Khair said that the matter was taken very seriously and inspections were carried out. “Any misrepresentation or theft of the QR code is also punishable by a fine [un acte] The culprit, ”recalled its spokeswoman Nathalie St. Pierre.

QR codes issued by the Ministry of Health and Social Services (MSSS) serve as a vaccine passport from 1Is September. To get them, vaccinated Quebecs must enter their name, date of birth, their first vaccination date against COVID-19, the vaccine brand received, as well as their Social Security number.

READ  Thousands of Quebecans make appointments for the first dose

Since all the victims selected for the hack advertised their vaccine by posting their photos on social networks, the hacker was able to easily confirm their first vaccination date. Then all he has to do is find their date of birth on the internet and guess the last two digits of their health insurance number.

“Badly designed” system

During a technical presentation earlier this week, the Associate Deputy Minister of Government Information Technology assured that personal information contained in the QR Code was limited to “absolutely necessary”. Additional information that hackers can find is the date of vaccination of the second vaccine, the sites where these vaccines were administered and the batch numbers of doses. In some cases, they may even find out if the hack victim has ever tested positive for Kovid-19 or if there are clinical contraindications to vaccination.

There is no particularly sensitive information such as the social insurance number, the home address of the vaccinated person or their telephone number.

According to Hawkfest Patrick Matthew co-founder, the system set up by the government shows an error that is “badly designed from A to Z”.

The security of the system is based on information that is easily accessible to anyone around you. Anyone can compromise.

Patrick Matthew, co-founder of HackFest

According to him, the technology that allows the government to produce these QR codes is not designed to make them a large-scale authentication tool such as a vaccine passport. “We have told the government many times that this is a bad choice of technology,” he said.

READ  CH in the final: A Joke Challenge feeds 3,200 homeless people

Liberal MP Marwa Rizki, who also circulated the QR code on the internet yesterday after the hack, wondered why the government did not put an additional firewall on its portal to prevent the hack. She feared that merchants who were called upon to verify QR codes, as provided in the protocol submitted by Quebec, would seldom have time to verify the identity of their customers by asking for a driver’s license or health insurance card. “Fortunately, there is only one Marwa Rizki in the country. I wonder if anyone would try to deceive me. But if I had a generic name like Region Tremble, it would be easy to use a fake QR code, and it’s worrying,” she believes.

“The government has been talking to us about the vaccine passport since May. They have time to make sure security is right, but they underestimate any issues raised by people who know about security. It is unfortunate,” the MP added.

With Alice Girard-Boss With, Tap