Be careful not to share your QR Code online. And the media should be just as careful. Because a mishap happened to Prime Minister Jean Castex, whose health pass went online … before being invalidated.
This advice has been repeated for months: it is really not advisable to share your health pass on social networks. This contains personal information, but also medical indications, which are by nature sensitive. By leaving a clear image of the QR Code, individuals could use it for themselves or, more seriously, seek to harm you.
But what happens when you are a public figure like Jean Castex, whose movements are followed by the media, and his actions do not escape the eye of cameras and cameras? Even if you are careful not to share anything online, you can find yourself at the mercy of others. This is the somewhat embarrassing scenario that has happened to the Prime Minister these days.
A photo of the Prime Minister’s smartphone screen
During a trip on September 13 to a nursing home in Clamart, in Hauts-de-Seine, Jean Castex had complied with the ritual of presenting his health pass before entering the establishment, to show that he does like everyone else. The press was there and a photographer took a snapshot showing the screen of Jean Castex’s smartphone before a breathtaking view of the QR Code (or to be more exact, its 2D-DOC code, which we will come back to below on the principle. ).
For a few days, no one really paid attention to the existence of this photo. Its author also did not consider, at the time, that there was a problem, since it was published on its website without any blurring – it has since been withdrawn, but some research via specialized sites allows to find the trace and to recover it in very good quality.
It was on social networks that the rest was written: the cliché ended up being spotted and Internet users spoke about it, especially on Twitter. Thus, Mathis Hammel, a specialist in computer security, took up the subject on September 18. The interested party follows these subjects closely: at the beginning of June, he had discussed TAC-Verif, the application which is used to verify the data of the health pass, when it had been talked about.
“I have the Prime Minister’s vaccination QR code”
” Game over, I have the Prime Minister’s vaccination QR code. Jean Castex, promise I got it legally and won’t do anything with it, call me if you want a helping hand in cybersecurity », He had launched, accompanying his message with a largely blurred QR Code, as well as a capture showing in clear elements on Jean Castex and his vaccination status (type of vaccine, number of doses).
He then showed an email exchange with the French center for monitoring, alerting and responding to computer attacks (CERT-FR), which depends on the National Agency for the Security of Information Systems (ANSSI), him – even the General Secretariat for Defense and National Security, and therefore the Prime Minister. CERT-FR said they saw his tweet and wanted to know more.
The person has since deleted his Twitter account. His message sparked some controversy among cybersecurity specialists, with criticism of his staging, some criticizing him for not having been more responsible in the way he communicated publicly. Among the politicians, too, it was felt that this was blunted, or that it was, in any case, not a loophole.
” The 2D-Doc used to release the personal information of Jean Castex coming more than very likely from a press photo, you have to be strong to talk about cybersecurity. At best, we could call him Osint [Renseignement d’origine source ouverte, NDLR]. We are very far from a system or app flaw “, observed the deputy Éric Bothorel, who follows these issues in Parliament.
At the very least, a media blunder
Beyond the issues that this raised on the best practices to have in terms of computer security, the case also turns out to be a media blunder: the photo should not have been uploaded by the photographer or, at least , not without proper blurring. Likewise, it should not have been picked up by the media. This is the sign that a relative ignorance still persists on what it is possible to make say to the photos, in the metadata or the snapshot itself.
The visibility of the code should fade quickly enough: the snapshot has also been removed from the photographer’s site and the media have now heard about this affair: where it appeared an edited photo with a blurred area should appear instead. . It could still circulate online, especially on social networks, but its interest should quickly dissipate.
We have also managed to find the photo in question and, according to our findings, the QR Code visible on the photo no longer triggers anything in particular, neither in TousAntiCovid nor in TAC-Verif. What is surprising, however, is that the Prime Minister was still using a 2D-Doc, which is an old and neglected version of the device. In principle, a shift has taken place to standardize the system at European level.
A QR Code placed on the blacklist
Either way, the case should very quickly end. Liberation reports that Jean Castex’s QR Code would have been placed on a blacklist, so as to prevent it from being converted into a QR Code or readable in the TousAntiCovid or TAC-Verif application. The Prime Minister should be able to benefit from a new QR Code in order to be able to continue to access the places where it is requested.
The health pass system has been based on a blacklist since this summer. This is not surprising: we know that there is an effort to fight against fraud against false passes, but also against the traffic of valid passes. Fines and prison terms are provided for in law to penalize the production or possession of these documents. This falls under, among other things, the penalties for forgery and the use of forgery.
Thus, the law provides for three years in prison and a fine of 45,000 euros for forgery or use of forgery. Anyone who makes and uses false documents faces the same penalties. These are of course ceilings provided for by law. In the event of a trial, the judges will assess individual situations on a case-by-case basis. However, current events have shown that the sanctions are not necessarily benign.
This blacklist is not entirely new and its existence is in fact consistent with this anti-fake pass policy. On August 8, Cédric O, who is in charge of digital issues within the government, indicated ” that those who present a pass which is not theirs incur heavy fines. Passes improperly used will be blacklisted and rendered unusable. “
In force since this spring, the health pass follows an operating schedule that takes it until November 15, 2021. The device should however be extended for a still indefinite period: a bill is planned, which will be presented to the Council. ministers on October 13, to shift the end date. The text would have to be approved by Parliament to enter into force.