The Dutch authorities have begun investigating how cybercriminals have been able to produce an apparently genuine CoronaCheck QR code for Adolf Hitler, which indicates that he’s had both vaccine jabs and is clear to attend events requiring a Covid pass.
The fact that the Hitler code works when checked using a legitimate test-for-entry scanner indicates that it was made using real digital “keys” – and because these QR codes are part of an EU reciprocal arrangement, once they work in one country, they work in all 27.
The scam first came to light when the seller of the codes advertised on an online hacker forum to make a working QR code in any name for €300, although trading in the codes is illegal across the European Union.
When the seller was contacted by Dutch broadcaster RTL, he produced the Hitler code as an example. He said he could generate codes from France or Poland only – although they would, of course, work anywhere in the EU.
French or Polish keys
The Hitler code worked perfectly in the Netherlands even though its creator gave the dictator an incorrect birth date of January 1st, 1900, indicating that in all other ways it was the genuine article.
RTL passed the details of their contact with the hacker to the Dutch health ministry, which confirmed it was examining the possibility that this could mean that either the official French or Polish keys had been compromised or stolen.
If that turned out to be the case, the broadcaster was told, then all of the codes produced by the country involved could be rendered invalid. That’s because the fake codes would have to be blocked for safety but it would be impossible to tell the fake ones from the real ones.
There was no suggestion that the Dutch digital keys had been compromised, the ministry told the broadcaster.
Implications of fraud
The availability of the codes means that not alone could an unvaccinated person have a code made in his or her real name and use it to go to events restricted to those vaccinated, but it could also be used to work in catering, for instance, without vaccination or a negative test.
The codes show whether their holders are vaccinated against coronavirus, have recovered from an infection or have had a negative test within the previous 24 hours.
This isn’t the first time the test-for-entry system has been compromised. In the Netherlands, a 20-year-old man was arrested and several health service staff were suspended last month on suspicion of falsifying vaccination codes. “There’s a market for this; the instances are increasing”, said a health service spokesman.