Hackers claim they cracked Quebec's vaccination QR codes; government says they're 'completely secure'
MONTREAL -- There are new privacy and security concerns over the QR codes given out to Quebecers as proof of vaccination.
A cyber security team of experts tested whether or not it could crack the codes and they say they were able to do so fairly easily.
While the roll-out of the QR codes has already begun, only a few details have been released about how and when they will be used.
Health minister Christian Dubé has said that if the epidemiological situation deteriorates in Quebec, the QR codes will be required for residents to access some non-essential services, such as bars and gyms.
The government said it hopes to never have to use the digital proof of vaccination for such a reason and is instead relying, quite desperately, on the population to get their two doses of the vaccine by Aug. 31.
Recently, a team of cybersecurity experts got together to test the security and safety of the QR codes sent to hundreds of thousands of Quebecers so far.
The so-called “ethical hackers” were able to crack the codes using a fairly rudimentary program that decodes the visual symbols.
Those involved in the hack are asking why the government did not opt for a more robust security method involving encryption, which is far more difficult to crack.
“There are a lot of people that say, in social media, we’re already giving that (kind of personal) information. The thing is we’re giving this information voluntarily to a private company,” said Patrick Mathieu, co-founder of Hackfest, billed as the largest hacking event in Canada.
“(But) now it’s the government forcing us to access a public space or private event. Facebook doesn’t require you to give your information when you want to go to a cinema, but the government might ask you to do so.”
Even if the QR codes are never needed to be used within the province, they can be shown abroad when travelling to countries, such as those in Europe, that require proof of vaccination for entry.
In a statement, the ministry of health said the QR code is “completely secure and the government would “never put Quebecers’ data at risk.”
“The Ministry of Health is studying and following international standards in this major operation. And for double authentication, the QR code will have to be accompanied by a proof of identity on site. The QR code is designed to be read and is unencrypted, in accordance with the international standard determined by the WHO, a position supported by the VCI (Vaccination Credential Initiative) for Smart Health Card (a group of public and private organizations),” the statement read.
“The QR code is not forgeable. It contains an encrypted signature from the Quebec government. It does not constitute proof of identity. Therefore, to avoid fraud or identity theft, the QR code must be combined with proof of identity.”
The ministry added that there are still several weeks of testing left to iron out technical details of the QR code program.
Mathieu said the current codes were relatively easy to create and that encrypted codes would require more elaborate set-ups, but would require more people and more money to develop.