Hackers playing the role of whistleblowers have uncovered with bewildering speed two flaws in obtaining vaccine proof and the QR code that confirms it from the Ministry of Health and Social Services.

The first, which is not really one for Éric Caire, the Minister for Digital Transformation and responsible for the Protection of personal information, consists in downloading the vaccine evidence of public figures whose date of birth and whose names were known. vaccination dates – information often disseminated by key stakeholders, too happy they were to say they were vaccinated to encourage people who were not already vaccinated to receive their doses. With the name and date of birth, the hackers only had to generate two missing digits to get the full health insurance number and, from there, receive the QR code.

It was embarrassing, it sounds amateurish, but it hardly has any consequences since another document with a photo – a health insurance card or a driver’s license – must be provided in addition to the QR code to enter the places where the vaccination passport is required. Obviously, presenting such a forged document is a criminal act which, in this case, was not committed and of which we do not see what interest anyone would have in perpetrating it. In the government, we explain that we wanted the steps people to take to obtain this QR code to be very simple. It is indeed simple, too simple, even simplet. Simplicity is no excuse for faltering security.

The other flaw is serious. A pirate, who fears retaliation and to whom Radio-Canada gave the name of “Louis” to preserve his anonymity, discovered that it was possible to create a fake QR code and associate it with an identity. The VaxiCode Verified application, with which merchants are equipped, saw nothing but fire and accepted these invented codes.

Not only does this suggest that the hacker may have broken into the government system, but it is conceivable that some unvaccinated people would benefit from using false codes to outsmart the authorities. Once read by the verification software, this QR code is sesame which allows you to take part in certain activities.

The Caquista government refuses to immediately grant immunity to this pirate, to whom, however, he owes a lot of credit. Underpants, the Ministry of Health and Social Services said it had lodged a complaint with the Sûreté du Québec, while, on Friday, Minister Cairo brandished threats of criminal and civil proceedings.

It goes without saying that these threats were poorly received by a group of computer security professionals, the Hackfest, which had informed the government of one of the flaws as soon as it appeared to them. Regrouping has therefore decided to stop collaborating with the authorities.

Tuesday, Eric Cairo was more conciliatory. No complaint has been filed against the pirate “Louis”, assured the minister. Investigations are underway, understandably. However, the government wishes to “work and collaborate with citizens and cybersecurity experts,” he continued, adding that Quebec must be inspired by best practices and that “new technologies are a new reality with which we must compose “.

But these so-called ethical or benevolent pirates are part of this reality. The US government and major tech companies are accepting the assistance of these hackers independent workers who, for a fee or not, flush out the flaws in their computer systems, which allows these organizations to fix them promptly.

If the Caquista government has a minister dedicated to the digital transformation of the State, it is because it has great ambitions aimed at the computerization of services to the population. The cross-use of data held by ministries and public bodies is on the menu, as is the digital identity of citizens.

Several requirements correspond to this ambition, in particular the strengthening of the protection of personal information and computer systems. The VaxiCode software and its QR code are just the beginning, a stammering of sorts; there is room for improvement. Instead of threatening these benevolent pirates who seek to collaborate with him with prosecution, the Legault government has every interest in formalizing its relations with them, as is done elsewhere in the world.

Watch video


Leave a Reply

Your email address will not be published.