Episode 79: How the German Immunity Passport Was Hacked

The certificate infrastructure of the German digital immunity passport, based on an EU-wide system, has been completely undermined by a hack that’s so easy to pull off that probably any twelve year old with a computer can accomplish it.

When the German immunity passport infrastructure was launched in June, The Private Citizen reported on it and I explained why I think this whole thing is a bad idea. I also suspected that this system, like any system (especially digital ones), could be manipulated. This has now happened and in this episode, we’ll look at how security researchers managed to hack it with minimal effort.

But first off, some housekeeping. I’ve been contacted by several people in regards to the recent floods in North Rhine-Westphalia and Rhineland-Palatinate. At the time, I was in the Vosges, happily riding my motorbike around mountain roads in excellent weather. Flooding in Düsseldorf was minimal and my place was not affected in the slightest. I thank everybody who was thinking of me and all of those who contacted me in various ways (or tried to and didn’t get a response because I was way from my computer for a few weeks). I can assure you that everything is fine!

The Sunshine Pharmacy #

Episode 74 of this show explains the EU-mandated certificate infrastructure that was implemented in Germany last month to deploy the nationally recognised immunity passport for SARS-CoV-2 vaccinations. When I explained the technical details of this system, I noted that there are probably security issues in there somewhere – just based on a general understanding of complex IT systems and in light of how fast this was implemented – but I did not concentrate on this aspect of the story in detail. Rather, I chose to explain once again, why the whole thing is conceptually flawed and a bad idea.

About a month later, we now have to talk of the concrete security issues with the system as it has already been hacked , causing the server that German pharmacies use to create vaccination certificates to be taken offline .

The flaw that was discovered by two German security researchers, André Zilch and Martin Tschirsich, is not a flaw in the certificate system itself. Instead, it’s a rather simple hack of one of the infrastructures used to sign vaccination certificates. German pharmacies are allowed to inspect paper immunity passports (see the show notes for episode 74) and the create a digital certificate with an accompanying QR code that can be scanned and stored in several smartphone apps. German pharmacies are organised in a trade organisation called the Deutsche Apothekerverband (DAV). The DAV created a server with a web portal that pharmacy employees can use to create these certificates. This web portal uses little to now validation and that’s where the security of the whole system falls down.

The two security researchers invented a fictional Sonnen-Apotheke (“Sunshine Pharmacy”) located at a residential address they could receive mail at. They registered that with the DAV portal. To verify that they were indeed running a pharmacy, the security researchers needed three things: A license to operate a pharmacy, a letter from the DAV’s Nacht- und Notdienstfonds – a financial organisation subsidising the costs of running pharmacies outside of the normal opening hours – and the so-called “Telematik-ID”, which is an ID number administered by the company Gematik assigned to operators in the German healthcare system that is used in that system’s IT backend (which is run by Gematik).

The two documents were easy to fake. As it turns out, many pharmacies in Germany display a copy of their license online and the letter from the Nacht- und Notdienstfonds is simply a piece of paper the two researchers could fake easily by asking a neighbour who runs a real pharmacy some questions. For the Telematik-ID, they just made up a random number of appropriate length. Two days later the security researchers got a letter with a sign-on link and were able to issue SARS-CoV-2 vaccination certificates of their choosing. As a prove of concept, they created two fake certificates for themselves and then contacted the DAV.

The Security Issues Probably Still Exist Today #

The DAV shut the certificate creation server down pretty much immediately, preventing hundreds of pharmacies in Germany from creating digital vaccination certificates for about a week. To this day they maintain that the certificates and their infrastructre is secure and that the researchers only managed to get the fake certificates by “committing professional-grade fraud”. To do so “requires considerable effort and criminal energy”, according to the DAV.

The DAV certificate creation infrastructure is now back online . There is no indication, however, that the underlying problem has been fixed. In fact, it’s highly unlikely. With the DAV maintaining that access for non-DAV members to the portal – the security researchers had used such an account for their fake pharmacy – is “routinely monitored”. But the researcher’s fake pharmacy was not caught during this monitoring.

In fact, there are indications that, even before the researchers started their work, criminals were selling fake SARS-CoV-2 vaccination certificates on the web. It looks very much like these came from the same source as the researcher’s fake certificates.

According to the DAV, more than 25 million digital certificates were issued using their infrastructure. There is no way to determine which of those are legit and which aren’t. And since the certificates can’t be individually pulled, the only save option would be to invalidate the signing keys and retract all certificates issued by German pharmacies. Meanwhile, the DAV maintains that there are only two fake certificates in the wild , meaning the ones issued by the two security researchers.

Producer Feedback #

Producer Martin says:

Hi Fab! You recently reported that a video of your podcast got censored by YouTube and restored after your complaint. You are not alone. Someone complained by suing. YouTube was forced to restored the video. They didn’t. As a consequence, they have to pay € 100k.

→ Der Spiegel: Gericht verhängt offenbar 100.000 Euro Ordnungsgeld gegen Youtube

Another Martin comments:

I am in agreement with most of what you’ve said over the last few shows. I just have a few things to say about the intertwined topics you’ve brought up:

Regarding copyright, as both a creative professional and the director of a media organisation, I want control over how my work is used and at the very least it would be nice if other professionals in the industry respected that. I was therefore very annoyed to find a picture of mine being used without permission by a British newspaper as the headline image on one of their articles. I regard this particular outlet as a political enemy, and so even though the image was worth very little by nature, I decided to fight them on principle.

The response was very interesting. At first I was completely ignored, then told a load of incorrect lies about copyright law in a hostile, rude, and badly spelled manner. Finally, after I copied in the news group which owns them, threatened legal action, and promised to inform the Intellectual Property Office, they gained a sudden understanding of the law, became very contrite, and paid me my due (more than the going rate but less than the bill I originally sent for violating my intellectual property rights).

On the subject of propaganda, since 2014 British state propaganda has ramped up to an incredible degree. Union flags are on everything in the supermarket now. An official government campaign has been running called Welcome To GREAT which rebranded everything Scottish as British. It’s all in aid of One Nation British Nationalism, and deeply sinister in my opinion. Brexit has only amplified it.

The British army has a very active troll division called 77 Brigade who are all over social media. British Government presence in Scotland has increased by orders of magnitude. In 2014 the “Scotland Office” had only a handful of employees. Now it has over 1000, a massive new premises, and it’s been rebranded “the UK Government in Scotland.”

Incidentally you may or may not be aware that we in the Precious Precious Union are also losing the right to peaceful protest. People (such as Craig Murray) are being sent to jail for reporting the truth.

Your point about the usefulness (or not) of Creative Commons licenses was interesting by the way.

Producer m0dese7en sends in some feedback on episode 76:

You touched on the topic of a proposed German law that would require OS makers to restrict web content for the purpose of protecting minors. Ironically, Utah did a very similar thing, but only for “smart phones” (hand computers) and “tablets” (bigger hand computers, but more appropriately named).

You may or may not be aware of it, but there is a podcast called Sex with Emily. I think that she is doing a good job of trying to bring sex topics out into the public sphere of conversation so that the taboo around it goes away and people can begin discussing it like adults. It is good that you bring up pornography in the way you did. You obviously pointed out the freedom issues surrounding it but the ethical problems surrounding its production. As you pointed out, if more people were open to discussing these things like adults, it is quite possible that the awareness surrounding the production of porn might allow for some serious changes.

I also had some very interesting discussions about sex and porn with some listeners of the show. Naturally, I will keep these confidential, but suffice it to say that sex and porn in a relationship is something many people seem to struggle with, which doesn’t surprise me. I feel a lot of these troubles would go away if we’d stop making such things taboo and would just talk to each other about them. Much like Dr. Emily Morse seems to think as well.

If you have any thoughts on the things discussed in this or previous episodes, please feel free to contact me. In addition to the information listed there, we also have an experimental Matrix room for feedback. Try it out if you have an account on a Matrix server. Any Matrix server will do.

Toss a Coin to Your Podcaster #

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money to via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits #

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show. This is why I am thankful to the following people, who have supported this episode through Patreon and PayPal and thus keep this show on the air:

Georges, Steve Hoos, Butterbeans, Jonathan M. Hethey, Michael Mullan-Jensen, Dave, 1i11g, Jackie Plage, Michael Small, Vlad, Philip Klostermann, Jaroslav Lichtblau, ikn, Kai Siers, Bennett Piater, Fadi Mansour, Joe Poser, Dirk Dede, Larry Glock, tobias, David Potter, Matt Jelliman, m0dese7en, Mika, Martin, Sandman616, MrAmish, avis, Dave Umrysh, Rhodane the Insane, Rizele, drivezero, RikyM, Barry Williams, Jonathan Edwards, Captain Egghead, Cam, D, RJ Tracey, Philip, Rick Bragg, Robert Forster, Superuser and noreply.

Many thanks to my Twitch subscribers: mike_thedane, sandman616, flash_gordo, m0dese7en_is_unavailable, indiegameiacs, epochsky and l_terrestris_jim.

I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

Podcast Music #

The show’s theme song is Acoustic Routes by Raúl Cabezalí. It is licensed via Jamendo Music. Other music and some sound effects are licensed via Epidemic Sound. This episode’s ending song is Black Vulture by Static Rush.