PSA: Vaccine certificate QR code contains easily decoded personal information - don't post it on social media

hj007

Expert Member
Joined
Aug 30, 2006
Messages
1,398
So how trivial is it to create a fake one then? Aren't they just checking that id from scanning QR code matches your id book?
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
30,326
> Wait. Will we have to produce our ID alongside the vaccine certificate??? (Otherwise how will they know we are who we say we are?)
> (I’ve lived in this era before and it did not end well)

That's exactly what nobody is addressing. It may work at places like an airport but nobody is going to bother checking if the person with the certificate is the person whose details are in the certificate. That's if anyone even bothers checking if the certificate is real. Other countries have shown how completely ineffective this is and they have way better technical expertise and policing.

Then there's the potential POPI nightmare as well.
 

shearder

Expert Member
Joined
Aug 22, 2007
Messages
1,006
Luckily I won't be needing that shackle. That's only for subjects and slaves not free citizens.
Kry vir jou and enjoy the prison it puts you in
 

konfab

Honorary Master
Joined
Jun 23, 2008
Messages
30,561
> So how trivial is it to create a fake one then? Aren't they just checking that id from scanning QR code matches your id book?

They will need to have a webservice which will allow the scanner to validate it to do that. But like masks and the temperature scanning business, the government just wants the theatre of doing something, so I doubt they would ever set it up.
 

hj007

> They will need to have a webservice which will allow the scanner to validate it to do that. But like masks and the temperature scanning business, the government just wants the theatre of doing something, so I doubt they would ever set it up.

I thought the webservice wasn't happening? That they were just scanning the QR code with no link back to the database itself?
 

konfab

> I thought the webservice wasn't happening? That they were just scanning the QR code with no link back to the database itself?

Well if that is the case, then anyone can generate a fake certificate.
 

hj007

> Well if that is the case, then anyone can generate a fake certificate.

I say that, not because I know, but because .... well have you ever tried getting something from the gov and you get the response "the system is down"?
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
45,969
Odd that when I brought concerns like this up into discussion here that some peeps wanted to take a swing.

“The QR code will have cryptographic signature linked to public key infrastructure (PKI) to prevent any fraudulent production of vaccination cards,” explained Wolmarans.

yeah...
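
The two checks debated in this thread (is the QR data signed by the issuer, and does the ID in it match the ID book shown), as an added example that is not part of any post and is not the EVDS implementation. It assumes Ed25519 and a constructed `payload.signature` text format; the `Cert` fields, function names and ID numbers are made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Cert is a constructed payload; the real certificate layout is not in the thread.
type Cert struct{ ID, Vaccine string }

var ErrFormat = errors.New("malformed QR text")
var ErrSignature = errors.New("not signed by the trusted issuer")
var ErrIdentity = errors.New("certificate issued to a different ID")
var b64 = base64.RawURLEncoding

// Issue (issuer side) signs the payload and packs it as "payload.signature".
func Issue(priv ed25519.PrivateKey, c Cert) string {
	body, _ := json.Marshal(c)
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Verify (scanner side) uses only the issuer public key; presentedID comes from the ID book.
func Verify(issuer ed25519.PublicKey, qr, presentedID string) (c Cert, err error) {
	p, s, _ := strings.Cut(qr, ".")
	body, e1 := b64.DecodeString(p)
	sig, e2 := b64.DecodeString(s)
	if e1 != nil || e2 != nil {
		return c, ErrFormat
	}
	if !ed25519.Verify(issuer, body, sig) { // check the signature before parsing the payload
		return c, ErrSignature
	}
	if json.Unmarshal(body, &c) != nil {
		return c, ErrFormat
	}
	if c.ID != presentedID { // a genuine certificate shown by someone else
		return c, ErrIdentity
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, err := Verify(pub, Issue(priv, Cert{"0000000000000", "sample"}), "1111111111111")
	fmt.Println(err)
}
```

The signature check runs offline; the identity check only happens if the person scanning actually compares the ID document.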
 

Fulcrum29

> Well if that is the case, then anyone can generate a fake certificate.

There is the odd scenario where, say someone has a good idea about how this is being implemented, can brute their way into 'bricking' the system. I am sure several penetration attacks will be launched at this system, though within a lab environment. Hashes are hashes, computers are computers.
 

hj007

> There is the odd scenario where, say someone has a good idea about how this is being implemented, can brute their way into 'bricking' the system. I am sure several penetration attacks will be launched at this system, though within a lab environment. Hashes are hashes, computers are computers.

Eskom is Eskom.
 

Fulcrum29

> Eskom is Eskom.

Mentioning this, in order to authenticate the user document against the EVDS database, an internet connection will be required...

Because,


6. Data transfer

Anonymised data will be transferred to the NDOH database for reporting. No personal data will be transferred from the EVDS, without the required legislative provisions to do so.

so this would also require EVDS to always be available and accessible.

The system is already buckling under multiple queries, think about this being introduced where multiple events are being held, many at the same time, where people are proactively being scanned into the public/private venue.
 

Swa

Incorrect. There's actually nothing stopping you from crossing the road and cars are even expected to stop for you. You can ride a car without a license. You have to pay to use public transport but don't need a pass, passes ended with apartheid. You can enter any private property where the owner gives you permission but the state is trying to dictate against that now. Actually not having restriction wrt private property would go against individual freedoms. Guess what though, universities are not private property unless it's Sol-Tech as they are state funded. The constitution applies and the constitution is against forced medical procedures so I look forward to the :popcorn: regarding the court cases.
 

Swa

> Well if that is the case, then anyone can generate a fake certificate.

You don't need one. Everyone knows someone that's been vaccinated so just use theirs. This is even better as you can keep downloading a new one once you have their details.

But it won't come to that. In order to validate this you'll need a data connection and few places will bother with setting that up. You also won't have your ID checked in everyday life. Just like with temp scanning they will not bother implementing it correctly and instead scan on your arm to get a "correct" temp. The idea is stillborn.
 

JHS1

Member
Joined
Mar 17, 2018
Messages
16
> So how trivial is it to create a fake one then? Aren't they just checking that id from scanning QR code matches your id book?

I have cracked the digital signature inside the QR code of the Version 2 certificate. Took a few hours but I have cracked it! Can decode the whole QR code and can generate a new one that will at this stage seem to be 100% compliant. So, back to the drawing board...
 