User Controls
Vaccine certificate security
-
2021-11-01 at 5:01 PM UTC
-
2021-11-02 at 10:02 AM UTC
Originally posted by Sophie Do we have a copy of the 'validator' app that will be used to check the QR code certificates? Having a copy of the app users are supposed to have with the Qr code and everything, plus having a copy of the app meant for the people that will be checking for it's validity will be useful.
I can set up an Android VM for instance, one for the user version one for the authentication version. I haven't really looked into it all that much but i'd like to perform some tests in a controlled environment.
Definitely getting our hands on the validator app will be helpful. I'm guessing it will be publicly available on the play/apple store. It comes out at the end of the month in my country and I can't wait to see how it works. Kinda pissed because I'm pretty sure they had a public beta test that I missed out on. -
2021-11-02 at 3:33 PM UTCgreat topic OP, this will be useful if our governments pull a hitler on us.
freedom fighters in the 2000s provided encryption for the masses to fight surveillance, now the masses could use forged vax certificates to protect their livelihoods while they sue their governments for violations of its most basic foundations of law. -
2021-11-02 at 4:55 PM UTC
Originally posted by Biff Understudy Definitely getting our hands on the validator app will be helpful. I'm guessing it will be publicly available on the play/apple store. It comes out at the end of the month in my country and I can't wait to see how it works. Kinda pissed because I'm pretty sure they had a public beta test that I missed out on.
It's going to be rolled out pretty soon here as well, i'll share what i manage to get my hands on. If you're in the EU, like i am having a way to examine implementations developed for travel within EU borders but to different member states might prove insightful. -
2021-11-24 at 11:38 AM UTCTech specs for New Zealand verifier app - https://nzcp.covid19.health.nz
App - https://play.google.com/store/apps/details?id=nz.govt.health.covidpassverifier
I've been looking at the tech specs for the last week. Even made an app to the specs in hopes to get a proper understanding of how it works. Private key(s) seems to be the only way, but then again I'm no expert at this stuff.
The Ministry of Health is releasing the source code for the app on github soon. Fingers crossed there might be something to work with.
On a side note(political sorry) - I'm kinda concerned that the NZ app is called "NZ Pass Verifier"(not "MyVaccine Pass Verifier") + the icon doesn't have anything vaccine related in it, which makes me wonder if the government is going to eventually transition it from "just a vaccine pass" into a general pass for everything. -
2021-11-24 at 12:54 PM UTCblood is thicker than covid pass app.
https://dailystormer.su/who-announces-mass-production-of-technology-to-detect-unvaccinated-people/ -
2021-11-24 at 1:17 PM UTC
Originally posted by Technologist If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.
You aren’t man enough to get a shot, man up and be honest about it pussies!
Ya if you arent man enough to get an experimental shot, wear it like a badge of honor -
2021-11-24 at 1:24 PM UTCthe reason birds stand bravely on high voltage cables is not because they are brave.
its because they know not of electricity, and how it kills.The following users say it would be alright if the author of this post didn't die in a fire! -
2021-12-01 at 2:31 AM UTCThe euro ones are encoded with a private RSA key it would seem. Some analysis shows the following encoding/signing schemes to be the most likely
[+] SHA-1
[+] Double SHA-1
[+] RIPEMD-160
When you decode the barcode element the text data that comes up kind of looks like it was encoded with GPG, like a certificate. If it has to make some sort of API call for verification it could be the data contained within is a little like a binary payload. The authentication app might only be there to decode said payload, and verify it was encoded with a government approved private key.
I'mma see if i can get Anbox up and running, and emulate scanning a valid QR Code, and MITM that bitch. -
2021-12-01 at 2:33 AM UTCOk I'll take the shot. But only if they will inject it directly into either my eyeball or my dick. And not my dick vein I mean like a gnarly muscle shot into the meat of my dick.
-
2021-12-20 at 3:15 PM UTCUpdate. I got full source code on the verification app, both for apple and Android. I also have a number of test domains and examples used for development, plus a script that will independently retrieve certain resources related to the verification process and the way in which the QR Codes are structured and encoded.
The app requires the phone to be connected to the internet to verify the QR Code in question that is being scanned. -
2021-12-20 at 3:16 PM UTCHit me up if you want the sauce in question.
-
2021-12-20 at 4:05 PM UTCWhile we're on the topic of QR codes i recently got tooling that allows for the fuzzing of various QR Code readers for vulnerabilities. It seems to be geared towards web apps that can read QR codes, but it provides capabilities to fuzz for command injection and allows you to include your own custom list of paylaods as well. It would be dope if we were able to have the verification app read a malicious QR code, that forces the app to always approve it no questions asked. But that seems rather unlikely, we may be able to simply crash the app or something of the sort. That would be cool.
In the last couple of weeks i have been gathering all the appropriate tooling for QR Code shenanigans, and reading up on the general security concepts surrounding it. Personally i think it's pretty fascinating. And with time i am sure i can comr up with at least some shenanigans with regards to this whole subject of research. That said i am far from an expert in this particular niche, so if anyone wants to collab on something of the sort at a secure venue, please feel free to hit me up as well.
