Ontario should prevent the 'hack' that hit Quebec's vaccine passport app, expert warns

A QR code for Quebec's vaccine passport. (Source: Ministry of Health and Social Services)

Ontario’s vaccine passport app should learn from an episode in Quebec where some people created their own QR codes and spoofed the identity of several Quebec politicians, says a Toronto cybersecurity expert.

Quebec’s government has complained to police about so-called hackers who were able to appear to obtain the QR codes of Quebec leaders -- including Premier Francois Legault -- something that should be avoided here, says Claudiu Popa.

“I like QR codes as much as anybody else. You can flash them and scan them on the fly. But they should be only used to transfer and communicate secure information and the best way to protect confidentiality is to use encryption,” he said.

Quebec has defended its system, saying the alleged breach exploited a small vulnerability that is being fixed.

“It’s a really precise loophole that is being corrected right away,” Eric Caire, Quebec’s minister for government digital transformation, told CTV Montreal last week.

“We will think about it if it’s a good idea to put more obstacles in the system, more constraints,” he said.

QR codes are short for “quick response” codes and are often used to store a string of characters such as a website or some names and dates in a speedy, machine-readable format.

In Quebec, the QR codes contain a person’s name, date of birth, and information about the vaccinations they have received.

Those codes are a central feature of the Quebec government’s vaccine passport system, which launched on Wednesday.

It appears the so-called hackers were able to obtain publicly available information such as the name and the birthdate, and used whether the politician had already disclosed his or her vaccination status.

Then it appears the person made their own QR code, which could be read by the vaccine passport app.

In Ontario, the vaccine passport will first be a printed or shown vaccine receipt, and an app is scheduled to come in only on October 22.

Ontario’s Associate Minister of Digital Government Kaleed Rasheed told a news conference that the government is aware of the issue in Quebec.

“The provincially designed app is going to be very secure and privacy protected,” he said.

If the QR code displayed by a customer contains an encrypted code which only the QR reader can decode, the app would be more secure, Popa said.

He also advised that people should not flash around their QR codes, and keep them private as they would with a credit card or a drivers’ licence.

“We have so many tools that could scan QR codes from a distance,” he said.