Quebec could make changes to vaccination passport after flaws in system exposed

The Quebec government says changes to its vaccination passport could be made, in light of reports of hackers and computer programmers easily bypassing the system.

Quebec could make obtaining QR code more complex in response to breaches, minister says

Éric Caire, the province's digital transformation minister says the vaccination passport apps will not compromise the safety of Quebecers. (Ryan Remiorz/The Canadian Press)

When Louis heard the province's digital transformation minister say on Tuesday that quick response (QR) codes "cannot be falsified, modified or copied," he took it as a challenge.

"There's always a flaw," he said. "It's just a matter of being patient enough to find it."

Louis has spent years working as a computer programmer. Radio-Canada agreed to protect his identity.

He is quick to point out that he is not a hacker. Yet, within six hours, Louis said he used external software to create fake proof of vaccination for people who don't exist. He then stored that proof into the province's VaxiCode app. 

Radio-Canada downloaded VaxiCode Verif — which allows businesses to verify customers' proof of vaccination in order to let them in — and according to the app, the fictional person by the name of "Monsieur Untel" was adequately vaccinated.

"Honestly," Louis said, "I am surprised that I was able to penetrate the system so easily."

Tell us what you think!

Help shape the future of CBC article pages by taking a quick survey.

Radio-Canada spoke with a computer programmer, who was able to generate fake QR codes on the province's vaccination passport app. (Radio-Canada)

The Journal de Montréal, meanwhile, reported Thursday that a group of hackers were able to obtain the QR codes of Premier François Legault, Mayor Valérie Plante, Quebec Health Minister Christian Dubé, as well as those of provincial opposition leaders Dominique Anglade and Gabriel Nadeau-Dubois.

The Journal also reported that hackers got their hands on the vaccination proof of Éric Caire, the digital transformation minister overseeing the security of the vaccination passport system.

The QR code contains a person's name, date of birth, the dates of vaccination as well as the type of vaccines received.

Vaccination passports become mandatory for various activities Wednesday, Sept. 1.

The VaxiCode apps have been downloaded more than 1 million times so far, including 127,000 downloads of the version for businesses that scans QR codes.

System 'remains secure,' minister says

Speaking with Radio-Canada on Friday, Caire maintained the vaccination passport system is safe.

"My last name, my first name, my sex, my date of birth are not really difficult to find, they are public," Caire said. "And I took a picture of myself getting vaccinated and I said what type of vaccine I was getting, so the date and the type of vaccine was also public information."

Caire said making the vaccination passport system as simple as possible — so that it would be widely adopted and used — was a top priority for the Quebec government.

In light of the breaches being reported however, the minister said the province could decide to make obtaining a QR code a more complex process.

"We will discuss it with the health minister, we will weigh the inconveniences and if we have to make obtaining the QR code more complex, well, we will do it," he said.

"But what I'm saying is, this [added] complexity, it will also be there for people that would want to get it for legitimate reasons. And that would possibly mean limiting the use of the QR code, and that's not what we want."

Louis, the computer programmer who spoke with Radio-Canada, says he was surprised how easy it was to generate fake QR codes on the vaccination passport app. (Radio-Canada)

As things stand now, Caire said even if someone generates a fake QR code, that person still needs to show photo identification to be able to go somewhere that requires a vaccination passport.

"The heart of the story is to prove your identity," Caire said. "I want to be very clear, the QR code has not been falsified, it has not modified and it remains secure."

The minister's comments did not address if it is possible for someone to assign a forged QR code to a real name, thereby allowing that person to go to bars, restaurants, gyms and other places without being adequately vaccinated.

Criminal complaint filed regarding leaks

In the wake of the reports, the province's Health Ministry issued a statement announcing that formal complaints have been filed with police regarding the leaks of "the proof from known personalities."

"The relevant authorities will investigate and determine if criminal charges have to be laid," the statement read.

"The QR code and the personal information it contains cannot be used without the consent of the people in question. Offenders that do not respect this obligation expose themselves to important sanctions that could lead to civil or criminal proceedings."

Gabriel Nadeau-Dubois, spokesperson for Québec Solidaire, described the flaws in the vaccination passport system as an "unforgivable mess." (Sylvain Roy Roussel/CBC)

The Health Ministry also said the vaccination passport system can still be tweaked.

'An unforgivable mess'

Québec Solidaire spokesperson Gabriel Nadeau-Dubois has written a letter to Quebec Premier François Legault, in which he described the vaccination passport's flaws as an "unforgivable mess."

In his letter, which he posted to Facebook, Nadeau-Dubois said Quebecers deserve a government "that treats their medical information seriously," and issued an ultimatum to the premier.

"I ask that you announce a plan to fix this worrisome security breach," he wrote. "Otherwise, suspending the vaccine passport until a long-term solution is found will need to be considered."

Based on a report from Radio-Canada's Camille Carpentier