Reversing SMART Health Cards

https://twitter.com/mareMtl/status/1393264869726621696

High Level Analysis

Decode QR Code
shc:/567629095243206034602924374044603122295953265460346029254077280433602870286471674522280928613331456437653141590640220306450459085643550341424541364037063665417137241236...
SMART Health Cards Framework

Analysing the SHC Framework

  1. Create a JWS payload with the patient information.
  2. Sign the JWS.
  3. Transform JWS into a numeric QR.
  4. Generate the QR code.
https://datatracker.ietf.org/doc/html/rfc7515#section-3
  • Why are we subtracting 45 from the decimal value of each char?
  • What does .flatMap((c) => [Math.floor(c/10), c % 10]) do?

Writing a decoder

  1. Split all the digits in groups of two characters.
  2. Convert each group to an integer.
  3. Add 45 to retrieve the original char code.
  4. Cast it as a char.
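
The four steps above as runnable JavaScript, together with the encoder direction they reverse. This is an added example, not code from the original article or from the SHC project; the function names and the sample JWS are assumptions made up for illustration.

```javascript
// Added example: SHC numeric QR text <-> compact JWS (RFC 7515).
const PREFIX = "shc:/";
const OFFSET = 45; // '-' (code 45) is the lowest char in a compact JWS, 'z' (122) the highest

// Encoder direction: subtract 45 so every char fits in two digits (0..77),
// then flatMap splits each value into its tens and units digit.
function jwsToNumeric(jws) {
  return PREFIX + [...jws]
    .map((ch) => ch.charCodeAt(0) - OFFSET)
    .flatMap((c) => [Math.floor(c / 10), c % 10])
    .join("");
}

// Decoder direction: the four steps listed above.
function numericToText(qrText) {
  if (!qrText.startsWith(PREFIX)) throw new Error("missing shc:/ prefix");
  const digits = qrText.slice(PREFIX.length);
  if (!/^(\d\d)+$/.test(digits)) throw new Error("expected an even number of digits");
  return digits
    .match(/\d\d/g)                                   // 1. groups of two
    .map((pair) => parseInt(pair, 10) + OFFSET)       // 2. to integer, 3. add 45
    .map((code) => String.fromCharCode(code))         // 4. cast to char
    .join("");
}

// Reject anything that is not header.payload.signature in base64url.
function numericToJws(qrText) {
  const text = numericToText(qrText);
  if (!/^[\w-]+\.[\w-]+\.[\w-]+$/.test(text)) throw new Error("not a compact JWS");
  return text;
}

// The first JWS segment is base64url-encoded JSON (RFC 7515, section 3).
function decodeHeader(jws) {
  const header = jws.split(".")[0];
  return JSON.parse(Buffer.from(header, "base64").toString("utf8"));
}

// Constructed sample (not a real health card; payload and signature are dummies).
const b64u = (s) => Buffer.from(s, "utf8").toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWS = ['{"alg":"ES256","kid":"example-key"}', "dummy-payload", "dummy-signature"]
  .map(b64u).join(".");
```

Applied to the first six digits of the QR text shown earlier, `numericToText("shc:/567629")` returns `eyJ`, the usual start of a base64url-encoded JSON object.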

Data Analysis

"entry": [{
    "fullUrl": "resource:0",
    "resource": {
        "resourceType": "Patient",
        "name": [{
            "family": "Anyperson",
            "given": [
                "Johnathan",
                "Biggleston III"
            ]
        }],
        "birthDate": "1951-01-20"
    }
},

"vaccineCode": {
    "coding": [{
        "system": "http://hl7.org/fhir/sid/cvx",
        "code": "207"
    }]
},
"occurrenceDateTime": "2021-01-29",
"performer": [{
    "actor": {
        "display": "ABC General Hospital"
    }
}],
"lotNumber": "Lot #0000001"
https://www.cdc.gov/vaccines/programs/iis/COVID-19-related-codes.html

Conclusion

marcan2020
