FAQed Up — Article #2

Philippine Statistics Authority, this is not encryption.

They tried with the ePhilID but fell short; in fact, it made everything worse.

Syrah Aldana

--

Dearest reader,

I have discussed with you the initial findings I had with the vulnerabilities of the National ID in its PVC Card version. Just a little briefer if you must, here’s the article for it. As always, this document is for informational and educational purposes only. It contains materials that can be potentially damaging or dangerous. If you plan to use what’s written here for something illegal, you are strictly enforced to leave.

Now that’s settled, let’s dive in. But before we proceed, I warn you to tread lightly with what you are about to learn.

I’ve successfully created a fake QR.

We’ll start with a little activity. Open your preferred browser on your mobile phone and go to the PhilSys Check website (https://verify.philsys.gov.ph/). Once the site has completely loaded, click on “Scan QR” and aim your camera at one of the QR codes below.

Click to enlarge this photo for the checker to scan the QRs properly.

Last April 28, just 4 days after I sent my findings to the authorities, the Department of Information and Communications Technology—National Computer Emergency Response Team (DICT-NCERT) coordinated with the Philippine Statistics Authority (PSA) for the most recent update in the PhilSys Check verifier, as you’ve seen after scanning the codes. It shows invalid because yes, these QRs are fake.

Going back to the day I decided to further investigate the National ID’s vulnerabilities, I turned to the QR in the ePhilID to somehow alleviate my disappointment in the PVC QR’s effortless identity-theft duplication flaw. To the casual eye, both look like regular QR Codes until you put them side by side and see that the ePhilID’s is bigger. It is also slower for the QR scanner to read; it took me several attempts at rotating and zooming the code’s position for the camera to scan it. This is because it contains more text than the PVC’s and, when scanned, it shows the following data.

Two versions of one identity. The PVC’s QR Code compared to the ePhilID’s and its extracted text.

Wow, I hear you say, they’ve successfully hidden the initially exposed format and information of the holder’s ID from the PVC version of the document. My mind immediately went: encryption. So I basically have to give up at this point because not in the next decade can one read the cryptic text unless you have the key for it. Except, it wasn’t encrypted. Upon closer inspection, the “PH1:” prefix looks somewhat similar to one format which was utilized widely back at the time of the COVID-19 pandemic. I pulled out the project we’ve developed for contact-tracing of the virus back then and ran a script through the QR’s extracted text to decode it. Here’s what I got.

//Total of 915 Characters
C�'�Y�bPHc����ckey��adj2022-12-16aicPSAbsb�asfFemalebBFe[1,2]
bfneSYRAHblnfALDANAbmnfGALVEZbsf`cDOBj2000-05-20cPCNp---03546215----cPOBp
JORDAN, GUIMARAScimgYtRIFFl��WEBPVP8.........�k��8K����9p�
+�n�!wM�dx��,�^���_�{=G[tɰ������]��

I can see my complete name, the obvious indication that this is not encrypted to begin with. I have shortened the decoded text, but the rest of it is just special characters that need to be passed through another script to show their actual data. But the display of identifiable information from the ID confirms my theory on the method used to obscure the holder’s details. Lo and behold: the EU Digital COVID Certificate or, as locally implemented here in the Philippines by DICT and DOH, VaxCertPH.

//VaxCertPH QR Extracted Text
HC1:6BFOXNYTSFDHJI8-.OT0E6%N48Q*UP2NB$NUT91BXAS%D +0BKAEPF.
C2RRIC0WSA3/-2E%5G%5TW5A 6+O6XL6Q3QR$P*....

//PhilSys ePhilID QR Extracted Text
PH1:RRQXO8P609CK B00XKDJCX495F33 J*8H:FKQPCC$CD536ZKBVCNF6P
F64W5KF6/967EC:OCSNA3KCCLCHEC$-C0$CAECY....

The process of converting this obscured text to human readable content is widely documented and readily available in various sources online. The first script to decode the initially extracted data from the QR is a portion of code from an unused feature of the mobile app in our contact-tracing and mitigation system, QVID. I tried to apply the encoding used in the EU COVID Pass to our own QV.ID QR code back then but eventually ditched it because of the extreme increase of length from the original text—if you only had one attempt to scan your ePhilID QR, you’re a miracle—and ultimately, it’s not encrypted at all.

Let’s proceed with decoding the gibberish into something much more pleasing to the eye. I’ve modified my old code to suit the format used in the ePhilID through trial and error. Since the initial code I had was for the creation of the QR, the modification was written to parse and decode the text this time. After feeding the extracted QR text into the new script, oh well.

{
1:"PH",
6:1671209608,
8:{
3:"key"
},
169:{
"d":"2022-12-16",
"i":"PSA",
"sb":{
"s":"Female",
"BF":"[1,2]",
"fn":"SYRAH",
"ln":"ALDANA",
"mn":"GALVEZ",
"sf":"",
"DOB":"2000-05-20",
"PCN":{---redacted---},
"POB":"JORDAN, GUIMARAS"
},
"img":h'524946466c010000574542505650382060010000f008009d012a2d002d003f117ab5532c27a522ae34099980220969000b0ec294189fe479f5d80f9bce77b2d63a8811e0530bb1fa3d61de6190bbec8751804b2879a82eedc0dc35adab314592de21a40000e22ad5b8bcecf33c7d433675049e85d45c87d72b0af15f6fb4206371f6375bb4c15c7423f89eaed9b21c0bfd510a644deb7de0119aea4954db83446712015b0809b0c635b954e055d9a1e1f91e8134b912beae94b561fcf7d3b444670c894072387b0410992d8a78996920f68a03a2a87dd632d0fd83323d3ca4bfb6eb30b7c694cd953f137bc3f3734e1d2549e1ebf4d7176da85a7b78fb27db1006a9c0bf535c3f2500a6576ab4a42d710bd01b1bc26a29f99b3ce771b1812c346146d6fcd73665ea57a6301eca02b987b1e506dbbfdb7824b46089cba2f9836c684a222ccc8af872d2cdc776f736f307994b98406c3ea54bab37a09d468db704cb03f696ec7972a8e3a488c9e67c1a8010cb4000'
}
}

Clear as day. Notice that these are the exact same fields from the PVC QR Code, with only the image (“img”) detail added at the end of the list. This time, I am fully aware of the applied digital signing, which means that despite the data being exposed, you cannot edit any text in the QR without it coming up as invalid in the PhilSys Check. Boy oh boy, how wrong I was.

April 22, 2023: Modified first name passes as valid in the PhilSys Check website.

I’ve always liked the name “Pilar” and PhilSys Check just made one hopeful wisher’s dream come true with this surprise. Yes, I was still in denial when the modified first name passed with a blaring green check in the verifier. I thought it could’ve been just a smidge of a mistake. Maybe the first name field was accidentally not included in the digital signing while the other details are not changeable.

So I replaced the last name, generated the QR, valid. Changed the middle name and filled in the empty suffix, still valid. Switched the sex field to Male, still valid. Flew all the way to Egypt for my place of birth, still valid. Scrolling back a few years in the birthdate to make myself a tad bit older (not that I already am), still valid. Transferred my best fingerprint captured to both my pinkies, still valid (fun fact: I wasn’t supposed to have any fingerprint data in the QR due to the damaged skin on my finger pads making it difficult to capture, so I don’t know why it was present in my ePhilID). This time, I’m slowly inching away from my desk and holding on to a very thin string of hope in the last untouched field of the QR.

As I had mentioned in our previous article, the PVC fails the physical check due to the lack of visual reference of the holder. The ePhilID addresses this with a front-facing photograph shown once scanned via the PhilSys Check. If I cannot change the photo, all my previous attempts in replacing the details of my QR become useless, for a simple mismatch of the holder’s face will rule everything as fake. My confidence in the security of the ePhilID hangs on that image field as I attempt to decode its contents. I grabbed the most beautiful portrait I could find from Pinterest, replaced the “img” data and finally generated the QR Code. Crossing my fingers while muttering a silent prayer, trusting for the red of the invalid symbol to appear once more and finally quash my fears.

April 22, 2023: Fictitious ePhilID QR code passes as valid in the online authentication of the PhilSys Check.

I remember slamming my laptop shut and forcing myself to a second cup of coffee. The time I went back to work was night, a quarter past nine, and I was drafting an email to DICT-NCERT and NPC. Of course, it was automatic that I think about the “dangerous what ifs” in this situation because it’s been long since the first public release of the paper equivalent of the National ID.

May I remind you, the script I’ve used to parse the text and create a fictitious QR is open source. Having the code in my archives is no coincidence. My company and I were not the only ones developing apps and systems during COVID; the entire world was. Why would PSA assume that no one will spare time to figure out the encoding of the ePhilID QR when its decoding process is publicly available? It took me over 2 days to modify the script. What do you think others can do in the 7 months and 27 days since the first release of ePhilIDs last September 2022?

Philippine Statistics Authority relied on hiding the QR’s content, thinking that simply converting it to a non-human readable format behind a random string of letters equates to data protection.

No, PSA. This is not how encryption works. If it’s encrypted, I should not be able to create a fake one at all.

PSA’s response.

9:47 PM on the 24th of April 2023, the email was sent and the rest is history. DICT-NCERT reached out immediately the next day and coordinated the findings with PSA. Changes in the PhilSys Check website were in place by the 3rd day and after a couple more fixes, the anti-tampering remedy was completed by the 28th. The QR codes you’ve tested in the beginning were the actual codes attached to the email for their tests. They are the same codes I uploaded and scanned in the PhilSys Check after the update, confirming that the false details I changed have finally been flagged as invalid. There’s just one teensy issue.

Open the PhilSys Check website now and let it load completely. Next, turn off the internet connection on your device, be it WiFi or data. Be careful not to reload the webpage. Now, go back to the QR Codes at the start of this article and scan.

False QR still shows on the offline authentication of PhilSys Check as of June 09, 2023.

PSA referred to this in their official letter response as quoted in the following excerpt.

Issue #2: False QR code in ePhilID passes PhilSys Check Authentication
Regarding this issue, the PSA applied fixes to its backend system to enable the verification of the digital signature embedded in the ePhilID. This solution, however, imposes that the ePhilID authentication must be performed online for it to be reliable.
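What verifying the embedded digital signature before showing any field looks like, as an added example that is not PSA's code or part of the original article. Ed25519, the JSON payload and the sample values are assumptions; the check itself uses only the issuer's public key.

```javascript
// Added example, not PSA's code. Assumptions: Ed25519, a JSON payload, and
// field names borrowed from the decoded output shown earlier in this article.
const crypto = require('node:crypto');

// Constructed issuer key pair. A real verifier ships with the public key only.
const { publicKey: PINNED_ISSUER_KEY, privateKey: issuerPrivateKey } =
  crypto.generateKeyPairSync('ed25519');

// Issuer side: sign the exact bytes that end up in the QR.
function issueCredential(fields) {
  const payload = Buffer.from(JSON.stringify(fields), 'utf8');
  return {
    payload: payload.toString('base64'), // encoding only, no secrecy
    signature: crypto.sign(null, payload, issuerPrivateKey).toString('base64'),
  };
}

// Anyone can read an encoded payload: no key is involved in this step.
function readWithoutKey(credential) {
  return JSON.parse(Buffer.from(credential.payload, 'base64').toString('utf8'));
}

// Verifier side: check the signature over the raw bytes BEFORE parsing or
// displaying any field, and fail closed on every error path.
function verifyCredential(credential, issuerKey = PINNED_ISSUER_KEY) {
  try {
    const payload = Buffer.from(String(credential.payload), 'base64');
    const signature = Buffer.from(String(credential.signature), 'base64');
    if (!crypto.verify(null, payload, issuerKey, signature)) {
      return { valid: false, fields: null };
    }
    return { valid: true, fields: JSON.parse(payload.toString('utf8')) };
  } catch (err) {
    return { valid: false, fields: null };
  }
}

// Constructed sample data: re-encode one changed field, keep the old signature.
function withChangedField(credential, name, value) {
  const fields = { ...readWithoutKey(credential), [name]: value };
  const payload = Buffer.from(JSON.stringify(fields), 'utf8').toString('base64');
  return { payload, signature: credential.signature };
}

const genuine = issueCredential({ fn: 'JUANA', ln: 'DELA CRUZ', DOB: '1990-01-01' });
const altered = withChangedField(genuine, 'fn', 'PILAR');
console.log(readWithoutKey(genuine).fn);      // readable with no key
console.log(verifyCredential(genuine).valid); // signature matches
console.log(verifyCredential(altered).valid); // signature no longer matches
```

A verifier built this way never hands unverified fields to the display layer, so a changed payload has nothing to render.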

Not every transaction has you sitting in an air-conditioned room with a stable internet connection; in fact, the frequent transactions happen under the roof of a barangay gym or even house to house. The Department of Social Welfare and Development (DSWD) honors the National ID for its social welfare program beneficiaries such that indigents can avail of their cash assistance with the ID as their proof of identity.

No internet connection + fraudulent ePhilID QRs = ah, freedo—I meant scammers. A large portion of the Philippines still suffers from the lack of a stable internet connection or has no connectivity at all. And the National ID advocates for inclusion in the digital era of the country yet cannot address the crucial offline reliability. Scams were already widespread even before they escalated to digital platforms. This ranges from a simple individual having multiple IDs with several different addresses just so they can avail of benefits in every barangay to cases of fraudulent documents used to obtain receivables from remittance centers. Here’s a use case close to our hearts: I am required to show my ID upon receiving my online shopping deliveries, so let me conclude with that horror of somebody stealing your identity to receive it in your place.

This shortcoming with the PhilSys Check authentication has added more fuel to the hellfire. Made worse because the Philippine National ID is one of the established primary valid identification documents in the country.

IRR of Republic Act 11055, Rule II, Section 6, C.2 — Purpose.
The PhilID shall serve as the official government-issued identification document of cardholders in dealing with all national government agencies, local government units (LGUs), government-owned or controlled corporations (GOCCs), government financial institutions (GFIs), State Universities and Colleges (SUCs), and all private sector entities.

You want more fuel into that? This means the paper ID is equivalent to all the use of its PVC version. The paper printed ID is a primary valid ID.

Public advisory on the use of the ePhilID from the official website of the Philippine Identification System.

I’ll put a bet on this: PSA is going to enforce the online authentication for the ePhilIDs and eventually remove the offline display in the website. Then I’ll have to slap back the identity theft dilemma with the PVC QR once more. In the Philippines, whatever technology cannot accomplish, the law will find a way to cover it. A sad truth.

Effortless integration with the duplication method.

No guilloche, no micro-prints, no hologram but just your trusty ol’ printer paper. This got me thinking, the ePhilID doesn’t have any sort of visual “security features”—no, the watermark is not for security — except for the gigantic QR code occupying half of the entire front of the ID.

This follows the cloning process from the previous article (copying a valid PVC QR and changing its photo and address values), but instead of the PVC card, it’s printed on paper with the ePhilID’s uncomplicated layout. Is it questionable? The only way to check its authenticity is by scanning the QR on it, a QR that is undoubtedly valid. Again, there’s not going to be any front-facing photograph to compare to the holder’s visuals due to the PVC QR not storing any. Did PSA’s proactive strategy become a convenience for possible perpetrators to commit identity theft this easily?

Multiple fictitious National IDs using one valid PVC QR with ePhilID’s layout and material.

We’ve all seen how simple the ePhilID is constructed. I’ve also briefed you on how easy it is to replicate from the extracted QR code of the PVC ID. Mix it all together and you’ve ultimately cancelled out the laborious method of recreating the false ePhilID QR with only a valid PVC QR and a piece of paper.

Don’t.

You’ve seen, read and heard about the method in here first. Do not attempt to reproduce this. This is a precaution. If you’ve scanned an ePhilID QR code and it doesn’t show a photograph in the PhilSys Check verifier, report it immediately. PSA has measures to revoke the holder’s card and identity from use, so please be a responsible citizen and do not encourage the illegal act further. It’s the only thing we can do for now since the duplication method of the PVC ID QR passes with a green check on both the verifier’s online and offline authentication. And yet they considered it as a feature.

This is going to sound like a broken record already, how hard is it to encrypt the QR code? The method they used in the ePhilID had many layers in its encoding (4 to be exact) and yet it can still be read. Whilst encrypting it would only require a key and you can show it off to the public however you’d like. Also, remember PSA considered the plain-text data in the PVC QR as an intended feature which got me wondering: If there is not an issue with the first QR in the PVC, why did they change it?

What you can do for now is ensure to scan the ePhilID through the PhilSys Check via its online authentication in any and every kind of transaction. You cannot trust the authenticity of the paper National ID from its face value and offline state of the verifier anymore. No change in the PhilSys Check website can resolve ePhilID’s offline authentication vulnerability. Pair this with the PVC ID’s identity theft duplication technique, we can only end this in one conclusion.

The Philippine National ID needs to be replaced.

Alright, you can breathe now. This completes my investigation of the vulnerabilities in our Philippine National ID System. All in all, this took over a month in total. It started with the discovery and initial investigation on April 20, then the forwarding of the findings on the 24th, until the resolution on the PhilSys Check on the 28th. Ever since then, I was waiting for PSA’s official letter response while composing the draft for these articles until the said letter was forwarded to me just this 6th of June 2023.

I have more, shorter entries from here on, focusing on the other shortcomings—not “critical”—of our National ID alongside suggestions to fix it. Spread awareness and use the findings to protect yourself from the potential dangers.

Stay careful, everyone. See you in the next entry.


Kind regards,
Syrah.

This article is part of the FAQed Up series. A collection of fact finding and investigation reports that studies technology systems and applications implemented and developed in the Philippines. The entries are all accomplished and investigated by Syrah Aldana, Chief Technology Officer of ARKITEK Inc, a startup company. The series is part of the company’s initiative to empower proper use of technology in upholding data privacy and security in the rising digital age of the country.

--


Syrah Aldana

Chief Technology Officer at ARKITEK Inc. writing about data privacy and security, practical technology and memoirs on being a startup. Twitter: @syrahaldana