October 08, 2021

Vaccine Passport App Vulnerabilities: an Overview

Due to high demand, digital vaccine passports are being rushed out worldwide. However, they often have serious data security and validity issues. Let’s see what some of these vulnerabilities are and how ID readers can help spot criminals exploiting vaccine passport apps with fake COVID certificates.

Keeping a document on you that proves you received the necessary doses of a COVID-19 vaccine can be a nuisance. However, more and more people accept it as the price of returning to normalcy.

As countries are reopening their borders, there is a justifiable demand for digital versions of our vaccine passports, and states are answering that demand as fast as they can. But because these apps are rushed out, many of them come with severe vulnerabilities.

In this article, we collected the most notorious cases. We also propose a viable option for spotting convincing but forged analog and digital vaccine passports.

Why Is Vaccine Passport Vulnerability a Risk?

We all know that there is no such thing as a perfect mobile application. In many cases, a bug is nothing more than a nuisance. However, vulnerabilities become a serious concern for apps that store sensitive data, such as a vaccine passport.

New York Times correspondent Ceylan Yeğinsu writes that the main problem is that a passport is a government-issued document for certifying personal data. So “many people fear […] handing over personal and sensitive health information that data controllers can easily abuse.” And unlike medical facilities where laws strictly regulate how such information must be handled, businesses outside the health industry can do whatever they want with our health data.

Panda Security, a manufacturer of antivirus solutions, conducted non-representative research regarding vaccine passports. It turned out that 56% of respondents worry about the security of their data. Unfortunately, they have every reason to fear falling victim to data theft: in the early stages of the COVID-19 pandemic, four U.S. states suffered cyberattacks targeting unemployment benefits applicants.

The results of Panda Security's study, showing that 56% of people have concerns for their data's safety
Courtesy of Panda Security

As such, digital COVID certificates should be bulletproof from the get-go. However, these apps had to be developed rapidly to lift travel and social restrictions as soon as possible. This resulted in flaws of varying degrees of concern.

Examples of Known Digital Vaccine Passport Vulnerabilities

NYC Safe: One Photo to Fool Them All

It’s hard to tell from a printed vaccine passport whether it’s fake or not, let alone from a photo of the document. This was the case with New York’s NYC Safe application. Heavily criticized for being nothing more than photo storage for paper-based COVID passports, the application allowed individuals to upload any document, legitimate or forged. The weakness of the system became all too evident when it accepted a portrait of Mickey Mouse as proof of vaccination.

NYC Excelsior Pass Wallet: Fake Credentials

The infamous case of this U.S. digital vaccine passport for the citizens of New York State highlighted another type of risk. As discovered by the NCC Group, the NYC Excelsior Pass Wallet application allowed individuals to create and store fake vaccine credentials by simply scanning a phony document. Users could easily exploit the fact that the COVID certificate wasn’t appropriately verified.

Australia’s Express Plus Medicare: Replicating the Animated Validator

Ten minutes. This is all it took for Richard Nelson, a software engineer in Sydney, to expose the vulnerability of Australia’s Express Plus Medicare COVID-19 application. He also proved why QR codes are a must for vaccine passports. The main issue with the Australian COVID certificate is that aside from basic data, it features a supposedly unique animation to demonstrate the passport’s validity. Nelson could easily replicate this animation, allowing him to create as many fake digital vaccine passports as he liked.

A Set of Vaccine Passports Showing Their Respective Status Screen

Québec’s VaxiCode Verif: Forged Digital Signatures

Like many COVID certificate apps used worldwide, the digital vaccine passport issued by Québec, Canada, uses QR codes containing the necessary vaccination data combined with digital signatures. The digital signature relies on asymmetric cryptography, using a key pair. In theory, this guarantees that the validator app does not accept fake credentials as legitimate.

A cybersecurity expert still managed to fool VaxiCode Verif relatively easily. He generated a key pair and made the public key available on a website he controlled. Then he created two QR codes: one posed as a valid digital vaccine passport and pointed to his public key; the other was a plain fake COVID certificate. He first presented the QR code pointing to the public key to the app. The app correctly rejected it as a COVID certificate but, at the same time, downloaded the public key and kept it. After that, the app verified the other fake digital vaccine passport as valid.

We should add that the app’s developers reacted quickly. Soon after the incident, they released a new version that eliminated the problem.
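To make the trust problem above concrete, here is an added example (not VaxiCode Verif's code; the certificate format, issuer URLs and names are constructed stand-ins): a verifier that resolves an unknown issuer key from the URL the certificate itself names, beside the hardened form that only consults a pinned trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Certificate is a constructed, simplified QR payload; Issuer is the URL at which the
// issuing authority supposedly publishes its public key.
type Certificate struct{ Issuer, Name string }
func digest(c Certificate) []byte {
	h := sha256.Sum256([]byte(c.Issuer + "\x00" + c.Name))
	return h[:]
}
// Verifier holds the trust store (issuer URL -> public key) and checks ECDSA P-256 signatures
// against it. fetch is nil when hardened; when set, an issuer URL missing from the store is
// fetched from the network and cached, which is the flaw described above.
type Verifier struct {
	keys  map[string]*ecdsa.PublicKey
	fetch func(issuerURL string) (*ecdsa.PublicKey, bool)
}
func (v *Verifier) Verify(c Certificate, sig []byte) bool {
	pub, ok := v.keys[c.Issuer]
	if !ok && v.fetch != nil {
		if pub, ok = v.fetch(c.Issuer); ok {
			v.keys[c.Issuer] = pub // the certificate has just chosen its own trust anchor
		}
	}
	return ok && ecdsa.VerifyASN1(pub, digest(c), sig)
}
func must[T any](v T, err error) T { // RNG failure is the only error source here
	if err != nil {
		panic(err)
	}
	return v
}

// Demo issues one genuine certificate and one signed with a key that is merely self-published
// on the web; expected result: genuine accepted, forged accepted by fetching, rejected by pinned.
func Demo() (genuineAccepts, forgedFetching, forgedPinned bool) {
	const govURL = "https://health.gov.example/key"
	gov, other := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	genuine := Certificate{Issuer: govURL, Name: "A. Person"}
	forged := Certificate{Issuer: "https://anyone.example/key", Name: "B. Person"}
	genuineSig := must(ecdsa.SignASN1(rand.Reader, gov, digest(genuine)))
	forgedSig := must(ecdsa.SignASN1(rand.Reader, other, digest(forged)))
	web := map[string]*ecdsa.PublicKey{govURL: &gov.PublicKey, forged.Issuer: &other.PublicKey} // stand-in for HTTP
	fetching := &Verifier{keys: map[string]*ecdsa.PublicKey{govURL: &gov.PublicKey},
		fetch: func(u string) (*ecdsa.PublicKey, bool) { k, ok := web[u]; return k, ok }}
	pinned := &Verifier{keys: map[string]*ecdsa.PublicKey{govURL: &gov.PublicKey}}
	return pinned.Verify(genuine, genuineSig), fetching.Verify(forged, forgedSig), pinned.Verify(forged, forgedSig)
}
```

The only difference between the two verifiers is where the key for an issuer may come from; a correct signature proves nothing unless the key itself was trusted before the certificate was presented.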

EU Digital COVID Certificate: Vaccinating the Dead

When it comes to the European vaccine passport, called the EU digital COVID certificate, experts, especially those overseas, usually praise it for implementing the strict privacy rules of the GDPR. In fact, allowing EU member states to develop their own versions of the COVID certificate was a risk, which eventually paid off. That doesn’t mean there were no flaws, however.

Tim Berghoff of G DATA, a German computer security company, pointed out many issues with the German version of the EU certificate. We’ll highlight two:

  1. In the case of paper-based COVID certificates issued by a pharmacy or a doctor’s office, the accuracy of the data transferred into the app wasn’t verified. Cybersecurity experts managed to validate an EU vaccine passport even though it showed the same date for the test subject’s first and second vaccination.
  2. Berghoff and his team could create a vaccine passport for Robert Koch, a German microbiologist from the 19th century. The EU COVID certificate had no problem validating the vaccination of a long-dead person.

Example of a Vaccine Passport
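Both findings are failures of plausibility checking rather than of cryptography. As an added example (not G DATA's tooling and not the EU certificate's real schema; the record layout and the 125-year age bound are assumptions), here is the kind of sanity check a validator can run on the decoded data before trusting it:

```go
package main

import (
	"errors"
	"time"
)

// Record is a constructed, simplified view of the fields a vaccination certificate
// carries; field names are assumptions, not the EU certificate's actual schema.
type Record struct {
	Name        string
	DateOfBirth time.Time
	Doses       []time.Time // administration date of each dose, in the order given
}

// maxAge is an assumed sanity bound: no living certificate holder is older than this.
const maxAge = 125 * 365 * 24 * time.Hour

// CheckPlausible applies the checks the two cases above show were missing: the holder
// must be alive today, every dose must fall within the holder's lifetime, and
// consecutive doses must not share a date (or run backwards in time).
func CheckPlausible(r Record, today time.Time) error {
	if r.DateOfBirth.After(today) || today.Sub(r.DateOfBirth) > maxAge {
		return errors.New("date of birth not compatible with a living holder")
	}
	for i, d := range r.Doses {
		if d.After(today) || d.Before(r.DateOfBirth) {
			return errors.New("dose date outside the holder's lifetime")
		}
		if i > 0 && d.Sub(r.Doses[i-1]) < 24*time.Hour {
			return errors.New("consecutive doses on the same date or out of order")
		}
	}
	return nil
}
```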

Are Paper-Based Vaccine Passports the Answer?

Not quite. Granted, it seems like a logical step to abandon digital vaccine passports and simply carry paper vaccination certificates in our pockets.

Like their digital counterparts, paper-based certificates were also rushed out. This led to analog vaccine passports being easily forgeable. In the U.S., the Centers for Disease Control and Prevention (CDC) issued a certificate with data written in ink. It isn’t surprising that scammers took their chance and flooded the black market with fake vaccine passports.

Consequently, these fake certificates could quickly end up in COVID apps with minimal or no authenticity validation. This allows unvaccinated people to enter places that require individuals to be vaccinated.

Verifying Vaccination Status

Application bugs and issues will always be discovered and eliminated sooner or later. This is what happened in the case of the apps of Québec and the State of New York. Furthermore, digital COVID certificates – at least those implementing digital signatures – are still more resistant to forgery than their paper-based counterparts. In any case, those who trust analog vaccine passports more should make sure they store them in a secure location.

If you are part of a business and have to verify the validity of digital vaccine certificates, there are two things you should consider. First, check and double-check the document in front of you. Although some national and international vaccine passports do not feature advanced security solutions like digital signatures, they are in the minority. The number of states requiring vaccine passports is rising, and many of them are unlikely to accept vulnerable certificates as valid travel documents.

Second, one way to verify that an individual isn’t presenting a fake COVID certificate is to cross-check it against another ID document. An advanced automated ID reader like Osmond can verify a travel passport’s authenticity while also extracting virtually all data from the passport via optical character recognition, including the traveler’s name, country of origin, and more.