2021-08-23
A local software developer has found a simple way to create a fake COVID-19 digital vaccine certificate using the official government app, one that’s indistinguishable from the real thing. His discovery raises concerns about the security of the vaccine passport certificate system.
Richard Nelson, a Sydney-based software developer, reported the vulnerability to the Department of Health late last week. He also showed video proof of “his” COVID-19 digital certificate on a mobile device, even though he has not been vaccinated.
Nelson claims he was able to produce this because the government’s Express Plus Medicare app — which generates the COVID digital certificate based on data from the Australian Immunisation Register (AIR) — is vulnerable to what’s called a “man-in-the-middle” attack.
In simple terms, when the Medicare application needs to show whether a user is vaccinated, it sends a request to the server, and the server’s response tells it whether they have been vaccinated or not.
A man-in-the-middle attack intercepts that request and sends back its own response. To use an analogy, it’s like a letter handed to a courier for delivery to a pen pal being redirected to a different address and answered by someone else. In this case, the answer to the request (has this person been vaccinated?) can be spoofed because it comes from someone other than the real server.
When this is carried out, the user ends up with a completely authentic-looking vaccine certificate because it’s generated by the government’s official application which really thinks the user has been vaccinated.
What makes this possible is that the Express Plus Medicare app does not check where this information came from. It’s relatively common for applications to require that a response from a server be signed or otherwise verified, like a signature on a letter that proves it came from who it says it does.
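The signed-response check described above, as an added example in Go that is not the government’s or Nelson’s code: the message format, the field names and the idea of shipping the server’s public key inside the app are assumptions, since the article does not describe the real AIR/Medicare protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// StatusClaim is a constructed stand-in; the real AIR/Medicare message format is not on the page.
type StatusClaim struct {
	Subject    string `json:"subject"`
	Vaccinated bool   `json:"vaccinated"`
}
// StatusResponse carries the serialised claim plus an Ed25519 signature over it.
type StatusResponse struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// signStatus is the hypothetical server side: it signs the serialised claim.
func signStatus(priv ed25519.PrivateKey, claim StatusClaim) (StatusResponse, error) {
	payload, err := json.Marshal(claim)
	if err != nil {
		return StatusResponse{}, err
	}
	return StatusResponse{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// verifyStatus is the client-side check the article says the app lacks: pub is the server's
// public key shipped inside the app, so a reply not made by the matching private key is rejected.
func verifyStatus(pub ed25519.PublicKey, resp StatusResponse) (StatusClaim, error) {
	if !ed25519.Verify(pub, resp.Payload, resp.Signature) {
		return StatusClaim{}, fmt.Errorf("signature invalid: response not from the expected server")
	}
	var claim StatusClaim
	if err := json.Unmarshal(resp.Payload, &claim); err != nil {
		return StatusClaim{}, err
	}
	return claim, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	resp, _ := signStatus(priv, StatusClaim{Subject: "demo", Vaccinated: false})
	// An interposed reply whose payload was rewritten no longer matches the signature.
	resp.Payload, _ = json.Marshal(StatusClaim{Subject: "demo", Vaccinated: true})
	_, err := verifyStatus(pub, resp)
	fmt.Println("rewritten reply rejected:", err != nil)
}
```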
Nelson is surprised this weakness exists, expecting that such a common and obvious issue would have been raised in a security audit.
“Either they didn’t get one done, or decided to accept any risks,” he said.
More broadly, Nelson says he’s concerned that the system is set up in a way that someone who views the certificate cannot easily verify whether it’s real or not.
“If this is to be what’s used to, for example, let people into restaurants or bars then it really must be more robust than an animation on the screen. This is not foolproof at all,” he said.
Australia’s COVID-19 vaccine digital certificates are not yet used to determine entry to venues, but the Nine newspapers reported that the federal cabinet is considering allowing state QR code check-in apps to access AIR data to determine whether someone is vaccinated.
I would have thought security of data and all that involves would be the major issue when the program was started. Are these developers sleeping? What’s always in the news is that our data is being used/sold to almost anyone.
Very poor selection by govt. – friend of friend selection? Etc etc.
By the way, overseas vaccine passports easy to obtain without being vaccinated. Hackers making good money. Not sure how this can be changed.
Government departments, particularly federal ones, are very weak on security, just ask the Australian Signals Directorate.
We have a prime example in the COVIDSafe app, pushed by our Prime Minister as the means of getting us out of COVID-19, some time ago.
Remember the main cause of security breaks are people, just as the main cause of Covid-19 spreading is people.
Yet again, the Scomonic junta posts another fail! What is needed before this mob are banished to their own detention centres forever???
If you read the ABC and even The Guardian, let alone Sky News or Murdoch, it is obvious why Morrison is still with us.
The LNP, always keen to get access to our comms, but consistently terrible at even the most basic security – why? – because they don’t give a foetid rat’s freckle.
Another own goal by internet genius Stewart Robert?
He might have been busy looking for ways to best bring back Robodebt against recipients of JobSaver – or even researching ways to make a profit on your government internet connection.
That is Brother Stewie, no doubt doing God’s work as well.