Due to a obvious security flaw near-perfect forgeries of the federal government’s COVID-19 vaccine digital certificate can be done in 10 minutes using free software, one member of the public found.
Richard Nelson, a software engineer in Sydney, found an “obvious” security hole in the Express Plus Medicare app, allowing him to make vaccine certificates with any name and date of birth and featuring background animations designed to prevent forgeries.
- A flaw in the Medicare app means Australia’s COVID-19 vaccine digital certificates can be forged
- A basic security audit would have identified the vulnerability
- Without confidence in certificates, governments may delay giving the vaccinated more freedoms
The Prime Minister previously stated that certificates are a “credible and effective” way for states to administer exemptions from the blocking aspects.
The discovery of the defect could put a brake on state and federal governments by allowing vaccinated people more freedom.
Mr. Nelson found a security vulnerability in the current system (which was launched more than two months ago) while rummaging through an Express Plus Medicare app one night last week.
“It’s a very basic flaw. I thought there would surely be some kind of mitigation to stop this kind of attack, but there hasn’t been.”
Other security experts have confirmed that this is an obvious vulnerability that could be identified by a basic application security audit.
To demonstrate how easy it is to falsify certificates, it took Mr. Nelson 10 minutes to produce a fake certificate bearing the name of this reporter (who didn’t have all the pictures yet).
Will this be fixed?
After discovering the defect, Mr. Nelson sent detailed instructions to the government but has not yet received a reply.
In response to ABC questions, a spokesman for Labor Minister Stuart Robert, who is ministerial in charge of data and digital policy, said the government had “iteratively updated vaccination certificates.
“The government will continue to iteratively update proof of vaccination certificates … including by strengthening security measures,” he said.
From the response, it was not clear whether the government would fix the vulnerability (which would require an update to the Medicare app).
A basic security check and an audit would have found flaw
The security vulnerability differs from the one identified by Senator Rex Patrick earlier this month.
The senator used “few graphical tools” to forge the PDF export of the vaccine certificate.
This only works with a PDF file, as the certificate in the application itself is tamper-proof with an animated checkmark, a live clock, and a flickering emblem (similar to the one used for a digital driver’s license).
As seen in the video above, Mr. Nelson’s more sophisticated spoof includes these anti-fraud features.
Mr. Nelson said the flaw would have been “absolutely” identified in a security audit.
“Or, they did not do a security audit,” he said.
This is not the first time an experienced software developer has breached government IT systems.
He was part of the tech community that found important vulnerabilities in the COVIDSafe app last year, including the fact that the tracking app didn’t work properly on a locked iPhone.
Privacy expert Vanessa Teague, another prominent member of the tech community, said the Medicare app crash “was not surprising after trying out COVIDSafe.”
‘Certificates need QR-code digital signatures’
Certificates also have a bigger security problem, he said.
Other designs, such as the one used by the EU, have a digital signature in the form of a QR code which can be verified as a defence against fraud.
Such a system would be much more difficult to fool.
“They still have to do something similar to what the EU has done,” Ms Teague said.
The prime minister noted that the vaccine certificate will be revised in October, although it is unclear if the new version will only be used for international travel and work alongside existing vaccine certificates.
In early July, the Australian Digital Health Agency, the official body responsible for various digital health initiatives, issued a tender request for a smartphone app to store digital vaccination certificates along with test results for COVID-19.
The proposed mobile application will be ready “by December 2021”
Robert’s spokesman did not respond to questions as to whether the government was working on a new type of vaccination certificate.