Australia Corona Virus News

COVID-19 vaccination certificates at risk of forgery after discovery of another security flaw

Source: ABCnews

The federal government’s COVID-19 vaccination certificate can be forged using a widely known technique to bypass the protections.

Fenn Bailey, a software developer in Melbourne, stumbled upon the security flaw this week after reading about other publicised vulnerabilities.

He discovered the government was relying on a “high-school grade permissions password” to prevent unauthorised people from being able to alter or copy versions of the vaccination certificates.

Mr Bailey found it was then possible to change a name or the vaccinated status on the certificate.

Photo: About half of fully vaccinated Australians have accessed their COVID-19 vaccination certificate. (Getty: Mark Kolbe)

“One could argue that this means these [documents] are not certificates, in that they fail to meet the definition of being certified as authentic,” Mr Bailey said.

“You can make it say whatever you want.”

This isn’t the first time a member of the public has found a way to forge a version of the federal government’s vaccination certificate.

But the fact it can be done so easily shows the government did not take basic steps to prevent forgery, Mr Bailey said.

“To anyone who is fairly qualified in this field, the failings are dramatic,” he said.

Other vulnerabilities that allow the certificates to be forged have gone unfixed after being brought to the government’s attention, including a method reported more than two weeks ago.

This could create problems when relying on the certificates to grant extra freedoms to the fully vaccinated.

Will NSW vaccine passport be any more secure?

From next week, fully vaccinated New South Wales residents will be able to spend more time outside, with police monitoring their vaccination status.

It’s expected other freedoms will be granted as the vaccination rate improves.

But given the security holes in the vaccine certification system, it’s not clear how authorities, or workers at pubs, cafes and restaurants, will be able to spot any potential forgeries.

One solution may be a new, more secure app.

Photo: NSW Minister for Customer Service Victor Dominello with the Service NSW vaccine passport to be trialled next month. (Supplied: Victor Dominello on LinkedIn)

From October, the federal government will issue vaccination passports for people to use when they travel overseas.

Though details are scarce, these appear to have better security than the vaccination certificates, with a QR code to verify vaccination status.

However, there are no plans to roll these out for domestic use.

That leaves the possibility the states will develop their own vaccine passport systems.

From early October, the NSW government will trial a vaccine passport system within the Service NSW app, which is currently used for venue check-ins.

Image: A series of screenshots showing how the Service NSW vaccine passport will work. (Supplied: Service NSW)

In response to questions from the ABC, Service NSW did not share details of how the app will work, such as whether it would directly access the Australian Immunisation Register for proof of vaccination or instead rely on a person’s federal vaccination certificate.

“Service NSW is working closely with the federal government on the ability to display a COVID vaccination certificate within the Service NSW app and link vaccination status with the COVID-Safe Check-In,” a Service NSW spokesperson said in a statement.

“The vaccination certificate and check-in screens will have a number of security features which can be validated to help reduce risk of fraud.”

The spokesperson did not respond to questions about whether the federal government certificates would still be accepted as proof of vaccination alongside the Service NSW app.

If they were accepted, the forgery problem would remain, regardless of whether or not the NSW app was secure.

At the same time, not accepting federal vaccination certificates could create widespread confusion.

Senate Estimates heard last week that about 3.5 million Australians have accessed their federal government vaccine certificates.

On top of this, most appear to be intending to use the existing certificate (which can be more easily forged than the in-app digital certificate).

Australia’s vaccination rollout

Chart: 40.4% of the population aged 16+ (20.6m) fully vaccinated, 65.4% with at least one dose. At our current pace of 818,041 second doses a week, we can expect 70 per cent of Australia’s adult population to be fully vaccinated by early November 2021. Dates refer to the reporting date (usually the day following vaccination), not the vaccination date.

Services Australia chief executive officer Rebecca Skinner told Senate Estimates that the government agency was helping people print their certificates.

“We also have people who phone in to our help desk phone lines and ask for us to send a printed version, and we’re doing that as well,” she said.

“And, where people are able to move around in the community, they are also stopping into service centres, and we print it out for them there as well.”

Photo: Senator Rex Patrick has forged his own COVID-19 vaccination certificate in an effort to expose flaws in its design. (ABC News: Matthew Doran)

Senate Estimates also heard that about a third of the 3.5 million Australians who have accessed their certificates had taken the trouble of setting up the Express Plus Medicare app digital certificate.

The remainder, about 2 million, appear to be intending to use the digital certificate.

This points to a future scenario where easily forged certificates are the most common way of proving vaccination status.

Asked about the risk of forgery, Ms Skinner told Senate Estimates that both the in-app digital certificate and the PDF version could be trusted.

“If anyone was at all concerned that someone’s vaccination certificate was not accurate, and it was required for some assured purpose, then the assured certificate is the one available in the Express Plus Medicare app or able to be printed out or found in your immunisation history statement.”

Video: A video showing a fake vaccine passport complete with “anti-fraud” features. (YouTube)

But members of the Australian tech community have shown that all versions of the federal government’s vaccine certificates can be faked. 

Software engineer Richard Nelson, for instance, has demonstrated he can add any name or type of vaccine — including drugs that are not vaccines — to an “anti-fraud” certificate on the Express Plus Medicare app.

He says the certificates will remain easy to fake until they feature a digital signature, like the kind used in the EU’s vaccine passports.

“I think very few people have put effort into understanding what the issue is here,” he said.

The vulnerability in the Express Plus Medicare app that allows him to forge certificates has not been fixed, more than two weeks after he alerted the government.
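The digital signature Mr Nelson refers to is what makes a certificate tamper-evident: a verifier holding only the issuer’s public key can tell whether any field was changed after issuance. The following Go program is an added illustration, not code from the article or from any government system; the certificate fields, names and vaccine label are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Certificate holds the fields a venue would check. Constructed for this
// example; the layout of the real federal certificate is not described here.
type Certificate struct {
	Name    string `json:"name"`
	Vaccine string `json:"vaccine"`
	Doses   int    `json:"doses"`
}

// SignedCertificate binds the payload to the issuer's signature over it.
type SignedCertificate struct {
	Payload   Certificate
	Signature []byte
}

// canonical returns a deterministic encoding so that issuer and verifier
// sign and check exactly the same bytes (struct field order is fixed).
func canonical(c Certificate) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Issue signs the certificate with the issuer's Ed25519 private key.
func Issue(priv ed25519.PrivateKey, c Certificate) SignedCertificate {
	return SignedCertificate{Payload: c, Signature: ed25519.Sign(priv, canonical(c))}
}

// Verify checks the signature against the issuer's public key. Editing any
// field (name, vaccine, dose count) after issuance makes this return false.
func Verify(pub ed25519.PublicKey, sc SignedCertificate) bool {
	return ed25519.Verify(pub, canonical(sc.Payload), sc.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sc := Issue(priv, Certificate{Name: "Sample Person", Vaccine: "Vaccine A", Doses: 2})
	fmt.Println("genuine certificate verifies:", Verify(pub, sc))
	edited := sc
	edited.Payload.Name = "Someone Else" // the kind of edit the article describes
	fmt.Println("edited certificate verifies:", Verify(pub, edited))
}
```

A PDF permissions password provides none of this: it asks the viewer to honour a flag, whereas the signature check fails on the bytes themselves.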

‘Exponential’ growth in demand for fake certificates

Meanwhile, demand for fake vaccine certificates appears to be on the rise globally.

Matt Warren, director of the RMIT Centre of Cyber Security Research and Innovation, said vaccine certificates were being forged from the US to the UK.

The Australian certification system, he said, has “real issues of integrity”.

“Nothing has been done to create a secure system,” he said.

“I think certainly the anti-vaxxers will be the market for those forged certificates because they want to travel.

“They’ll want to go to the footy, to pubs and restaurants.”

Photo: A patient holding a CDC vaccine card. (Getty: Joan Slatkin)

On the encrypted messaging app Telegram, anonymous sellers offer forged Australian vaccine certificates alongside those for other countries.

The going price per digital certificate is about $US200.

The sales pitches in messaging groups include anti-vaccination statements, such as: “We are here to save the world from this poisonous vaccine”.

One seller who said he was based in the US claimed to have made “many” certificates for Australians, though this cannot be confirmed.

Image: A purportedly forged immunisation history statement, with personal details blurred. (Supplied)

Security researchers at Check Point Software Technologies say they’ve seen exponential growth in volumes of followers and subscribers to groups and channels offering COVID-19 certificates.

Mr Nelson has also been contacted by Australians wanting fake certificates, demonstrating there is demand within Australia for them.