A local software developer has found a simple way to create a fake COVID-19 digital vaccine certificate using the official government app, one that's indistinguishable from the real thing. His discovery raises concerns about the security of the vaccine passport certificate system.
Richard Nelson, a Sydney-based software developer, reported the vulnerability to the Department of Health late last week. He also showed video proof of "his" COVID-19 digital certificate on a mobile device, even though he has not been vaccinated.
Nelson claims he was able to produce this because the government's Express Plus Medicare app (which generates the COVID digital certificate based on data from the Australian Immunisation Register (AIR)) is vulnerable to what's called a "man-in-the-middle" attack.
In simple terms, when the Medicare application goes to access data to show whether a user is vaccinated, it sends a request to the server, and the server's reply tells it whether they have been vaccinated or not.
A man-in-the-middle attack hijacks that request and sends its own response back. To use an analogy, it's as if a letter handed to a courier for delivery to a pen pal were redirected to a different address and answered by someone else. In this case, the answer to the request (has this person been vaccinated?) can be spoofed because someone other than the real server is answering it.
When this is carried out, the user ends up with a completely authentic-looking vaccine certificate, because it's generated by the government's official application, which genuinely believes the user has been vaccinated.
What makes this possible is that the Express Plus Medicare app does not check where this information came from. It's relatively common for applications to require that a response from a server be signed or otherwise verified, like a signature on a letter that proves it came from who it says it does.
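The defence the article describes, a server-signed response that the app verifies before rendering anything, as an added illustration (not the Medicare app's code; the record format, the envelope and the key handling are assumptions, and Ed25519 stands in for whatever scheme a real deployment would use):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Status is a constructed stand-in for the record the app fetches; the real message format is not on the page.
type Status struct {
	Subject    string `json:"subject"`
	Vaccinated bool   `json:"vaccinated"`
}

// SignedResponse is a hypothetical envelope: payload bytes plus the server's Ed25519 signature over them.
type SignedResponse struct{ Payload, Signature []byte }

// signStatus runs server-side and signs the serialised record.
func signStatus(priv ed25519.PrivateKey, s Status) SignedResponse {
	payload, _ := json.Marshal(s) // cannot fail for this struct
	return SignedResponse{payload, ed25519.Sign(priv, payload)}
}

// verifyStatus runs in the app: render a certificate only if the response
// verifies against the public key pinned in the app.
func verifyStatus(pinned ed25519.PublicKey, r SignedResponse) (Status, error) {
	if !ed25519.Verify(pinned, r.Payload, r.Signature) {
		return Status{}, errors.New("response not signed by pinned key; refusing to render")
	}
	var s Status
	err := json.Unmarshal(r.Payload, &s)
	return s, err
}

// Demo returns whether the genuine reply verifies and whether a reply
// rewritten in transit (vaccinated flipped to true) is rejected.
func Demo() (genuineOK, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := signStatus(priv, Status{Subject: "constructed-subject", Vaccinated: false})
	s, err := verifyStatus(pub, genuine)
	genuineOK = err == nil && !s.Vaccinated
	// An interceptor can rewrite the bytes but cannot sign them with the server key.
	forged, _ := json.Marshal(Status{Subject: "constructed-subject", Vaccinated: true})
	_, err = verifyStatus(pub, SignedResponse{forged, genuine.Signature})
	tamperedRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The check only helps if the public key is pinned in the app rather than fetched over the same connection, and it does nothing for a device where the app itself has been modified.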
Nelson is surprised this weakness exists, expecting that such a common and obvious issue would have been raised in a security audit.
"Either they didn't get one done, or decided to accept any risks," he said.
More broadly, Nelson says he's concerned that the system is set up in a way that someone who views the certificate cannot easily verify whether it's real or not.
"If this is to be what's used to, for example, let people into restaurants or bars then it really must be more robust than an animation on the screen. This is not foolproof at all," he said.
Australia's COVID-19 vaccine digital certificates are not yet used to determine entry to venues, but the Nine papers reported that the federal cabinet is considering allowing state QR code check-in apps to access AIR data to determine whether someone is vaccinated.
This article was first published by Crikey.