Source: ABCnews
The federal government’s COVID-19 vaccination certificate can be forged using a widely known technique to bypass the protections.
Fenn Bailey, a software developer in Melbourne, stumbled upon the security flaw this week after reading about other publicised vulnerabilities.
He discovered the government was relying on a “high-school grade permissions password” to prevent unauthorised people from being able to alter or copy versions of the vaccination certificates.
Mr Bailey found it was then possible to change a name or the vaccinated status on the certificate.
“One could argue that this means these [documents] are not certificates, in that they fail to meet the definition of being certified as authentic,” Mr Bailey said.
“You can make it say whatever you want.”
This isn’t the first time a member of the public has found a way to forge a version of the federal government’s vaccination certificate.
But the fact it can be done so easily shows the government did not take basic steps to prevent forgery, Mr Bailey said.
“To anyone who is fairly qualified in this field, the failings are dramatic,” he said.
Other vulnerabilities that allow the certificates to be forged have gone unfixed after being brought to the government’s attention, including a method reported more than two weeks ago.
This could create problems when relying on the certificates to grant extra freedoms to the fully vaccinated.
Will NSW vaccine passport be any more secure?
From next week, fully vaccinated New South Wales residents will be able to spend more time outside, with police monitoring their vaccination status.
It’s expected other freedoms will be granted as the vaccination rate improves.
But given the security holes in the vaccine certification system, it’s not clear how authorities, or workers at pubs, cafes and restaurants, will be able to spot any potential forgeries.
One solution may be a new, more secure app.
From October, the federal government will issue vaccination passports for people to use when they travel overseas.
Though details are scarce, these appear to have better security than the vaccination certificates, with a QR code to verify vaccination status.
However, there are no plans to roll these out for domestic use.
That leaves the possibility the states will develop their own vaccine passport systems.
From early October, the NSW government will trial a vaccine passport system within the Service NSW app, which is currently used for venue check-ins.
In response to questions from the ABC, Service NSW did not share details of how the app will work, such as whether it would directly access the Australian Immunisation Register for proof of vaccination or instead rely on a person’s federal vaccination certificate.
“Service NSW is working closely with the federal government on the ability to display a COVID vaccination certificate within the Service NSW app and link vaccination status with the COVID-Safe Check-In,” a Service NSW spokesperson said in a statement.
“The vaccination certificate and check-in screens will have a number of security features which can be validated to help reduce risk of fraud.”
The spokesperson did not respond to questions about whether the federal government certificates would still be accepted as proof of vaccination alongside the Service NSW app.
If they were accepted, the forgery problem would remain, regardless of whether or not the NSW app was secure.
At the same time, not accepting federal vaccination certificates could create widespread confusion.
Senate Estimates heard last week that about 3.5 million Australians have accessed their federal government vaccine certificates.
On top of this, most appear to be intending to use the existing certificate (which can be more easily forged than the in-app digital certificate).
[Chart: Australia’s vaccination rollout. 40.4% fully vaccinated, 65.4% at least one dose, of a population aged 16+ of 20.6m. At the current pace of 818,041 second doses a week, 70 per cent of Australia’s adult population is expected to be fully vaccinated by early November 2021. Panel: daily vaccinations (first doses, second doses, breakdown unknown, 7-day moving average), Feb 23 to Sep 9. Dates refer to the reporting date (usually the day following vaccination), not the vaccination date.]
Services Australia chief executive officer Rebecca Skinner told Senate Estimates that the government agency was helping people print their certificates.
“We also have people who phone in to our help desk phone lines and ask for us to send a printed version, and we’re doing that as well,” she said.
“And, where people are able to move around in the community, they are also stopping into service centres, and we print it out for them there as well.”
Senate Estimates also heard that about a third of the 3.5 million Australians who have accessed their certificates had taken the trouble of setting up the Express Plus Medicare app digital certificate.
The remainder, about 2 million, appear to be intending to use the digital certificate.
This points to a future scenario where easily forged certificates are the most common way of proving vaccination status.
Asked about the risk of forgery, Ms Skinner told Senate Estimates that both the in-app digital certificate and the PDF version could be trusted.
“If anyone was at all concerned that someone’s vaccination certificate was not accurate, and it was required for some assured purpose, then the assured certificate is the one available in the Express Plus Medicare app or able to be printed out or found in your immunisation history statement.”
But members of the Australian tech community have shown that all versions of the federal government’s vaccine certificates can be faked.
Software engineer Richard Nelson, for instance, has demonstrated he can add any name or type of vaccine — including drugs that are not vaccines — to an “anti-fraud” certificate on the Express Plus Medicare app.
He says the certificates will remain easy to fake until they feature a digital signature, like the kind used in the EU’s vaccine passports.
“I think very few people have put effort into understanding what the issue is here,” he said.
The vulnerability in the Express Plus Medicare app that allows him to forge certificates has not been fixed, more than two weeks after he alerted the government.
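The kind of issuer digital signature Mr Nelson describes, shown as an added Go example that is not code from this article, the Express Plus Medicare app or the EU system; the certificate fields, the holder name, the vaccine name and the issuer key pair are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Certificate holds the fields a venue would check. Constructed for this
// example; it is not the structure of any real vaccination certificate.
type Certificate struct {
	Name       string `json:"name"`
	Vaccine    string `json:"vaccine"`
	Doses      int    `json:"doses"`
	IssuedUnix int64  `json:"issued"`
}

// canonical returns the exact bytes that get signed. json.Marshal emits struct
// fields in declaration order, so issuer and verifier produce identical bytes.
func canonical(c Certificate) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Issue signs the certificate with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Certificate) []byte {
	return ed25519.Sign(priv, canonical(c))
}

// Verify checks the signature with the issuer's public key. Changing any field
// (name, vaccine, dose count) invalidates it; unlike a PDF permissions password
// there is no flag a forger can strip, because the check is mathematical.
func Verify(pub ed25519.PublicKey, c Certificate, sig []byte) bool {
	return ed25519.Verify(pub, canonical(c), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer key pair (constructed)
	cert := Certificate{Name: "Jane Citizen", Vaccine: "Comirnaty", Doses: 2, IssuedUnix: 1631145600}
	sig := Issue(priv, cert)
	fmt.Println("genuine certificate verifies:", Verify(pub, cert, sig))
	forged := cert
	forged.Name = "Someone Else" // edited after issue, as in the PDF attacks above
	fmt.Println("edited certificate verifies:", Verify(pub, forged, sig))
}
```

A verifier only needs the issuer's public key, which can be published once and embedded in venue apps, so no live lookup of the Immunisation Register is required at the door.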
‘Exponential’ growth in demand for fake certificates
Meanwhile, demand for fake vaccine certificates appears to be on the rise globally.
Matt Warren, director of the RMIT Centre of Cyber Security Research and Innovation, said vaccine certificates were being forged from the US to the UK.
The Australian certification system, he said, has “real issues of integrity”.
“Nothing has been done to create a secure system,” he said.
“I think certainly the anti-vaxxers will be the market for those forged certificates because they want to travel.
“They’ll want to go to the footy, to pubs and restaurants.”
On the encrypted messaging app Telegram, anonymous sellers offer forged Australian vaccine certificates alongside those for other countries.
The going price per digital certificate is about $US200.
The sales pitches in messaging groups include anti-vaccination statements, such as: “We are here to save the world from this poisonous vaccine”.
One seller who said he was based in the US claimed to have made “many” certificates for Australians, though this cannot be confirmed.
Security researchers at Check Point Software Technologies say they’ve seen exponential growth in volumes of followers and subscribers to groups and channels offering COVID-19 certificates.
Mr Nelson has also been contacted by Australians wanting fake certificates, demonstrating there is demand within Australia for them.