Aussie Researcher Fakes Digital COVID-19 Vaccination Proof
Veteran Researcher Recommends Australia Copy EU's Verified QR Code System Instead
Australian software engineer Richard Nelson is warning that he was able to create a fake digital COVID-19 vaccine certificate via the government's Express Medicare Plus app. He says the agency in charge of the app has so far failed to acknowledge his bug report.
Sydney-based Nelson was part of a team of independent security researchers that last year identified serious flaws in Australia's digital contact-tracing app.
On Aug. 18, he detailed the vaccine certificate problems via Twitter, noting that he'd failed to receive a response from Services Australia, which is the federal government agency that developed the app.
Three weeks later, the bug still isn't fixed. Nelson worries the issue could be embraced by anti-vaccination campaigners for nefarious purposes. There's also the question of how fake certificates might pose an increased risk to public health.
"This should not be anywhere near this easy to fool (I'm not vaccinated.. yet) pic.twitter.com/faTQws7XhX" - Richard Nelson (@wabzqem), August 18, 2021
"If they're going to use it to allow people to go to restaurants or bars or even eat, how is someone supposed to check if what they're seeing is real or not?" Nelson asks.
Showing digital proof of vaccination will grow in importance. States such as New South Wales and Victoria remain in lockdown, and other states are on a knife's edge due to growing Delta cases. Some states and the federal government have promised looser restrictions for those who are vaccinated after states hit 80% double-dose vaccination rates.
It's still early days for exactly how people in Australia will show their vaccinated status. One method is via a government app on a person's phone. Another option is downloading a digital vaccination certificate and loading it into Apple's Wallet or Google's Pay apps, according to Services Australia.
The state of New South Wales has suggested it may incorporate digital proof of vaccination into its Service NSW app. The app is already used for checking into locations using QR codes, which then assist contact tracers.
Lack of Verification
The bug is in an app called Express Medicare Plus. The app is designed to let people interact with a variety of federal government services.
In the last couple of months, the government added a feature that would pull a person's COVID-19 vaccination status from the Australian Immunization Register. The app displays a person's name, date of birth and if the person has received a vaccine.
Not long after the feature launched, Nelson says he decided to have a look and said to himself, "Well, I wonder what they've really done here to make this trustworthy. And one night, I had a few minutes to spare. I thought 'Okay, I'll just have a look at this.'" It took him little time to find the problems, which he promptly attempted to report.
Nelson demonstrated how he could manipulate the app's data to show that he'd received a vaccine when he hadn't. And on Thursday, he tweeted another proof-of-concept, this time involving Craig Kelly, a federal member of Parliament who has been accused of pushing misinformation around COVID-19 and vaccines.
The demonstration falsely showed the politician had received ivermectin, which is used to treat parasitic infections in humans and animals, and hydroxychloroquine, usually used for malaria infections.
Nelson doesn't want to reveal the precise details of how the manipulation is possible. But broadly speaking, he says the app verifies neither that the server sending the vaccination-related data is legitimate nor that the vaccination data itself is genuine. The fix would involve a couple of architectural security changes that would ensure verification of both, he says.
Regions such as the EU have solved the problems that Australia's app has, Nelson says. Further, the code behind those apps in Europe is open and available, he says.
In Europe, vaccinated people can show a QR code that contains a digital signature that represents their vaccination status. The digital signature is confirmed as valid by checking with the EU Digital COVID Certificate gateway, which stores the public keys for various countries' public health authorities. Once the QR code is scanned, the relevant public key verifies the signature, according to EU documentation.
"It's a very straightforward mechanism," Nelson says of the EU's system. "And it's puzzling why they didn't think about this verification method" in Australia, he adds.
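As an added illustration (not code from the article, from Nelson, or from the EU project), the Go program below shows the two checks Nelson describes: the data is accepted only if a signature over exactly those bytes verifies against a public key already held for the named issuer, so neither a rogue server nor an edited payload passes. The real EU certificate uses COSE/CBOR signatures; here the payload is JSON, the signature is Ed25519, and the issuer key id "AU-DOH-1" and the trust list are constructed stand-ins for the gateway's key store.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Constructed, simplified stand-ins: Certificate is the payload, SignedCert is
// what the QR code carries, TrustList models the gateway's issuer public keys.
type Certificate struct {
	Vaccinated bool `json:"vaccinated"`
}
type SignedCert struct {
	KeyID        string
	Payload, Sig []byte
}
type TrustList map[string]ed25519.PublicKey

// Issue signs the payload with a health authority's private key.
func Issue(kid string, priv ed25519.PrivateKey, c Certificate) SignedCert {
	payload, _ := json.Marshal(c) // struct of plain exported fields cannot fail
	return SignedCert{KeyID: kid, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Verify believes nothing in the payload until a key already listed for the
// named issuer is shown to have signed exactly these bytes.
func Verify(trust TrustList, sc SignedCert) (Certificate, error) {
	var c Certificate
	pub, ok := trust[sc.KeyID]
	if !ok || !ed25519.Verify(pub, sc.Payload, sc.Sig) {
		return c, fmt.Errorf("no trusted key for issuer %q signed this payload", sc.KeyID)
	}
	err := json.Unmarshal(sc.Payload, &c)
	return c, err
}

// Demo: a genuine cert, the same cert edited after signing, and a cert signed
// with a key the gateway never published (the rogue-server case).
func Demo() (genuine, tampered, forged bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand
	trust := TrustList{"AU-DOH-1": pub}      // hypothetical issuer key id
	sc := Issue("AU-DOH-1", priv, Certificate{Vaccinated: false})
	_, err := Verify(trust, sc)
	genuine = err == nil
	sc.Payload = []byte(`{"vaccinated":true}`) // flipped without re-signing
	_, err = Verify(trust, sc)
	tampered = err == nil
	_, rogue, _ := ed25519.GenerateKey(nil)
	_, err = Verify(trust, Issue("AU-DOH-1", rogue, Certificate{Vaccinated: true}))
	forged = err == nil
	return
}

func main() { fmt.Println(Demo()) } // true false false
```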
Better Bug Reporting
The app was developed by Services Australia, which is a federal government agency. The agency says it does not comment on security issues but works "closely with relevant authorities and agencies to investigate and resolve them."
"COVID-19 digital certificates have features to safeguard against fraudulent activity consistent with other official government documents, such as birth certificates and citizenship certificates," the agency says.
Nelson says that after he found the issue, he tried to reach Services Australia but found it difficult to make contact.
"Ultimately, it boils down to not having a mechanism to get in touch with them to report these kinds of issues in the first place," Nelson says.
He also tried to reach the Department of Health, which has a vulnerability disclosure policy, but it wasn't in charge of the app. The agency did, however, reply after a week.
Nelson also contacted the Australian Signals Directorate, which is Australia's spy agency. It acknowledged receiving the report the same day. In its statement, Services Australia says Nelson "has received acknowledgement from the Australian Government."
Services Australia added that: "Anyone who suspects that someone may be creating fake COVID-19 digital certificates or Medicare immunization history statements should report it. They can do this online at www.servicesaustralia.gov.au/fraud, or by calling 131 524."
Nelson also wrote a blog post outlining his concerns and called for a government-wide vulnerability disclosure program.
Nelson is one of several researchers who closely examined COVIDSafe, which is Australia's digital contact-tracing app. The researchers discovered software bugs and privacy issues but alleged the government moved too slowly to remedy the issues.
Also, the group advocated that the Australian government embrace Exposure Notifications, a framework developed by Apple and Google. The framework was designed to provide stronger privacy controls and interoperability, but the government declined to use it. COVIDSafe plays no meaningful role now in contact tracing (see: Australia Passes Privacy Law for Contact-Tracing App).