The federal government’s COVID-19 vaccination certificate can be forged using a widely known technique to bypass the protections.
- The protections against editing the PDF vaccination certificate can be bypassed in seconds
- Security experts warn of booming demand for forged vaccine passports
- This could create problems when granting extra freedoms to the fully vaccinated
Fenn Bailey, a software developer in Melbourne, stumbled upon the security flaw this week after reading about other publicised vulnerabilities.
He discovered the government was relying on a “high-school grade permissions password” to prevent unauthorised people from being able to alter or copy versions of the vaccination certificates.
Mr Bailey found it was then possible to change a name or the vaccinated status on the certificate.
“One could argue that this means these [documents] are not certificates, in that they fail to meet the definition of being certified as authentic,” Mr Bailey said.
This isn’t the first time a member of the public has found a way to forge a version of the federal government’s vaccination certificate.
But the fact it can be done so easily shows the government did not take basic steps to prevent forgery, Mr Bailey said.
“To anyone who is fairly qualified in this field, the failings are dramatic,” he said.
Other vulnerabilities that allow the certificates to be forged have gone unfixed after being brought to the government’s attention, including a method reported more than two weeks ago.
This could create problems when relying on the certificates to grant extra freedoms to the fully vaccinated.
Will NSW vaccine passport be any more secure?
From next week, fully vaccinated New South Wales residents will be able to spend more time outside, with police monitoring their vaccination status.
It’s expected other freedoms will be granted as the vaccination rate improves.
But given the security holes in the vaccine certification system, it’s not clear how authorities, or workers at pubs, cafes and restaurants, will be able to spot any potential forgeries.
One solution may be a new, more secure app.
From October, the federal government will issue vaccination passports for people to use when they travel overseas.
Though details are scarce, these appear to have better security than the vaccination certificates, with a QR code to verify vaccination status.
However, there are no plans to roll these out for domestic use.
That leaves the possibility the states will develop their own vaccine passport systems.
From early October, the NSW government will trial a vaccine passport system within the Service NSW app, which is currently used for venue check-ins.
In response to questions from the ABC, Service NSW did not share details of how the app will work; whether it would directly access the Australian Immunisation Register for proof of vaccination, or instead rely on a person’s federal vaccination certificate.
“Service NSW is working closely with the federal government on the ability to display a COVID vaccination certificate within the Service NSW app and link vaccination status with the COVID-Safe Check-In,” a Service NSW spokesperson said in a statement.
The spokesperson did not respond to questions about whether the federal government certificates would still be accepted as proof of vaccination alongside the Service NSW app.
If they were accepted, the forgery problem would remain, regardless of whether or not the NSW app was secure.
At the same time, not accepting federal vaccination certificates could create widespread confusion.
Senate Estimates heard last week that about 3.5 million Australians have accessed their federal government vaccine certificates.
On top of this, most appear to be intending to use the existing certificate (which can be more easily forged than the in-app digital certificate).
Services Australia chief executive officer Rebecca Skinner told Senate Estimates that the government agency was helping people print their certificates.
“We also have people who phone in to our help desk phone lines and ask for us to send a printed version, and we’re doing that as well,” she said.
“And, where people are able to move around in the community, they are also stopping into service centres, and we print it out for them there as well.”
Senate Estimates also heard that about a third of the 3.5 million Australians who have accessed their certificates had taken the trouble of setting up the Express Plus Medicare app digital certificate.
The remainder, about 2 million, appear to be intending to use the digital certificate.
This points to a future scenario where easily forged certificates are the most common way of proving vaccination status.
Asked about the risk of forgery, Ms Skinner told Senate Estimates that both the in-app digital certificate and the PDF version could be trusted.
But members of the Australian tech community have shown that all versions of the federal government’s vaccine certificates can be faked.
Software engineer Richard Nelson, for instance, has demonstrated he can add any name or type of vaccine — including drugs that are not vaccines — to an “anti-fraud” certificate on the Express Plus Medicare app.
He says the certificates will remain easy to fake until they feature a digital signature, like the kind used in the EU’s vaccine passports.
The vulnerability in the Express Plus Medicare app that allows him to forge certificates has not been fixed, more than two weeks after he alerted the government.
‘Exponential’ growth in demand for fake certificates
Meanwhile, demand for fake vaccine certificates appears to be on the rise globally.
Matt Warren, director of the RMIT Centre of Cyber Security Research and Innovation, said vaccine certificates were being forged from the US to the UK.
The Australian certification system, he said, has “real issues of integrity”.
“Nothing has been done to create a secure system,” he said.
“I think certainly the anti-vaxxers will be the market for those forged certificates because they want to travel.
“They’ll want to go to the footy, to pubs and restaurants.”
On the encrypted messaging app Telegram, anonymous sellers offer forged Australian vaccine certificates alongside those for other countries.
The going price per digital certificate is about $US200.
The sales pitches in messaging groups include anti-vaccination statements, such as: “We are here to save the world from this poisonous vaccine”.
One seller who said he was based in the US claimed to have made “many” certificates for Australians, though this cannot be confirmed.
Security researchers at Check Point Software Technologies say they’ve seen exponential growth in volumes of followers and subscribers to groups and channels offering COVID-19 certificates.
Mr Nelson has also been contacted by Australians wanting fake certificates, demonstrating there is demand within Australia for them.
Is there a better, more secure system?
Security experts unanimously say the EU’s vaccine passport system is more secure.
The EU passports contains a QR code with a digital signature to protect them against falsification.
When a person enters an EU country, for instance, the border guard scans the QR code and the signature is verified through a serviced called the EU Gateway.
The Gateway doesn’t store vaccination data; it only checks the signature is correct.
The advantage of this system is privacy: no-one has access to a certificate holder’s personal data other than the country that issued the certificate.
Privacy expert Vanessa Teague said the EU system would be a more secure alternative to the current Australian one.
“We’re going to have to be able to verify EU vaccine certificates if we let Europeans back in to Australia, so we might as well build vaccine certificates that require the same verification,” she said.
Professor Warren also said it would “make sense for Australia to pick an effective system like the EU one.”
Mr Bailey pointed out the EU technology is “open-source, peer-reviewed and has been in heavy use in Europe for months”.
In March, the World Health Organization released an interim guidance for developing vaccination certificates that recommended using digital signatures to verify authenticity.
“Why the Australian federal government have chosen to ignore this is, frankly, baffling,” Mr Bailey said.
“This is not just because it actually works, but because it would allow global interoperability had we adopted this approach.
“It feels like yet another example where we’re going to end up 6-12 months behind the rest of the world, playing catch-up.”