Digital vaccine certificates ‘woefully insecure’


Denham Sadler
National Affairs Editor

Victoria’s COVID-19 digital vaccine certificates are “woefully insecure” and “very easy” to forge in just minutes, according to a number of developers and cryptography experts who have criticised the lack of a national standard for this service.

The Victorian Government this week announced the integration of vaccine certification into the Services Victoria QR code check-in app and the commencement of a trial allowing fully vaccinated individuals to visit venues in regional areas of the state.

Australia’s current COVID certificate on a smartphone.

The check-in app certificate is separate from the one in the Medicare app, which individuals can add to their phone’s digital wallet.

The Services Victoria certificate includes digital holograms in an effort to combat forgeries via screenshots.

But a number of experts in the field have said this feature is virtually useless and the new certificate could be easily forged.

Cryptography expert and Thinking Cybersecurity chief executive Dr Vanessa Teague said the state’s digital vaccine certificate is “woefully insecure”, and the Victorian Government needs to be upfront about its limitations.

“I hope that the Victorian Government communicates honestly that these are not certificates and have no anti-fraud protections, so that people who need to check vaccination status do not mistakenly rely on them,” Dr Teague told InnovationAus.

“I asked my nine-year-old whether he knew how to take a video screenshot and he said yes. So that is the level of security of the hologram-cartoon as a deterrent to fraud.”

Software developer Jim Mussared said the “holograms” added no extra security to the digital certificate and should not be relied upon.

“It is irresponsible to encourage this ‘trust the triangles’ message,” Mr Mussared told InnovationAus, referring to triangle-shaped Victorian Government logos that appear in the Services Victoria app. “I’ve heard this [same message] from Services NSW, Services Victoria and myGov.

“Anything that runs on a person’s phone can be forged, and in the case of the Service Victoria app, it was very easy to do so. If we’re going to enforce vaccination status, then it needs to be verifiable.

“I think there’s an idea that people think that replicating these triangles and holograms is hard. But the reality is that the app already knows how to do this, you just have to convince it to do so.”

Fellow software developer Brad Moore was able to make a fake version of the Service Victoria digital certificate in a few hours.

“I think holographic foils can help prevent fraudulent money and licenses, but when implemented as a digital image it’s just wasted development time for something they surely knew wasn’t going to work from the start … it’s like it’s there for visual effect but no sort of practical effect,” Mr Moore told InnovationAus.

“My implementation is one of many – I already have seen people using fake web requests with the official app to show them as vaccinated when they aren’t. People have told me, ‘But an anti-vaxxer surely won’t know how to install a fake app so this isn’t a problem’, when it could very well just be a full-screen webpage that does the same – no need to install an app then.”

A number of experts have questioned why Australian jurisdictions and the federal government have opted to go it alone and develop their own methods for verifying vaccination status, rather than adopt one being used overseas.

The one most commonly pointed to is the European Union’s vaccine passport scheme, the biggest of its type in the world. This uses a QR code certificate along with a digital signature verified by each nation, and is now being used by more than 40 countries.
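To make the contrast concrete, here is an added example (not code from the EU scheme, the Australian apps, or anyone quoted in this article) of what a signed certificate gives a venue that an on-screen animation cannot: a minimal issuer and verifier in Go. It assumes Ed25519 signatures over a small JSON record (the EU scheme's real encoding and algorithms differ) and a verifier that already holds the issuer's public key; the names and dates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Certificate is a constructed stand-in for the vaccination record a national
// issuer would sign and place in a QR code; the fields are hypothetical.
type Certificate struct {
	Name     string `json:"name"`
	Vaccine  string `json:"vaccine"`
	DoseDate string `json:"dose_date"`
}

var enc = base64.RawURLEncoding

// Issue signs the JSON record with the issuer's Ed25519 private key and returns
// "base64(payload).base64(signature)", the text the QR code would carry.
func Issue(priv ed25519.PrivateKey, c Certificate) string {
	payload, _ := json.Marshal(c) // a struct of strings always marshals
	sig := ed25519.Sign(priv, payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig)
}

// Verify accepts a token only if the signature checks out under a trusted issuer
// key: an edited field, a signature moved onto another payload, or a token signed
// with any other key is rejected, and nothing shown on the holder's screen matters.
func Verify(pub ed25519.PublicKey, token string) (c Certificate, ok bool) {
	p, s, found := strings.Cut(token, ".")
	payload, err1 := enc.DecodeString(p)
	sig, err2 := enc.DecodeString(s)
	if !found || err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return Certificate{}, false
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return Certificate{}, false
	}
	return c, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok := Issue(priv, Certificate{"Example Person", "Constructed-Vax", "2021-09-01"})
	fmt.Println(Verify(pub, tok)) // {Example Person Constructed-Vax 2021-09-01} true
}
```

The verifier needs no network call and no trust in the holder's device; a screenshot, a video, or a re-skinned app changes nothing because the only thing checked is the issuer's signature over the data.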

Mr Mussared said it was “totally nuts” that there were so many different ways of digitally providing vaccination status in Australia.

“We should have done what other countries did, and it should have been done at the federal level,” he said.

“It’s just bonkers that we’ve ended up with so many systems. The data is spread everywhere, and the weakest link brings the whole thing down.”

It would have been easy and quick to simply adopt the EU’s own vaccine certificate system, software developer Richard Nelson said.

“The EU has a well-defined, publicly discussed framework for verifiable certificates published early this year that would have been technically trivial to implement on, and it’s incredibly poor that we don’t have a federal solution built on this,” Mr Nelson told InnovationAus.

“The security of all of this really depends on the weakest acceptable method, which is the PDF from Medicare. So all of this doesn’t really matter regardless.”


1 Comment

Mark Summerfield, 1 week ago:

    While obviously not perfect, the Services Victoria implementation is nowhere near as bad, or as easy to ‘forge’, as this article makes out. The user’s name, the name of the location, and the date and time of check in are displayed over the top of the animated logos, and the animations appear to be at least partly dependent on signals from the phone’s motion sensors. So there is no way replaying a video screenshot (presumably from another person, place and time) would pass even a cursory inspection. And the location name is not (as far as I can tell) encoded in the QR code – it has to be retrieved from the server, which only the authorised app can do. A fake app could allow the user to manually enter the name, but this is still one more step and one more opportunity to get caught out. People are mostly honest, and even among the hesitant and disgruntled an overwhelming majority will stop short of fraud.

    A tiny minority of people will still cheat, but they are the ones that have been breaking the rules anyway, and I’m not sure that 100% compliance is, or was, ever a realistic goal. The objective is to keep the reproduction number below 1.0, and to stop the health system from becoming overwhelmed, while making it as easy as possible for businesses to comply with their obligations. On that score, the apps will absolutely make a positive contribution.
