A local software developer has found a simple way to create a fake COVID-19 digital vaccine certificate using the official government app, one that’s indistinguishable from the real thing. His discovery raises concerns about the security of the vaccine passport certificate system.
Richard Nelson, a Sydney-based software developer, reported the vulnerability to the Department of Health late last week. He also showed video proof of “his” COVID-19 digital certificate on a mobile device, even though he has not been vaccinated.
Nelson claims he was able to produce this because the government’s Express Plus Medicare app — which generates the COVID digital certificate based on data from the Australian Immunisation Register (AIR) — is vulnerable to what’s called a “man-in-the-middle” attack.
In simple terms, when the Medicare application goes to access data to show whether a user is vaccinated, it sends a message to the server that will tell it whether they have been vaccinated or not.
A man-in-the-middle attack hijacks that request and sends its own response back. To use an analogy, it’s like a letter given to a courier for delivery to a pen pal being redirected to a different address and answered by someone else. In this case, the answer to the request (has this person been vaccinated?) can be spoofed because someone other than the real server is replying.
When this is carried out, the user ends up with a completely authentic-looking vaccine certificate because it’s generated by the government’s official application which really thinks the user has been vaccinated.
What makes this possible is that the Express Plus Medicare app does not check where this information came from. It’s relatively common for applications to require that a response from a server be signed or otherwise verified, like a signature on a letter that proves it came from who it says it does.
Nelson is surprised this weakness exists, expecting that such a common and obvious issue would have been raised in a security audit.
“Either they didn’t get one done, or decided to accept any risks,” he said.
More broadly, Nelson says he’s concerned that the system is set up in a way that someone who views the certificate cannot easily verify whether it’s real or not.
“If this is to be what’s used to, for example, let people into restaurants or bars then it really must be more robust than an animation on the screen. This is not foolproof at all,” he said.
Australia’s COVID-19 vaccine digital certificates are not yet used to determine entry to venues, but the Nine newspapers reported that the federal cabinet is considering allowing state QR code check-in apps to access AIR data to determine whether someone is vaccinated.
Yet again, the Scomonic junta posts another fail! What is needed before this mob are banished to their own detention centres forever???
If you read the ABC and even The Guardian, let alone Sky News or Murdoch, it is obvious why Morrison is still with us.
Another own goal by internet genius Stuart Robert?
He might have been busy looking for ways to best bring back Robodebt against recipients of jobsaver – or even researching ways to make a profit on your government internet connection.
That is Brother Stewie no doubt doing God’s work as well.
The LNP, always keen to get access to our comms, but consistently terrible at even the most basic security – why? – because they don’t give a foetid rat’s freckle.
I would have thought security of data and all that involves would be the major issue when the program was started. Are these developers sleeping? What’s always in the news is that our data is being used/sold to almost anyone.
Very poor selection by govt. – friend of friend selection? Etc etc.
By the way, overseas vaccine passports easy to obtain without being vaccinated. Hackers making good money. Not sure how this can be changed.
Once upon a time all apps/webpages had the creator and the copyright on the bottom of the page/app. Curiously, increasingly no one wants to own the work. Take the money and run – then pray no one holds you accountable until you reach the pearly gates. Admit your sins in the name of… then it’s all good.
Was there a loophole for a reason? Accidental seems too far-fetched! After watching simple Scimon today, I think he is now going for the pied piper cloak. He never wanted lockdowns. He has always wanted to run the gauntlet. He is playing his hand according to his sad attempt at reverse psychology. The penties think they are masterful at it. Then they say God gave them the idea in Jesus’ name. It’s so F U.
Scott Morrison, the marketer repeatedly sacked by the governments of New Zealand and Australia, is fomenting civil unrest with his press conferences.
He is using the same words the QAnon conspiracy theorists and the weekend protesters use; they are using the words he is spouting.
Scott Morrison is a very dangerous criminal and is undermining the health of our nation and residents coming. Welfare. He is copying the strategy used by Donald Trump and appealing to the far right and the lunatics and the intellectually stunted, the anti-vaxxers and the Sovereign Citizens; he is appealing to them and orchestrating super-spreader events with his language.
Scott Morrison, Steve Marshall and Gladys Berejiklian have embarked on a strategy to please business and donors and Australian citizens.
We are the ones that are going to pay the price for their treason and traitorous psychopathy.
I have a Dream – that one day, the Electorate will fire Scummo’s government.
No chance of that; like the Rodent, he’d lose his electoral seat – Sylvania Waters voters really consider him their dag as long as he delivers.
I’d prefer that he is consigned to the backbench as a constant reminder of what happens to a country run by a cheap flack.
That sneering gurninghead is as near a Skull at the Feast as could be imagined in a nightmare.
In 1997 the Howard government completely trashed the IT competence (OGIT) of the federal public service that had been so painstakingly established under the leadership of the late Senator John Button. Several hundred small and medium businesses which were part of this system – creating locally developed IT solutions – were sent to the wall. Instead, outsourcing was going to be the strategy. Hundreds of millions of dollars were then wasted delivering failure after failure for the public and rich incomes for the consultants. Indeed one consultancy was paid $27m for a report – the content of which was cribbed from the OGIT website. Here we have yet another example in the endless litany of failure.
I can remember one IT consultant being paid $600K for 5 months work a decade ago. Those paying him didn’t know what he had done as those contracting him were not those paying him. Also, being there when the IT outsourcing began, I saw the rapid erosion of in-house expertise and the resultant wastage of resources as a result. A total shambles brought about by the shambler-in-chief at the time, John Howard.
The entire Customs IT system, built in-house by users who knew what was required in total detail, was handed lock, stock & barrel to EDS.
This quickly led to their first of multiple failures with the shutdown for almost a month in Aug/Sept 2005 of the Sea Cargo automated clearance system just in time for the stock buildup for Christmas.