Yaakov Online


I fight with computers

Yaakov
Author

Forging a COVID-19 vaccination certificate is child's play

Immunisation records are something we've had for a very long time. I still have some of mine from when I was a small baby just a few months old, in a blue book that I believe was standard-issue at the time.

These records are required for certain areas of society. For kids attending school, they (or rather, their parents) have to prove that they're up to date on their jabs. For travelling to certain parts of the world, you have to have a literal "vaccine passport" and prove that you're protected against certain diseases such as malaria.

And so, in the wake of a global pandemic for which vaccination is available, it makes sense that (for a limited time only) we would require proof of vaccination before welcoming people back to high-risk events and settings.

These are now required - at least in New South Wales - to participate in any of the relaxed lockdown restrictions, starting earlier this week with outdoor gatherings of up to 5 vaccinated people (in a stay-at-home area) or extended outdoor activity with your own household (in an "area of concern"). The Government has also strongly suggested that they will be required as further restrictions relax, and that one will need proof of vaccination to return to bars, pubs, restaurants, public worship, travel. They are also mandatory to work in certain high-risk industries such as construction and aged care (I think, it's so hard to keep up with all this stuff).

The key defining aspect of some kind of proof of vaccination is very simple - somebody who is vaccinated should be able to get it (easily), and somebody who is not vaccinated should not be able to get it (ideally at all, but I'd settle for easily).

To get this proof of vaccination, which is centralised around the Australian Immunisation Register (AIR), there are a few different methods, and they all suck at the second part above.

Apple Wallet Pass

If you have a MyGov account linked to your Medicare account, and are fully vaccinated, you can get a little green card to add to Apple Wallet. Unfortunately, it has no way to be authenticated - it is just a little green rectangle with some text. This makes it incredibly trivial to spoof.

Apple Wallet passes are .pkpass files, each of which is a ZIP archive containing some images, JSON data, and a digital signature. The digital signature is validated by iOS, not by humans, so anybody with an Apple Developer Program account can get their own signing keys and generate their own signature to create a pass.

With regard to the COVID pass from Medicare, this means that anyone with an Apple Developer Program account can get an existing pass, modify it (e.g. replace the name), and then replace the digital signature with their own. It looks identical to a real one, so there is no way for a human viewing it to tell whether it is authentic.

I managed to forge one earlier this week in less than 15 minutes from start to finish:

A genuine-looking but totally fake COVID-19 digital certificate for John Jacob Jingleheimer Schmidt - his name is my name too.

It is also possible to forge less-perfect clones without having an Apple Developer Program account. For more on this you can read Leigh Brenecki's writeup on the topic.

Google Pay Pass

Like the Apple Wallet passes, Medicare also offers Google Pay passes, though I haven't poked at this yet myself.

Google Pay does have a special kind of COVID-19 pass which is only available to healthcare institutions. I would hope that Medicare are using this, and that it has some kind of unique appearance or other authenticity feature, but given my experience with Government technology I have strong doubts.

Even if that was true, it may be possible to forge these by creating an identical looking pass of another category - I don't know.

Digital Certificate PDF

As well as getting cutesy little passes, you can also get a COVID-19 Digital Certificate, which comes as a PDF. These can just be photoshopped. A Senator has already done it.

This looks like my real one, but is apparently fake. Image taken from ABC News article linked above.

These can also be edited directly rather than photoshopped, but more on that in the next section as it has the cool video to go along with it.

Immunisation History Statement

You can also just use a regular Immunisation History Statement, which lists all the immunisations you have received which are registered with the AIR. This is what you would use anyway for other shots like the flu shot, if you ever needed to prove that.

It turns out that these PDFs aren't even flattened. They are password-protected to prevent editing, but you can unlock the PDF with some basic tools and then just edit the text directly, rather than needing to carefully photoshop it.

Forging an immunisation history statement is about as easy as editing a Word Document, except Services Australia have already taken care of the layout for you.

For more on this see Geoffrey Huntley's tweets on this subject.

Service NSW

Victor Dominello MP, the Minister for Customer Service and Minister for Digital, has publicly stated that Service NSW will include vaccination status (somehow), and has posted a mockup already on LinkedIn.

Minister for Digital and definitely-not-a-pirate Victor Dominello showing off a mockup/prototype/early build of Service NSW COVID Safe check-ins featuring vaccination status. Image taken from LinkedIn post linked above.

Given that:

  1. Service NSW were caught completely unaware when I found their Digital Drivers License to be trivially forgeable,
  2. The Digital Drivers License is still partially forgeable to this day, and
  3. People built and distributed fake check-in apps to avoid checking in to venues and assisting state contact tracing teams,

I hold out little hope that Service NSW's proof-of-vaccination implementation will be difficult or impossible to fake.

For more information on the Digital Drivers License forgery you can watch my conference talks from PyCon AU 2019 or linux.conf.au 2020.

How can we do this better?

If you're feeling deep in the pits of despair by now, there is some hope. The EU have built a system that seems pretty solid, utilising PKI infrastructure and including signed QR codes so that you can verify if someone else's vaccination proof is authentic or not.

Richard Nelson has already built a proof-of-concept that uses this system, though since his public/private key-pair isn't trusted by anyone else, it's practically useless on a large scale - you would need a custom verifier app too, unless the Government adopted it and published their own public key.

"Ah, yeah... that's one fine-looking barbecue pit... why doesn't mine look like that?" - Homer Simpson. Image extracted from video in Tweet linked above.

However, it does still demonstrate that the Federal Government could trivially build an actually useful, hard-to-fake system, if it so desired.
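To make the trust requirement concrete, here is an added example (not Richard Nelson's proof-of-concept and not the EU's code) of the check a verifier app has to make: the signature must be valid and it must come from a key the verifier already trusts. That second condition is what the Apple Wallet pass lacks, since a pass re-signed by any developer still carries a valid signature. The JSON payload, the `Cert` fields and the key ID `issuer-2021` are simplified stand-ins constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Cert is a constructed, simplified payload (not the EU schema).
type Cert struct {
	Name  string `json:"name"`
	Doses int    `json:"doses"`
}

// SignedCert is what the QR code would carry.
type SignedCert struct {
	KeyID   string `json:"kid"` // which issuer key claims to have signed this
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

// Issue signs the serialised certificate with the issuer's private key.
func Issue(kid string, priv ed25519.PrivateKey, c Cert) SignedCert {
	payload, _ := json.Marshal(c) // a flat string/int struct cannot fail to marshal
	return SignedCert{KeyID: kid, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Verify accepts a certificate only when the signature is valid AND the key
// is in the verifier's own trust list. A valid signature from anyone else fails.
func Verify(trusted map[string]ed25519.PublicKey, sc SignedCert) (Cert, error) {
	var c Cert
	pub, ok := trusted[sc.KeyID]
	if !ok {
		return c, errors.New("signer is not a trusted issuer")
	}
	if !ed25519.Verify(pub, sc.Payload, sc.Sig) {
		return c, errors.New("signature does not match payload")
	}
	return c, json.Unmarshal(sc.Payload, &c)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)    // stands in for the issuer's published key pair
	_, otherPriv, _ := ed25519.GenerateKey(nil) // any other party's perfectly valid key
	trusted := map[string]ed25519.PublicKey{"issuer-2021": pub}
	_, err1 := Verify(trusted, Issue("issuer-2021", priv, Cert{"Constructed Name", 2}))
	_, err2 := Verify(trusted, Issue("someone-else", otherPriv, Cert{"Constructed Name", 2}))
	fmt.Println("issuer-signed:", err1, "| signed by another key:", err2)
}
```

The trust list is the part only the issuing authority can supply: until it publishes its public key and verifier apps ship with it, every signature is as good as any other.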

Clearly though, it doesn't. To borrow a quote used frequently by Justin Warren, The Purpose Of a System Is What It Does, and this system, like many COVID-19 and Identity tech projects run by Australian Governments, does not achieve what we would consider its purpose to be.

Seemingly then, as the purpose of the system is not affected by being fallible, perhaps the purpose is simply so that the Government can look like it has done something when it has achieved little at all.

Meanwhile, we will still have to carry around our little cards and PDFs and printouts, though they offer little in the way of proof of vaccination. All they prove is that we managed to get a card/PDF, not necessarily that we've had our required schedule of vaccinations.

Though if you haven't gotten your vaccinations yet - please book/get them ASAP.