#AceHealthReport – Aug.24: Richard Nelson, a software engineer in Sydney, has found an “obvious” security flaw in the Express Plus Medicare app that allows him to make vaccine certificates with any name and date of birth, complete with the background animations meant to prevent forgery…
#CoronavirusNewsDesk says #COVID19 vaccine certificates can be forged within 10 minutes due to an ‘obvious’ security flaw. Near-perfect forgeries of the federal government’s digital vaccine certificate can be made in 10 minutes using free software, a member of the public has discovered.
This is how a vaccine passport could work.
The Prime Minister has previously said the certificates are a “credible and effective” way for states to administer exemptions from aspects of lockdowns.
The discovery of the flaw could put a hold on state and federal governments allowing the vaccinated more freedoms.
Mr Nelson found the security hole in the current system (which was launched more than two months ago) while mucking around with the Express Plus Medicare app one evening last week.
“It’s a very basic flaw. I thought surely there would be some kind of mitigation to stop this kind of attack, but there wasn’t.”
Other security experts have confirmed it’s the kind of obvious vulnerability that would have been picked up in a basic security audit of the app.
To demonstrate how easy it is to forge certificates, Mr Nelson took 10 minutes to make a counterfeit certificate with the name of this reporter (who hasn’t yet had all their shots).
“I don’t think it’s a good idea to get it out there among the anti-vax crowd,” he said.
“People who don’t have a valid certificate can fairly easily present one — the implications of that are left up to the imagination.”
Will it be fixed?
When borders reopen and international travel resumes, countries will require proof that you’ve been vaccinated.
After discovering the flaw, Mr Nelson sent detailed instructions to the government, but has not yet heard back.
In response to questions from the ABC, a spokesman for Employment Minister Stuart Robert, who has ministerial responsibility for data and digital policy, said the government has “iteratively updated proof of vaccination certificates”.
“The government will continue to iteratively update the proof of vaccination certificates … including bolstering security measures,” he said.
From the response, it wasn’t clear if the government would be patching the vulnerability (which would require an update of the Medicare app).
Basic security audit would have found flaw
The security vulnerability is different to the one identified by Senator Rex Patrick earlier this month.
The senator used “a few graphics tools” to make a forgery of the PDF export of the vaccine certificate.
This only works on the PDF, as the certificate within the app itself is protected against counterfeiting by an animated tick, a live clock and a shimmering coat of arms (similar to the type used for digital drivers’ licences).
As can be seen in the video above, Mr Nelson’s more sophisticated forgery includes these anti-fraud features.
Mr Nelson said the flaw would have been “absolutely” raised in a security audit.
“Or, they didn’t do a security audit,” he said.
This isn’t the first time the experienced software developer has poked holes in government IT systems.
He was one of the members of the tech community who found important vulnerabilities in the COVIDSafe app last year, including the fact that the contact-tracing app did not work properly on a locked iPhone.
Privacy expert Vanessa Teague, another prominent member of the tech community, said the Medicare app flaw was “unsurprising after experiencing COVIDSafe”.
“Oh yeah, wow,” she said.
“It’s very easy to fix that flaw. It would take five minutes.”
‘Certificates need QR-code digital signatures’
The certificates also have a bigger security problem, she said.
Other designs, such as that used by the EU, have a digital signature in the form of a QR code that can be verified as a defence against fraud.
Such a system would be much harder to trick.
“They still have to do something a bit like what the EU has done,” Ms Teague said.
“There has to be some cryptographic way of verifying that the information is correct.”
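The design Ms Teague describes, a certificate whose contents are covered by an issuer's digital signature and carried in a QR code, is shown below as an added example written for this page; it is not code from the Medicare app, the EU scheme or any government project. It assumes Ed25519 keys, a made-up certificate schema (the field names are invented for the example), and base64 text standing in for the QR payload. It shows why this is harder to trick than a display-only certificate: editing the name after issuance, or presenting a certificate signed by a key the verifier does not trust, fails verification even though the visible fields look right.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Certificate is the payload an issuer would encode into a QR code.
// Field names are assumptions for this example, not any real schema.
type Certificate struct {
	Name        string `json:"name"`
	DateOfBirth string `json:"dob"`
	Vaccine     string `json:"vaccine"`
	Doses       int    `json:"doses"`
}

// Signed bundles the serialised payload with the issuer's signature over it.
type Signed struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"sig"`
}

// ErrBadSignature is returned when the payload was not signed by the trusted issuer key.
var ErrBadSignature = errors.New("certificate signature does not verify")

// Issue signs the certificate with the issuer's private key and returns the
// base64 text that a QR code would carry.
func Issue(priv ed25519.PrivateKey, c Certificate) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	blob, err := json.Marshal(Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Verify decodes a scanned QR payload and checks it against the issuer's public key.
// Anyone holding the public key can verify; only the private key holder can issue.
func Verify(pub ed25519.PublicKey, qr string) (Certificate, error) {
	blob, err := base64.StdEncoding.DecodeString(qr)
	if err != nil {
		return Certificate{}, err
	}
	var s Signed
	if err := json.Unmarshal(blob, &s); err != nil {
		return Certificate{}, err
	}
	// The signature is checked over the exact bytes before they are interpreted.
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return Certificate{}, ErrBadSignature
	}
	var c Certificate
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return Certificate{}, err
	}
	return c, nil
}

// Tamper changes the name inside an issued payload while keeping the old signature,
// modelling a visible-field edit like the ones described in the article.
func Tamper(qr, newName string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(qr)
	if err != nil {
		return "", err
	}
	var s Signed
	if err := json.Unmarshal(blob, &s); err != nil {
		return "", err
	}
	var c Certificate
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return "", err
	}
	c.Name = newName
	if s.Payload, err = json.Marshal(c); err != nil {
		return "", err
	}
	out, err := json.Marshal(s) // signature no longer matches the payload
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer key pair (constructed)
	qr, _ := Issue(priv, Certificate{Name: "Example Holder", DateOfBirth: "1990-01-01", Vaccine: "example", Doses: 2})
	_, err := Verify(pub, qr)
	fmt.Println("genuine:", err)
	forged, _ := Tamper(qr, "Someone Else")
	_, err = Verify(pub, forged)
	fmt.Println("tampered:", err)
}
```

The verifier only needs the issuer's public key, so checking can happen offline at a venue or border without contacting the issuer; the private key never leaves the issuer. A display-only certificate has nothing equivalent for a checker to test, which is why animations and a live clock deter copying of the picture but not regeneration of the screen.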
The Prime Minister has flagged the vaccine certificate will get an overhaul in October, though it’s not clear if the new version will only be used for international travel and work alongside the existing vaccine certificates.
In early July, the Australian Digital Health Agency, a statutory body responsible for implementing various digital health initiatives, issued a Request for Tender for a smartphone app for storing digital vaccination certificates, along with the results of COVID-19 tests.
The proposed mobile app will be ready “prior to December 2021” and feature “multiple authenticity and anti-fraud measures”.
The spokesman for Mr Robert did not respond to questions about whether the government was working on a new type of vaccine certificate.
#AceHealthDesk report …Published: Aug.24: 2021:
Editor says … Sterling Publishing & Media Service Agency is not responsible for the content of external sites or of any reports, posts or links. We can also be found on Telegram: https://t.me/acenewsdaily. All of our posts from Twitter can be found here: https://acetwitternews.wordpress.com/ and all WordPress and live posts and links here: https://acenewsroom.wordpress.com/. Thanks for following; as always we appreciate every like, reblog or retweet. Free help and guidance tips on your PC software, or help & guidance from our experts, at AcePCHelp.WordPress.Com