As many of you know, COVID-19 vaccinations are now open to anyone in Australia aged 16 or over. Along with the vaccine rollout comes the COVID-19 digital vaccination certificate. The intention of the digital certificate was to make proof of vaccination accessible anytime and anywhere, much like the digital driver's licence. It features a coat-of-arms hologram and includes the holder's name, date of birth and a 'validity tick'. The theory behind the hologram, which moves when tilted, was to prevent the creation of both fake vaccination certificates and digital licences. The problem is that the hologram is rendered by an app on the holder's own device, so a verifier is only ever looking at pixels the holder controls; nothing ties what is on screen to a record the verifier can independently check. The result is that near-perfect forgeries of the vaccine certificate can be made in 10 minutes using free software. Security experts have confirmed it is the kind of vulnerability that would have been picked up in a basic security audit. For more information see this ABC article.
Sydney software engineer Richard Nelson found the security hole in the current system, which was launched in July, while playing with the Express Plus Medicare app one evening in early August. After discovering the flaw, Nelson submitted detailed instructions to the government, but has not yet heard back.
The EU has addressed this problem with a digital signature model: the certificate is carried in a QR code whose contents are signed by the issuing authority's private key, and a verifier checks that signature against the issuer's published public key. Because the signature covers the holder's details, changing any field (a name, a date of birth, a dose count) invalidates it, and a forger cannot produce a certificate that verifies without the issuing key, however convincing it looks on screen. The unique identifier and issue timestamp in each certificate support expiry and revocation, but it is the signature that makes falsification impractical.
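To make the difference between a visual check and a cryptographic one concrete, here is a small added example (it is not code from this post, from the EU, or from Services Australia, and it is not the EU's actual certificate format, which uses CBOR/COSE rather than JSON). It uses a hypothetical simplified certificate: the issuer signs a JSON payload with an ECDSA P-256 key and packs payload and signature into the string that would go into a QR code; the verifier, holding only the public key, rejects any token whose details were edited after signing, and any token signed by a key it does not trust. The names, dates and field layout are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Certificate is a hypothetical, simplified payload: just the fields a verifier
// needs. The real EU certificate carries more and is CBOR/COSE encoded.
type Certificate struct {
	ID       string `json:"id"`  // unique certificate identifier (supports revocation)
	Name     string `json:"name"`
	DOB      string `json:"dob"`
	Vaccine  string `json:"vaccine"`
	Doses    int    `json:"doses"`
	IssuedAt string `json:"iat"` // issue timestamp (supports expiry)
}

// Issuer holds the private signing key. Only the issuing authority has this;
// verifiers are given the public half.
type Issuer struct {
	priv *ecdsa.PrivateKey
}

func NewIssuer() (*Issuer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{priv: priv}, nil
}

func (i *Issuer) PublicKey() *ecdsa.PublicKey { return &i.priv.PublicKey }

// Issue produces the string that would be encoded into the QR code:
// base64url(payload) "." base64url(ECDSA signature over SHA-256(payload)).
func (i *Issuer) Issue(c Certificate) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, i.priv, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify checks the QR content against a trusted public key and returns the
// certificate only if the signature covers exactly the bytes presented.
func Verify(token string, trusted *ecdsa.PublicKey) (*Certificate, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(trusted, digest[:], sig) {
		return nil, errors.New("signature invalid: payload altered or not signed by a trusted issuer")
	}
	var c Certificate
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// Forge mimics the hologram-style attack: edit the holder's name in the
// payload while keeping the original signature attached.
func Forge(token, newName string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var c Certificate
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	c.Name = newName
	forged, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return enc.EncodeToString(forged) + "." + parts[1], nil
}

func main() {
	issuer, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	// Constructed sample certificate for the demonstration.
	token, _ := issuer.Issue(Certificate{ID: "c-0001", Name: "Jane Citizen", DOB: "1990-01-01",
		Vaccine: "example-vaccine", Doses: 2, IssuedAt: "2021-08-01T00:00:00Z"})
	cert, err := Verify(token, issuer.PublicKey())
	fmt.Println("genuine:", cert.Name, err)
	forged, _ := Forge(token, "Mallory")
	_, err = Verify(forged, issuer.PublicKey())
	fmt.Println("forged: ", err)
}
```

The verifier never needs network access or the issuer's secret: it needs the issuer's public key, which can be distributed openly. That is the property a screen-rendered hologram cannot provide, and it is why a certificate built this way survives a forger who can reproduce every visual detail of the app.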
The Prime Minister has previously described the certificates as a "credible and effective" way for states to administer exemptions from aspects of lockdowns. However, the discovery of the flaw could put a hold on state and federal governments allowing the vaccinated more freedoms. The Prime Minister has since flagged that the vaccine certificate will be overhauled in October 21.
So what is the takeaway? Have security audits performed! They are a fantastic way of measuring your security posture at a point in time, showing you where your vulnerabilities exist and how to strengthen those weak points. Following last month's announcement of changes to the ASD Essential 8, it is crucial for businesses to re-assess their compliance and alignment. We at Comunet are able to provide security audits against NIST, ISO27001, SACSF, ISM, ASD E8 and PSPF.