Are vaccine passports giving a free pass to COVID-19 rule breakers?

Vaccine passports, which are documents that contain an individual’s personal details, health records and COVID-19 vaccine status, are becoming a key part of daily life in the post-pandemic world. They are usually accessed via a mobile app or physical certificate, and are already being introduced en-masse across the EU, USA, Israel and China, with plans to introduce them in Australia in the near future.

The passports offer users a convenient method of proving their vaccine status when entering venues or travelling abroad, but their widespread rollout and storage of personal information presents several implications for security and privacy. At NCC Group, we’ve been researching a number of these apps to gauge the extent to which user privacy is affected by vaccine passports, and the degree of trust that users should place on digital vaccine credential systems as a result.

Fake credentials

The New York State (NYS) Excelsior Pass applications were some of the first apps that we researched due to their early rollout. The systems enable users to add credentials by interacting with the NYS servers or by scanning a QR code or photo. However, our research revealed that while the NYS Excelsior Scanner app accurately verified the vaccine credentials that the user presented, the Wallet app did not validate credentials added to it before the vendor released a fix in August 2021.

As a result, forged credentials could have been added to the Wallet and used as a legitimate pass, enabling individuals to gain access to physical spaces and venues that required COVID-19 passports without receiving a COVID-19 vaccine.

As Siddarth Adukia, Technical Director at NCC Group, explains: “The issue that allowed fake credentials to be stored in the wallet was due to incomplete threat modelling and consideration of where and how the systems could be abused rather than a technical limitation. Some venues don’t use the Scanner app or ignore the verification results and trust the seemingly legitimate data on a user’s device, leaving the technology open to abuse.”   

What should organisations do?

Our technical advisory outlines the actions that authorities and developers of this type of technology should take to ensure the successful verification of COVID passports.

According to Siddarth, the responsibility must be balanced between developers and venues or organisations that wish to use the technology: “it’s a fine line between making the technology hard to abuse, and using it correctly. It is critical that venues use the Scanner app to validate vaccine credentials. Locking the Wallet application down to prevent the storage of fake credentials makes it harder for someone to present them convincingly, but venues could just as easily accept fake paper vaccination cards if they are not diligent.

“Developers should consider how this technology could be subverted on a social level, before taking proactive steps to curb such actions and make it harder to abuse the system. This could involve threat modelling how the apps are used, their technical and non-technical concerns, and expanding on education for the individuals and venues that use the applications. It should also involve collecting and using the least amount of data required and other data minimisation principles where possible.”  

For more information, read our full technical advisory here.