Facing increasing pressure to reopen Australia’s international borders, the government has fast-tracked the development of digital vaccination certificates – but with cyber security researchers easily altering existing certificates, newly unveiled Digital Passenger Declarations (DPDs) will need to dramatically improve security.
Announced this week as an amalgam of existing Incoming Passenger Card and COVID-19 Australian Travel Declaration forms, the new DPDs are designed as testamentary evidence that will ultimately allow Australians to demonstrate their vaccination status here and abroad.
The new system – to be built and implemented by Accenture under a $75m contract – will enable travellers to use the MyGov portal to integrate a digital proof of vaccination into a QR code linked to their passports, which will be used to verify their status within 72 hours of travel.
Faced with threats by airlines to pull out of Australia’s aviation market – American Airlines has already suspended flights to Sydney – the federal government will be relying on the DPDs as it works to bring forward the reopening of Australia’s borders to as early as November.
Yet for all the importance of the DPD, security experts warn that it will need to be much better designed than existing certificates – which can be easily manipulated to say whatever a security expert wants them to.
Sydney software engineer Richard Nelson last month demonstrated how a man-in-the-middle attack – in which he intercepts requests by the Express Plus Medicare app and supplies his own information instead – allowed him to produce an authentic-looking COVID-19 digital certificate with any information he wanted.
“This should not be anywhere near this easy to fool,” Nelson tweeted as the as-yet-unvaccinated security researcher demonstrated a certificate in the Express Plus Medicare app testifying to his vaccination status.
More recently, software engineer and Volantio cofounder Fenn Bailey found another security flaw using what he described as a “high-school grade permissions password” that allowed the PDF-based vaccination certificates to be changed to say whatever a person wants.
Experts agree the use of PDFs and unsigned back-end data requests fails to provide the required levels of security, which other countries have provided through QR codes that integrate data encryption and digital signatures confirming the origin of the source data.
“With current systems you’re able to create a secure PDF, but once you’ve tried to pass it into other systems the security features disappear,” Professor Matthew Warren, director of the RMIT University Centre for Cyber Security Research and Innovation, told Information Age. “That leaves it open for vulnerabilities to be exploited.”
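The signed QR approach mentioned above, as an added example that is not from the article, from Nelson's proof-of-concept or from any government system: the signature is part of the QR text, so it survives being passed between systems, and an edited copy fails verification wherever the issuer's public key is available. The certificate fields, the key handling and the `payload.signature` layout are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Certificate holds constructed sample fields, not the real DPD or MyGov schema.
type Certificate struct{ Name, Passport, Status string }
var enc = base64.RawURLEncoding

// NewIssuerKey creates a key pair for a hypothetical issuing authority.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue returns "payload.signature", so proof of origin is part of the QR text.
func Issue(priv ed25519.PrivateKey, c Certificate) string {
	body, _ := json.Marshal(c) // a struct of plain strings always marshals
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(priv, body))
}

// Verify checks the signature over the received bytes before trusting any field.
func Verify(pub ed25519.PublicKey, token string) (c Certificate, err error) {
	payload, sigText, _ := strings.Cut(token, ".")
	body, err1 := enc.DecodeString(payload)
	sig, err2 := enc.DecodeString(sigText)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return c, errors.New("certificate rejected: bad encoding or signature")
	}
	err = json.Unmarshal(body, &c)
	return c, err
}

func main() {
	pub, priv := NewIssuerKey()
	token := Issue(priv, Certificate{"Alex Example", "PA0000000", "not vaccinated"})
	_, sig, _ := strings.Cut(token, ".")
	edited, _ := json.Marshal(Certificate{"Alex Example", "PA0000000", "vaccinated"})
	_, err := Verify(pub, enc.EncodeToString(edited)+"."+sig)
	fmt.Println("edited copy rejected:", err != nil)
}
```

A verifier needs only the issuer's public key, which is what lets a check made at a border or a venue reach the same answer as the issuing system.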
The struggle for verifiability
Problems dealing with forged vaccination certificates – a growing problem that has also spawned a cottage industry online – are by no means limited to Australia: Malaysia’s Ministry of Health last month warned that action would be taken against anyone forging digital COVID-19 vaccination certificates in its MySejahtera application.
Singapore’s Ministry of Health has also been investigating the issue, with new advice recommending local businesses closely scrutinise vaccine passports and noting that anyone vaccinated overseas would need to demonstrate their vaccination status with blood tests.
Given the wide variations between countries and states and the demonstrated security risks of existing solutions, Warren – whose team has been exploring the security weaknesses of existing approaches – believes authorities should step back and weigh up their options.
Nelson, for his part, has pulled together a proof-of-concept that generates secure QR codes using MyGov data. And technologies like blockchain already provide an irrefutable, unmodifiable way of tracking individuals’ vaccination status and travel movements.
“There is technology available that could be used in a very effective way,” Warren said, “but it’s all to do with how quickly these last-minute things can be developed.”
With “balkanised” states each developing their own, incompatible apps and the federal government in overdrive as it pushes to reopen borders, Warren believes expedience is compromising the potential security and efficacy of digital vaccine passports.
“We’ve all gone back to being state-based citizens,” he said, “and if you’ve got all the states trying to develop their own different systems, there are going to be vulnerabilities identified in those.”
A more consistent standard like the IATA Travel Pass, spearheaded by the peak global airline organisation, may be more effective in enabling smooth and verifiable movement between countries – although even that system will be challenged by countries such as the United States that continue to rely on paper-based arrival cards.
“Even if everyone starts to adopt that, it’s going to be fragmented,” Warren said. “You’re only going to be able to travel to certain countries that have these technologies in place.”