1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Flaws found in EU digital vaccine pass

Klaus Deuse
July 1, 2021

The new EU digital vaccination certificate is valid across the bloc from Thursday. The electronic passes were developed to a tight deadline, and several vulnerabilities have been left open.

A smartphone displaying Germany's coronavirus warning app
The new EU vaccination certificate can be loaded onto COVID appsImage: Chris E. Janßen/imago images

The EU's digital vaccination certificate for smartphones promises more secure freedom of movement, both within Germany and beyond its borders this summer.

While politicians have been quick to take the credit for its speedy rollout from Thursday, experts from the German security firm GData Cyber ​​Defense have discovered a number of vulnerabilities, including the risk of counterfeiting.

Thomas Siebert, head of protection technologies at Bochum-based GData, said this was not due to a lack of technology but rather to the speed of the passport's implementation.

"Being able to present a quick solution before the start of the holiday season was obviously more important than a solution that was secure from the start," Siebert told DW.

A phone displays the digital vaccine certificate
The COVID vaccination certificate will allow EU nationals to travel more freely this summerImage: Weber/Eibner-Pressefotopicture alliance

Long list of shortcomings

Tim Berghoff, a security evangelist at GData, said the vulnerabilities begin with the transfer of the data from the yellow vaccination booklet. "This digital passport does not contain the batch number of the vaccinated active substance, where the vaccination was carried out, or who carried out the vaccination."

In addition, when the vaccination certificate is created at a pharmacy or doctor's office, the entries are not checked for accuracy. The GData team came across an incorrect second vaccination date from one pharmacy. The date of the first vaccination was entered a second time.

Instead of an error message, the passport was validated without fuss. Incidentally, Germany's infectious disease agency, the Robert Koch Institute (RKI), is always named as the issuer, not the pharmacy or doctor's practice that actually issued the certificate.

Robert Koch — vaccinated twice?

Another flaw is that the digital signature remains unchecked. The security team was able to "take the coronavirus pandemic back to the 19th century and provide a fake digital vaccination certificate for a person who was born in 1843." 

They created an identity named after the famous German microbiologist and Nobel Prize winner Robert Koch. The vaccination of the fake Robert Koch would have taken place in 1890, which was in his lifetime. But as Siebert pointed out, "the coronavirus warning app accepted this vaccination certificate without complaint."

While the minimum wait for the passport to be valid is two weeks after the final vaccine is delivered, the app had no problem accepting the date of Koch's last alleged dose. "With our vaccination certificate, the waiting period was over 130 years."

A black-and-white historic photo of Robert Koch
Robert Koch, who died in 1910, is regarded as one of the main founders of modern bacteriology

From Berghoff's point of view, the most obvious weak point is the display function for the digital proof of vaccination in the app, because the digital signature is not checked. "I could also include a fantasy certificate in the corona warning app — and it would be displayed."

Fraudsters face 2 years in jail

The fact that the vaccination certificate is correctly displayed in the app is ultimately not an indicator of the certificate's authenticity, even if the RKI officially appears as the issuer. A quality standard, said Thomas Siebert, is not associated with the issuer. This is because RKI receives practically no data, but merely issues cryptographic keys for signing the vaccination certificates. To put it bluntly: if a pharmacy requests proof of vaccination for Donald Duck, it is likely to receive such proof.

In principle, fraudsters need only a fake vaccination certificate. And the alleged signature of a doctor from another city or even another country can hardly be verified in practice. 

"A forged vaccination certificate almost always also leads to a properly signed digital proof of vaccination," Siebert said soberly. 

A picture of a German vaccination passport and a syringe
Blank vaccination passports can be bought on the internet without much difficulty, along with stampsImage: picture-alliance/Eibner-Pressefoto/D. Drofitsch

Falsifying documents related to COVID-19 vaccinations is punishable under Germany's Infection Protection Act, which took effect on June 1. Anyone caught can face up to two years in prison.

Invitation for criminals

The Bochum IT security experts have also warned against malicious software that specializes in hacking access data. This type of software has been part of the standard repertoire of cybercriminals for years.

For example, fraudsters who have illegally secured a pharmacy's log-in data can use this portal to create vaccination records at will. Berghoff said a further problem is that the certificates cannot be revoked at a later date. This is due to the way that the passports are electronically certified.

Berghoff says it's clear that Germany's health ministry has exerted great pressure amid a tight deadline for the rollout of the certificate.

How can we travel safely?

"They naturally wanted to present an appropriate solution to enable citizens to regain a bit of normality for the summer vacation. That in and of itself is not a bad thing. However, in this case, it was clearly at the expense of security."

This article was adapted from German.