Flaws found in EU digital vaccine pass

The EU's digital vaccination certificate for smartphones promises more secure freedom of movement, both within Germany and beyond its borders this summer.

While politicians have been quick to take the credit for its speedy rollout from Thursday, experts from the German security firm GData Cyber ​​Defense have discovered a number of vulnerabilities, including the risk of counterfeiting.

Thomas Siebert, head of protection technologies at Bochum-based GData, said this was not due to a lack of technology but rather to the speed of the passport's implementation.

"Being able to present a quick solution before the start of the holiday season was obviously more important than a solution that was secure from the start," Siebert told DW.

Long list of shortcomings

Tim Berghoff, a security evangelist at GData, said the vulnerabilities begin with the transfer of the data from the yellow vaccination booklet. "This digital passport does not contain the batch number of the vaccinated active substance, where the vaccination was carried out, or who carried out the vaccination."

In addition, when the vaccination certificate is created at a pharmacy or doctor's office, the entries are not checked for accuracy. The GData team came across an incorrect second vaccination date from one pharmacy. The date of the first vaccination was entered a second time.

Instead of an error message, the passport was validated without fuss. Incidentally, Germany's infectious disease agency, the Robert Koch Institute (RKI), is always named as the issuer, not the pharmacy or doctor's practice that actually issued the certificate.

Robert Koch — vaccinated twice?

Another flaw is that the digital signature remains unchecked. The security team was able to "take the coronavirus pandemic back to the 19th century and provide a fake digital vaccination certificate for a person who was born in 1843." 

They created an identity named after the famous German microbiologist and Nobel Prize winner Robert Koch. The vaccination of the fake Robert Koch would have taken place in 1890, which was in his lifetime. But as Siebert pointed out, "the coronavirus warning app accepted this vaccination certificate without complaint."

While the minimum wait for the passport to be valid is two weeks after the final vaccine is delivered, the app had no problem accepting the date of Koch's last alleged dose. "With our vaccination certificate, the waiting period was over 130 years."

From Berghoff's point of view, the most obvious weak point is the display function for the digital proof of vaccination in the app, because the digital signature is not checked. "I could also include a fantasy certificate in the corona warning app — and it would be displayed."

Fraudsters face 2 years in jail

The fact that the vaccination certificate is correctly displayed in the app is ultimately not an indicator of the certificate's authenticity, even if the RKI officially appears as the issuer. A quality standard, said Thomas Siebert, is not associated with the issuer. This is because RKI receives practically no data, but merely issues cryptographic keys for signing the vaccination certificates. To put it bluntly: if a pharmacy requests proof of vaccination for Donald Duck, it is likely to receive such proof.

In principle, fraudsters need only a fake vaccination certificate. And the alleged signature of a doctor from another city or even another country can hardly be verified in practice. 

"A forged vaccination certificate almost always also leads to a properly signed digital proof of vaccination," Siebert said soberly. 

Falsifying documents related to COVID-19 vaccinations is punishable under Germany's Infection Protection Act, which took effect on June 1. Anyone caught can face up to two years in prison.

Invitation for criminals

The Bochum IT security experts have also warned against malicious software that specializes in hacking access data. This type of software has been part of the standard repertoire of cybercriminals for years.

For example, fraudsters who have illegally secured a pharmacy's log-in data can use this portal to create vaccination records at will. Berghoff said a further problem is that the certificates cannot be revoked at a later date. This is due to the way that the passports are electronically certified.

Berghoff says it's clear that Germany's health ministry has exerted great pressure amid a tight deadline for the rollout of the certificate.

"They naturally wanted to present an appropriate solution to enable citizens to regain a bit of normality for the summer vacation. That in and of itself is not a bad thing. However, in this case, it was clearly at the expense of security."

This article was adapted from German.