An investigation by G DATA's security experts into the digital proof of vaccination has revealed serious omissions in its security implementation. Anyone determined to do so can create a proof of vaccination without ever having been vaccinated. […]
A closer look at important components of the recently introduced digital proof of vaccination shows that it brings with it some glaring vulnerabilities. The list of security problems is long: the Corona Warning app does not check the signatures of the digital vaccination certificates, so anyone can create a proof that looks genuine at first glance. There are, however, much larger conceptual problems: relevant data from the yellow paper vaccination record, for example the batch number of the vaccine, are neither checked nor included in the digital vaccination certificate when it is created. This makes any later audit impossible. The access that pharmacies use to create vaccination certificates is also insecure, and once a vaccination certificate has been issued it cannot be revoked in the event of abuse. What is lacking is not the technical foundations but the implementation.
“It gives the impression that the introduction of digital proof of vaccination was above all a quick shot. Being able to present a quick solution before the start of the holiday season was obviously more important than a secure solution right from the start,” explains Thomas Siebert, Head of Protection Technologies at G DATA CyberDefense.
No multi-factor authentication
Pharmacies, medical practices and vaccination centers create the vaccination certificates via a website. Access to this portal is secured only with a user name and password; there is no multi-factor authentication. Malware that specializes in stealing login credentials has been part of the standard repertoire of cybercriminals for years. Fraudsters who, for example, illegally obtain a pharmacy's login data could in principle use the portal to create vaccination certificates at will.
Vaccination certificates can also be imported into the Corona Warning app (CWA) of the Robert Koch Institute so that they can be shown on a smartphone. However, the app does not check whether the electronic signature of the scanned proof is actually valid. With a few lines of program code it is possible to create a QR code containing an invented vaccination certificate, which the Corona Warning app readily accepts and which easily withstands a visual inspection. A genuine verification of the proof of vaccination is only possible with the CovCheck app.
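The two omissions named above, the missing signature check and the missing revocation, shown side by side in an added Go example that is not part of the original article and not the code of the Corona Warning app or of any real certificate verifier. A parse-only path decodes and returns whatever well-formed payload it is given; the hardened `Verify` path accepts a certificate only if its signature validates under a key in the verifier's trust store and its id is not on a revocation list. The certificate fields, the `<body>.<signature>` payload layout, the issuer id `PHARMACY-EXAMPLE-01` and the sample values are all constructed for this illustration; the real EU certificate is a CBOR/COSE structure and is not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Certificate is a simplified, assumed stand-in for the certificate payload
// (the real EU certificate is CBOR/COSE; this JSON shape is for illustration only).
type Certificate struct {
	ID      string `json:"id"`      // unique certificate id, the key used for revocation
	Name    string `json:"name"`
	Vaccine string `json:"vaccine"`
	Batch   string `json:"batch"`   // batch number, so the entry can be audited later
	Issuer  string `json:"issuer"`  // identifier of the signing key
}

// TrustStore maps issuer identifiers to the public keys the verifier trusts.
type TrustStore map[string]ed25519.PublicKey

// Revocations is the set of certificate ids withdrawn after issue.
type Revocations map[string]bool

var (
	ErrMalformed     = errors.New("malformed payload")
	ErrUnknownIssuer = errors.New("issuer not in trust store")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrRevoked       = errors.New("certificate has been revoked")
)

// NewIssuerKey generates a fresh Ed25519 key pair for a hypothetical issuer.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs the certificate and returns the QR payload "<body>.<signature>",
// both parts base64url-encoded (constructed format, see lead-in).
func Issue(priv ed25519.PrivateKey, c Certificate) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(priv, body)), nil
}

// splitPayload separates and decodes the two parts of a payload.
func splitPayload(payload string) (body, sig []byte, err error) {
	parts := strings.SplitN(payload, ".", 2)
	if len(parts) != 2 {
		return nil, nil, ErrMalformed
	}
	if body, err = base64.RawURLEncoding.DecodeString(parts[0]); err != nil {
		return nil, nil, ErrMalformed
	}
	if sig, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, nil, ErrMalformed
	}
	return body, sig, nil
}

// ParseOnly mirrors the weakness described in the text: it decodes the payload
// and returns the certificate without ever checking the signature, so any
// well-formed payload is accepted and displayed.
func ParseOnly(payload string) (Certificate, error) {
	body, _, err := splitPayload(payload)
	if err != nil {
		return Certificate{}, err
	}
	var c Certificate
	if err := json.Unmarshal(body, &c); err != nil {
		return Certificate{}, ErrMalformed
	}
	return c, nil
}

// Verify is the hardened path: the payload is accepted only if its signature
// validates under a trusted issuer key and the certificate id is not revoked.
func Verify(payload string, trusted TrustStore, revoked Revocations) (Certificate, error) {
	body, sig, err := splitPayload(payload)
	if err != nil {
		return Certificate{}, err
	}
	var c Certificate
	if err := json.Unmarshal(body, &c); err != nil {
		return Certificate{}, ErrMalformed
	}
	// The issuer field comes from the still-unverified body and only selects
	// which key to try; the signature check decides whether the claim is genuine.
	pub, ok := trusted[c.Issuer]
	if !ok {
		return Certificate{}, ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, body, sig) {
		return Certificate{}, ErrBadSignature
	}
	if revoked[c.ID] {
		return Certificate{}, ErrRevoked
	}
	return c, nil
}

func main() {
	pub, priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	trusted := TrustStore{"PHARMACY-EXAMPLE-01": pub}
	// Constructed sample certificate; every value is made up.
	cert := Certificate{ID: "URN:EXAMPLE:0001", Name: "Erika Mustermann",
		Vaccine: "EXAMPLE-VAX", Batch: "LOT-0001", Issuer: "PHARMACY-EXAMPLE-01"}
	genuine, _ := Issue(priv, cert)
	_, otherPriv, _ := NewIssuerKey() // a key the verifier does not trust
	untrusted, _ := Issue(otherPriv, cert)
	for _, p := range []string{genuine, untrusted} {
		_, parseErr := ParseOnly(p)
		_, verifyErr := Verify(p, trusted, Revocations{})
		fmt.Printf("parse-only accepts: %v, verify accepts: %v (%v)\n", parseErr == nil, verifyErr == nil, verifyErr)
	}
}
```

The design point is that the issuer identifier in the payload is never trusted on its own: it only picks which public key to check against, and the signature check is what turns the claim into evidence. A revocation list keyed on the certificate id is what the text says the real system lacks; here it is a single lookup after the signature has been validated, so a withdrawn certificate fails even though its signature is still mathematically valid.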