Serious security deficiencies in the digital vaccination certificate. G DATA security experts take a close look at the Covid-19 vaccination certificate for smartphones.
An investigation of the digital vaccination certificate by G DATA's security experts has shown serious failures in how its security was implemented. Anyone who wants to can create proof of vaccination without ever having received a vaccination.
The list of security problems is long
A closer look at important components of the recently launched vaccination certificate reveals some glaring weaknesses. The list of security problems is long: the Corona-Warn-App does not check the signatures of digital vaccination certificates, so anyone can create a certificate that looks real at first glance. There are even bigger conceptual problems: relevant data from the yellow paper vaccination record, for example the batch number of the vaccine, is neither checked when the certificate is created nor carried over into the digital record, which makes any later verification impossible. The access pharmacies use to create vaccination certificates is also insecure, and certificates that have already been issued cannot be revoked if they are abused. The technical foundations are not what is missing; the implementation is.
“The impression is that the introduction of the digital vaccination certificate was primarily a hasty decision. Being able to present a quick solution before the start of the holiday season was obviously more important than a solution that was secure from the start,” explains Thomas Siebert, Head of Protection Technologies at G DATA CyberDefense.
Quick shot before the holiday season
Pharmacies, medical practices and vaccination centres create the vaccination certificates through a web portal. Access to this portal is secured only with a user name and password; there is no multi-factor authentication. Malware that specialises in stealing login credentials has been part of the standard repertoire of cyber criminals for years. Fraudsters who, for example, obtain a pharmacy's login credentials illegally could in principle use the portal to issue one vaccination certificate after another.
Proof of vaccination can also be imported into the Corona-Warn-App (CWA) of the Robert Koch Institute so that it can be shown on a smartphone. However, the app does not check whether the electronic signature of the scanned document is valid. With a few lines of program code it is possible to create a QR code with a fictitious vaccination certificate, which the Corona-Warn-App accepts without complaint and which easily passes a visual inspection. Real verification of a vaccination certificate is only possible with the CovCheck app.
More at GData.de
About G DATA
With comprehensive cyber defence services, the inventor of antivirus software enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: with over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a "no backdoor" guarantee with the "IT Security Made in Germany" seal of trust from TeleTrusT e.V. G DATA offers a portfolio ranging from antivirus and endpoint protection to penetration tests, incident response, forensic analyses, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.