A flaw in Quebec’s VaxiCode Verif COVID-19 vaccine passport app shows the risks of not publishing source code for outside scrutiny before a government-backed application is released, says a threat researcher.
“Quebec government may have missed a good opportunity to publish the source code of the applications it produced for the sake of transparency,” Marc-Etienne Léveillé of ESET said in a column Tuesday. “After all, there is nothing to hide and nothing secret about these applications. The rapid discovery of flaws has shown that analysis by a larger number of experts improves the security of this type of application. The publication of the source code and its analysis by experts might have avoided scandals that could affect the public’s confidence, since the whole population would have been able to check the security by itself.”
His analysis came after two incidents last week that suggested weaknesses in the security of the app’s QR code mechanism, which links to a provincial government URL holding an individual’s vaccine health record. A Montreal newspaper said a group of hackers claimed they were able to obtain the QR codes of Premier François Legault and other politicians. Separately, a computer programmer was able to show Radio-Canada that it was easy to fool the app into accepting proof of vaccination for a fake person.
Léveillé found a problem in the iOS version of the app, although he couldn’t verify it was the same one that caused those issues.
Over the weekend he notified the app’s developer, Akinox, which patched the flaw in an update to the iOS version of the app (v 1.0.2). Léveillé hasn’t analyzed the Android version. But he noted that VaxiCode and VaxiCode Verif use the Expo framework, which allows iOS and Android apps to be produced from the same source code, so he assumes the applications on both platforms are probably equivalent.
The flaw Léveillé discovered allowed the application to be forced to recognize non-government-issued QR codes as valid.
The URL contained in the QR code uses the SMART Health Cards (SHC) specification that defines a format created earlier this year by the Vaccination Credential Initiative for exchanging information about a person’s vaccination status.
The SHC protocol requires a digital signature for verification. The digital signature is based on asymmetric cryptography, which means that a private and public key pair is used. For this app the Quebec government’s server issues the private key. The public key verifies that the signature has been made with the private key. The SMART Health Cards specification was designed to allow for the possibility of multiple vaccine evidence issuers because each country or region adopting the standard would have to issue its own pair of keys to sign and verify passports. In this way one app could be used across many jurisdictions.
Akinox included the Quebec government’s public key in VaxiCode and VaxiCode Verif. However, the code to download third-party issuer keys was still in the application, even though it is not required.
The vulnerability lies in the fact that once a public key is downloaded, it is used to validate any other passport, without checking whether it matches the content of the issuer field. So an attacker could generate a key pair and make the public key available on the internet. They could then generate two SMART Health Cards in the form of QR codes: one with arbitrary content, the other with the personal information of the person who wants to pass as vaccinated, including a field pointing to the legitimate government domain. It would be signed with the private key from the pair they generated.
During verification of the vaccine passport, the attacker presents the first QR code. VaxiCode Verif would reject it, but the attempt would force the application to download the attacker’s public key and add it to its trusted keychain. The attacker would then present the second QR code, which VaxiCode Verif would validate as legitimate.
The app update completely removes the functionality of downloading public keys from the issuer’s URL, Léveillé said.
Léveillé added that ESET didn’t test the servers allowing the issuance of vaccine passports.
“As a result of this analysis, I believe that, although VaxiCode Verif had some problems at its release, the technologies on which the system is based are solid,” he said. “The idea of using existing standards and technologies is in my opinion a good decision. It ensures both signature security and interoperability between regions using the SMART Health Cards protocol. In my opinion, a flaw in the system that denied a valid vaccine passport would have a much more serious impact than the reverse, and that is not the case here.”
That the problem was fixed in just a few days shows that all parties want a secure system, he noted, adding: “There are always areas for improvement, but the use of the digital signature proposed by SHC is, to date, secure.”