Canadian supporters of a digital COVID-19 proof of vaccination to help bring some normalcy back to businesses were stung after two holes were apparently dug into Quebec’s VaxiCode app.
First, the Journal de Montréal reported last week that a group of hackers were able to obtain the QR codes of Premier François Legault, Montreal Mayor Valérie Plante, Quebec Health Minister Christian Dubé, as well as those of provincial opposition leaders Dominique Anglade and Gabriel Nadeau-Dubois.
Then a computer programmer was able to show Radio-Canada that it was easy to fool the app into giving proof of vaccination to a fake person.
The incidents, says a cybersecurity expert, proves the importance of having strong authentication behind so-called digital vaccine passports.
“Any software that is controlled by specific input in order to generate output can be manipulated if it was not designed securely,” Ed Dubrovsky, managing partner of Toronto-base Cytelligence, an incident response and penetration testing firm.
If someone can figure out how to insert data into an IT system, they could manipulate the status of a person’s vaccination status as well. “The INSERT or UPDATE functions in such a system must be heavily controlled via extensive authentication capabilities — for example multi-factor authentication — and not exposed publicly using weak controls,” he said.
Quebec’s digital transformation minister defended VaxiCode as safe, while acknowledging getting a QR code — which includes a person’s name, date of birth, the dates of vaccination as well as the type of vaccines received — may have to be toughened.
VaxiCode requires users to photograph a QR code given to them on a paper certificate the province gives as proof of vaccination. The app lists each vaccination and date. Users still have to produce photo identification to confirm the smartphone holder is the person who has been vaccinated.
The incidents come as Liberal leader Justin Trudeau promised the provinces $1 billion will be set aside to help those who want to create their own so-called vaccine passports. The federal government has also said it will offer a vaccine passport for foreign travel. It wasn’t clear whether Ottawa will offer a digital version, but the plan will need the willingness of the provinces to give access to upload or link their vaccine databases to the federal government.
Quebec and B.C. are the only provinces so far that have digital vaccine passports. Ontario’s cabinet will reportedly debate offering some sort of vaccine certificate on Tuesday. It isn’t clear if the province will only offer a paper document, or a digital one as well.
Digital app developers are caught between three demands: The need to only show the information that an organization — a restaurant, gym, office, border guard — needs to accept proof of vaccination, the need to make the app secure, and the need to make the app easy to use on Android and Apple platforms. Solutions don’t necessarily need to be built around a QR code.
“It is always important to remember that systems such as these are built for a specific purpose,” Dubrovsky said after looking at news reports of the Quebec incidents.
Looking at the Quebec app, he noted that the front-end requires anyone that has access to the QR code to display the code to another party, and that the receiving party needs to be able to use the code to translate to a regular URL that allows them to browse to the specific record displayed and validate the name against a government ID, and the status of a vaccination.
“Technically, the more URLs a third party like a restaurant has the easier it becomes to possibly guess or attempt to access other URLs of people who never provided consent to get into their records,” he said.
“It is likely that the translated URL which is received from scanning the QR code is too simple, and access is public, hence using simple automated tools one can attempt to pull down other URLs.” For example, he said, if the URL scanned by the QR code was translated to the theoretical “http://vaccinationsdb.in.quebec.ca/AAAABBBBCCCCDDDD1” someone could change the 1 to a 2 and see if another person’s certificate pops up. These changes can be automated at thousands per second, he said, and some may get a “hit” or return a legitimate record.
He thinks it “highly likely” that the Quebec record numbers are guessable, using some logic that someone can figure out, and therefore allow them to translate a name to a record without ever seeing the QR code.
“Access to such information should be using an authentication process for the party that seeks to validate the vaccination process in order to block other parties from viewing this information,” Dubrovsky said, However, he added, it is likely that this will pose additional difficulties as those credentials may also be compromised.