Instead of the yellow vaccination card, the digital proof of vaccination on the smartphone is to serve as proof of vaccination. However, there are some glaring weaknesses behind the scenes that could render the whole concept moot and raise some more than uncomfortable questions.
We took a closer look at the digital vaccination record and the way it is created and managed. What we found was not what we expected.
"Admission only for vaccinated, tested or recovered persons" is currently still the norm in many restaurants and venues. If you have already received your vaccination(s), all you have to do is go to the nearest pharmacy, show your vaccination card and you will receive the vaccination certificate in the form of a QR code. What sounds good on paper has some huge catches in practice.
The issuing process
Vaccination portal of the Robert Koch Institute. (Source: https://digitaler-impfnachweis-app.en/vaccination-certificate-issue/)
The issuing of digital vaccination certificates is carried out in particular by doctors’ surgeries and pharmacies. Not only vaccinations administered by the issuing office itself, but also vaccinations from other vaccination centers, even from abroad, are to be certified without restriction, as long as the vaccine is approved here.
Using pharmacies as an example, the process is as follows: Pharmacies receive access data from the German Pharmacists’ Association, which they can use to register on a special portal of the Pharmacists’ Association. To create a digital immunization record, a pharmacist needs to record some data: the name of the person being vaccinated, date of birth, date of vaccination, vaccine, and number of vaccinations.
Based on this, a digital vaccination certificate is created (example on the website of the city of Nuremberg) and digitally signed. The QR code contains the digital signature together with the same information that appears on the certificate in text form. The CovPass app and the Corona warning app do virtually nothing but display this QR code.
The Corona warning app of the Robert Koch Institute is the most conspicuous weak point in the process. A look at the source code (publicly available on GitHub) shows that the app simply does not check the digital signature at all. We were thus able to move the Corona pandemic back into the 19th century: the proof of vaccination we generated is issued to Robert Koch himself, with a vaccination date of 1890, during his lifetime. The Corona warning app accepts this vaccination proof without complaint. Of course, according to the CWA app, the vaccination also counts as complete: this requires only a minimum waiting period of two weeks after the last vaccination, and with our vaccination certificate that waiting period has been over for a good 130 years.
This vaccination certificate is of course obviously recognizable as a fake. However, the program code below can be used to generate immunization records for people who are alive today. These vaccination certificates, just like the one we issued for Robert Koch, do not contain a real digital signature, but the Corona warning app currently accepts them anyway.
Clarification: This is not the already known problem that the display of the vaccination certificate can be manipulated by changing the system clock of a device. The phenomenon described shows that the Corona warning app verifies neither the digital signature nor the content of the proof (name, vaccination date, vaccine, etc.). The attack described here can be used to create arbitrary vaccination proofs with completely invented content, which the Corona warning app does not reject.
The concept of the digital proof of vaccination is that everyone who checks a proof (police, public order offices, catering businesses, event organizers, …) verifies with the CovPassCheck app whether the QR code together with its signature is actually correct. Here, at the latest, the forgery would be exposed: the CovPassCheck app is not affected by the aforementioned vulnerability. In practice, however, this step is likely to be omitted frequently if someone can show a seemingly valid certificate in the supposedly trustworthy official app of the Robert Koch Institute.
At this point, it must also be made clear that this vulnerability does not affect the Corona warning app’s other contact tracing and risk assessment functions.
(Update 28.6.: Additional update on the existing bug report at the RKI, on the spread of the CovPassCheck app and on verification in other countries at the end of the article)
Program code to create immunization records without a valid signature
Weaknesses in issuance
But the problems in the process start much earlier. There is no plausibility check whatsoever during issuance. This is illustrated by a case known to us, in which a pharmacy entered the wrong date for the second vaccination when creating the digital proof, namely the date of the first vaccination: by mistake, the same date was entered twice in the input mask. Instead of an error message, however, the system spat out the completed proof of vaccination.
Contrary to earlier reports (e.g. Tagesschau), the batch number is not recorded either (see RKI screenshot). This reveals a first curiosity: the public has repeatedly been warned against posting their own vaccination certificate on social media, batch numbers included, because these could help forgers create vaccination certificates that appear genuine. Conversely, if the batch numbers are missing from the digital vaccination record, the chance of detecting a forgery is obviously lower.
The vaccinating person or the vaccination site is not recorded in the digital certificate either. The Robert Koch Institute is always listed as the issuer of the vaccination certificate, not, for example, the pharmacy or doctor’s office that actually issued it.
Once a certificate has been issued, it is virtually impossible to identify it as illegitimate, as the relevant data is not contained in the digital vaccination certificate.
However, this data is not checked during the creation of the certificate, at least not by the Robert Koch Institute. The RKI appears officially on the vaccination certificate as the issuer, which the population might expect to be associated with some kind of quality standard. In practice, however, the RKI does not receive any data at all; it only assigns the cryptographic keys for signing the vaccination certificates. The RKI therefore cannot check anything. That still leaves two instances that could theoretically check something: the pharmacies or medical practices that issue the certificate, and those who technically create and sign the digital vaccination certificates, which in the case of pharmacies means the central portal of the German Pharmacists’ Association. The possibilities for verification would be limited anyway, because the batch number is not known and the vaccination center or vaccinator is not even recorded in the first place.
But the above example illustrates that centrally nothing is checked at all. If a pharmacy requests a vaccination certificate for Mickey Mouse, it will receive such a vaccination certificate.
Using a fake vaccination certificate to obtain a "real" digital certificate
One must therefore rely on the fact that the issuing medical practices and pharmacies carry out a plausibility check. However, according to the information available to us, this is not the case in practice.
A forged paper vaccination certificate therefore almost certainly also leads to a properly signed digital vaccination record. And forging a paper vaccination certificate is trivial.
Blank vaccination passports can be bought legally on the Internet. Stamps as well. A signature of a doctor from another city, or even another country, can of course hardly be verified. So you can simply make them up as you go along.
A realistic-looking batch sticker can easily be made oneself. A template from Biontech can be found openly on the Internet. A manufacturer of all-purpose labels for self-printing advertises accordingly: "The label in the format 25×10 mm can be used as a vaccination certificate label for the vaccine COMIRNATY® from Biontech." However, counterfeiters can actually also save themselves this effort: often, even genuine Corona vaccinations do not have batch labels applied, but the batch is entered by hand. According to the information available to us, this is the case for the vast majority of vaccination certificates.
Even though (more or less) forgery-proof labels have been announced for a few weeks, the problem will not be solved. For one thing, existing vaccinations with older labels do not thereby become invalid. Furthermore, as long as their use is not mandatory and physicians continue to frequently enter the batch number by hand, the procedure will be thwarted.
How does a counterfeiter get a matching batch number? Theoretically, one can help oneself to the still existing social media posts with real batch numbers. In practice, however, a counterfeiter can save himself the effort. According to information available to us from pharmacy circles, there is no regulation or even a conceivable possibility of a plausibility check of the batch number. Since batch numbers are not recorded in the digital vaccination certificate, there is no need to worry about a future audit either.
What many do not know, by the way:
Since 1 June 2021, falsification of vaccination records for COVID-19 vaccinations has been punishable under § 74(2) and § 75a of the Infection Protection Act. A violation carries a risk of up to two years in prison.
Potential for abuse by pharmacies and medical practices
However, a completely different scenario is also possible, namely that false vaccination certificates are deliberately issued in pharmacies and doctors’ practices, for example for financial motives, ideological proximity to opponents of vaccination or as a personal favor.
Unlike with the traditional yellow vaccination card, subsequent detection based on a later review of a digital vaccination record is not to be expected. As described, the features that make detection of a forgery possible upon closer examination are no longer included in the digital proof of vaccination. The Robert Koch Institute always appears as the official issuer. Because, according to our information, there is no documentation obligation, the issuing doctor’s office or pharmacy could always deny culpable behavior: after all, forged yellow vaccination cards could have been presented, so that the illegitimate digital vaccination certificate was not issued deliberately. Since, by the way, at least in the case of pharmacies, no individual access credentials are issued to each employee but a collective access for the entire pharmacy, the responsibility of an individual employee is almost impossible to prove.
Because pharmacies and doctors’ offices are paid for the creation of each individual vaccination certificate – even if issued incorrectly – it is also questionable to what extent there would be an unconditional will to clarify such incidents.
At this point, it should be made clear that no one should place pharmacies and doctors’ practices under general suspicion. The problem lies in the procedures. Pharmacies and doctors’ offices are given an unfulfillable responsibility when it comes to vaccination record checks. In addition, it is to be feared that access data will be leaked due to weak authentication, which can lead to false suspicions afterwards.
But that’s not all: there is also room for improvement in the security of the web portal that pharmacies use to issue the vaccination certificates. Here, a simple username and password combination suffices. Actually, multi-factor authentication of each individual transaction should be the standard in this area, just as it has been practiced for years even in online banking for private individuals with transaction numbers (TAN). Unfortunately, this is not the case here. Whoever manages to get hold of the password of a pharmacy can issue vaccination certificates at will. And malware that spies on user data of any kind (e.g. keyloggers or form grabbers) has been part of the standard repertoire of criminals for years.
Together with the problems described above, it is questionable whether the unauthorized issuance of vaccination certificates would ever be noticed in this scenario.
At the same time, this weak authentication gives any pharmacy, doctor’s office or individual employee that comes under suspicion a ready-made protective claim: a malware attack probably took place, or the access data were otherwise lost.
Given the scenarios just described, it is obvious that at least one response option should exist: recalling illegitimately created digital immunization records.
However, the latest version of the EU guidelines on vaccination certificates refers to the recall of certificates as an "additional feature" that still needs to be worked on.
From a technical point of view, the so-called public key infrastructure used here would suggest revoking keys that have been misused or compromised for signing digital proofs of vaccination. At least in the case of pharmacies, however, this is hardly an option, since according to the certificates known to us, all pharmacies use a single central key (key ID 5e455666a51e7857). The signature is ultimately issued by the portal of the German Pharmacists’ Association with its key, not by the issuing pharmacy (let alone the individual employee).
Another way would be the blocking based on the certificate identifier ("Unique Vaccination Certificate/Assertion Identifier", UVCI). This has the following form in the certificates we have:
The issuer field, i.e. the issuing entity, of the certificates known to us starts with the type of issuing entity (IZ for vaccination centers, A for pharmacies), followed by an identification number that identifies the specific pharmacy or vaccination center. However, this format has only been in use for a few days, at least for pharmacies. Previously, "DAVPU" was specified as the issuer for all certificates, i.e. the German Pharmacists’ Association. If it should turn out that incorrect vaccination certificates had previously been issued by a particular pharmacy, those certificates could not be recalled selectively; at most, all certificates from all pharmacies issued up to that time could be recalled, with the associated costs.
Another pitfall of this method: the certificate identifier is not specified Europe-wide but by each country individually. Blocking based on the certificate identifier would accordingly require a separate implementation for each country. If another EU country does not implement the German blocking method in its app, a certificate blocked in Germany might still be recognized as valid there.
So far, however, these are purely theoretical considerations. As things stand, the portals for pharmacists do not contain any functionality for recalling vaccination certificates once they have been issued. In the source code of the CovPass app, we also found no indication that there are corresponding blocking options. And the Corona warning app of the RKI, as described above, accepts even invalidly signed vaccination certificates, so that all thoughts about a possible blocking are meaningless.
In practice, this means that even if it became known that illegitimate vaccination certificates had been issued – by presenting forged yellow vaccination cards, by pharmacies and doctors’ practices acting maliciously, or by their losing their access data, for example through malware: the digital vaccination certificates could not be recalled at present.
Conclusion: Immature and with serious deficiencies
There were numerous serious omissions in the development of the digital vaccination certificate. These are not conducive to increasing the confidence of citizens in technologies provided by the state.
Basically, the impression arises that the introduction of the digital vaccination certificate was primarily a rush job. Being able to present a solution before the start of the vacation season seems to have mattered more than delivering a sustainably secure one.
In the Corona warning app, the digital signatures of the certificates are not verified. Authentication for pharmacies to generate immunization records does not meet modern security standards. The authenticity of the yellow vaccination certificates is practically not checked by anyone. A subsequent check is also hardly possible, because the relevant data are not part of the digital vaccination certificate. That this can lead to serious consequences should be clear in view of the reports about mass-issued false certificates for exemption from the mask requirement. There is practically no possibility to withdraw illegitimate vaccination certificates.
Actually, against this background, it would be appropriate to correct the problems mentioned and to withdraw and reissue all existing vaccination certificates. However, because of the costs for the taxpayer and because of the political loss of face, it is questionable whether this will be done.
The issue would certainly be re-evaluated if large-scale fraud became known, where vaccination certificates were falsely issued – and could no longer be recalled. But the current implementation of the process will make it difficult to capture such cases at all.
All in all, we can currently state the following: The digital vaccination certificates have not made the world safer, but more insecure.
Update on missing signature verification in Corona warning app
Bug known. CovPassCheck hardly used. Other countries verify signatures.
It has been brought to our attention that there is already a bug report with the developers of the Corona warning app for the lack of signature validation. The reasoning given there for deciding against signature validation is interesting. According to it, the development team wants to keep the complexity of the app low and thus as compatible as possible. There would be no additional security from additional verification anyway, because smartphone users could, after all, just as well have fake screenshots or fake apps made that display false vaccination certificates. In addition, the EU specifications contain no requirement for validation in the so-called wallet apps, which are responsible for storage on the mobile devices of the vaccinated population.
In theory, this line of reasoning is certainly not entirely wrong. In practice, nevertheless, in most cases the display of the official Corona warning app of the RKI will be trusted. The fact that the actually required verification with the CovPassCheck app only takes place to a very limited extent can already be seen in the download figures. According to the Google Play Store, the app has currently been downloaded between 50,000 and 100,000 times. This is opposed by 2,096,000 employees in the hospitality industry, 259,600 employees in the security services industry, 341,400 police officers and countless other municipal employees on the streets (especially municipal law enforcement / community enforcement services), as well as the workforces of numerous music schools, saunas, amusement parks and other relevant businesses.
Not every single one of these is responsible for compliance with the "3G rules" and thus also for checking digital proofs of vaccination with the CovPassCheck app. More than 50,000 to 100,000 people, however, certainly are.
Even though there is no obligation on the part of the European Union specifications to verify signatures in wallet apps, it is not explicitly excluded either. In the other German apps, the Luca app and the CovPass app, verification takes place. We also looked abroad.
None of the official apps we tested, from France (TousAntiCovid), Switzerland (Covid Certificate), Denmark (Coronapas) and the Czech Republic (čTečka), accept the fantasy proof we generated.
It would be desirable for the EU to stipulate in its guidelines the obligation for verification already in the wallet apps. To create awareness of the need for verification with a suitable app such as CovPassCheck, there should also be a reference to the need for this verification on the digital vaccination certificates (printed as well as in the apps).
Nevertheless, the developers of the Corona warning app should face reality, and, as with any other app, provide verification as early as the scan in the wallet app.