As the NSW Government ramps up its plans to incorporate “Covid vaccination status” into the QR check-in via the Service NSW app, security experts have found major security flaws in the Federal Government vaccination certificates, which potentially put the entire scheme at risk.
The protections against editing the PDF vaccination certificate can be bypassed in seconds, say the technical experts, because the government is relying on a “high-school grade permissions password”. This means, if you know what you’re doing, the certificate can be easily overwritten.
Of course, this puts the validity of the certificates in question, and it would create big problems for the government granting ‘extra’ freedoms to people who are vaccinated.
This is not the first time security bugs have been identified in the system.
South Australian Senator Rex Patrick claimed he forged a COVID-19 vaccination certificate in just 15 minutes last month, alerting authorities to the issues, which the Federal Government claims have since been resolved.
Appalling track record
Australian governments have nothing short of an appalling record when it comes to technology schemes.
And just last year, the national COVIDSafe app proved to be a dismal, expensive, taxpayer-funded failure with a litany of issues and limited uptake.
Self-inflicted skills shortage
Numerous Australian Government Departments, including the Australian Defence Force, have been infiltrated by cyber-attacks, and cyber-security experts have long warned that our nation has a chronic shortage of encryption experts.
A significant reason for that shortage is Australia’s ban on teaching encryption without a government-issued licence.
It can be confidently stated that the prohibition is one of the most illogical, futile and counter-productive moves made by any government regarding technology, given that such technologies are learned and taught around the world without the need for government-issued licences.
Indeed, the potential of being criminally prosecuted for not fully complying with the strict rules in Australia has contributed to those who might otherwise work to protect our nation leaving for other countries (or not coming here from other nations) to learn, teach and/or practise their skills.
Being overseas means these skilled people are in a better position both to infiltrate Australian systems and to escape prosecution for illegally hacking them.
To many, the prohibition exemplifies the Australian Government’s fear-based, knee-jerk and ill-thought-out decision-making when it comes to technological matters.
Australia ignores international guidelines
Australia has also been criticised for ignoring interim guidance on developing vaccination certificates released by the World Health Organization, which recommended using digital signatures to verify authenticity, as the EU model does.
By ignoring these guidelines, Australia runs the risk of not having full “global operability” … that is, compatibility with systems in other countries.
Only time will tell what the implications for international travellers are.
What about New South Wales?
So, would the NSW state-based system be any more secure? A trial of the QR check-in and linked vaccination status is expected to be rolled out later this year.
Despite the fact that the Federal Government, which is developing vaccination passports for international travel, decided against introducing the passport domestically, the Berejiklian Government is moving ahead anyway, all but ignoring the issues around personal privacy, confidentiality and discrimination.
Under the NSW system, police and businesses will have the responsibility for checking vaccination status, but given the potential for forgeries, there is a risk of not being able to tell the difference between the real deal and the fakes.
Meanwhile, the demand for fake vaccine passports is on the rise globally, as other countries, including Canada, the UK and France, implement similar systems.
The French system is so far the harshest. Under the legislation, those who enter a range of venues without a Covid pass – which is issued once a person is fully vaccinated – or a negative Covid test will face 6 months in prison and a €10,000 ($16,000 AUD) fine. Business owners who fail to check the status of patrons will face a 1-year prison sentence and a €45,000 (about $72,000 AUD) fine.
The very high cost of freedom
What’s interesting is the change that has occurred in the collective Australian psyche over the past 18 months after living with on-off lockdowns, restricted movement, curfews and border closures.
When the Federal Government’s COVIDSafe app was introduced in April last year, many people were very concerned about having their movements tracked and handing over their personal information. Similarly, QR check-ins in NSW were met with resistance, particularly after the Federal Government’s Australian Signals Directorate issued warnings about their use.
But now, it seems, many people have simply accepted that in future their vaccination status — which has until now been private health information — will be public knowledge.
Many Australians have also simply accepted that the NSW Government’s policies dictate that regaining freedoms will be contingent on being vaccinated, with at least one dose of the three government-endorsed Covid vaccinations.
Australians clearly want their lives back, and a return to some sense of ‘normalcy’, but as time goes on they are being expected to pay an increasingly heavy price for it.