For months there has been speculation that the security of the digital vaccination certificate leaves much to be desired. Last week, the Swiss portal Watson.ch reported that shady channels were offering fake EU vaccination certificates from a German source for around 140 euros.
Few hurdles for counterfeiters
The German Pharmacists Association (DAV) immediately rejected all doubts about the security of the certificate issuance: “We have so far not received any evidence that vaccination certificates could have been issued in German pharmacies without the corresponding legal basis.”
Security experts André Zilch and Martin Tschirsich have now proven that there are only a few hurdles to overcome for such abuse.
As a result of the hack, the pharmacists’ association has taken the portal for issuing certificates offline until further notice – reopening date unknown.
Fake “Sun Pharmacy” gets real access
As the Handelsblatt reported, the security researchers invented a “Sun Pharmacy”. In the registration form for using the DAV portal, they gave an apartment building in Darmstadt as the pharmacy’s address.
The two supporting documents required for registration were easy for the security researchers to forge: for the operating license they manipulated a real document with image-editing software, since apparently many pharmacies publish their operating licenses on the Internet. The notice from the night and emergency service fund was fabricated from generally accessible information on the Internet and from inquiries with a neighboring pharmacist.
After two days, the security researchers received a registration code by post. When the portal then asked for a telematics ID, they entered random numbers.
This cleared the way to create their own certificates with any name and vaccination date. As proof, Tschirsich and Zilch issued a pair of certificates that the official CovPass Check app of the Robert Koch Institute accepted without hesitation.
The DAV removes the certificate server from the network
The security researchers then contacted the DAV, which took the certificate server offline until further notice on Wednesday afternoon after consulting the Federal Ministry of Health. Since then, German pharmacies can no longer issue digital vaccination or recovery certificates nationwide.
In an official statement, the DAV was dismayed: The Handelsblatt had created a guest account with “professionally forged documents”. Pharmacies that are not members of one of the regional pharmacists’ associations must use guest access. According to the DAV, guest access is checked several times a week.
Prompted by the Handelsblatt report, the DAV has now carried out an additional check: “Up until this Thursday noon, this did not reveal any evidence of other unauthorized access, the creation of which with fraudulent intent is only conceivable with considerable effort and criminal energy.”
If the information from Watson.ch is accurate, there should be at least one more rotten egg among the 17,900 pharmacies registered for the portal. The fact that the DAV has switched off not only the guest access but the entire server does not bode well.
What class of security?
In any case, the security researchers managed to outsmart the DAV with shockingly little effort. After uploading the application for guest access on a Sunday evening, the researchers received the message at 9:50 the following Monday morning that the documents had been “successfully checked”.
During its “check”, the DAV does not even seem to have used a map service or a telephone directory – otherwise it would probably have been quickly discovered that there is no pharmacy with the given name at the alleged address.
The falsification of the required documents was evidently downright trivial. There were enough templates online for the operating permit. The notices of the night and emergency service fund are “a simple letter without security features” that can be easily copied.
The fact that Tschirsich and Zilch were able to enter “any 19 digits” in the mandatory field for the telematics ID when registering for the first time does not cast a good light on the DAV’s understanding of security. Either the security researchers were extraordinarily lucky to get hold of a real ID, or there is a lack of basic verification steps here as well.
Where next for the digital vaccination certificate?
Existing certificates are initially unaffected by the shutdown of the DAV server, since the portal was only a front end to the infrastructure provided by the Robert Koch Institute. Vaccination centers should still be able to issue vaccination and recovery certificates, as should medical practices, provided they do not use the DAV portal to issue them.
According to the pharmacists’ association, 25 million certificates have now been issued via the DAV portal. Because of the architecture chosen for the EU COVID-19 vaccination certificate, certificates cannot be revoked individually. At most, the signing key used by the pharmacies could be withdrawn, which would invalidate every certificate issued with it at a stroke.
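The two consequences described above, that a checker app accepts any certificate carrying a valid signature from a trusted key and that the only remedy is withdrawing the whole key, as an added example in Go that is not code from the article, the DAV or the Robert Koch Institute. It is a deliberately simplified model of the EU DCC trust model (the real format is COSE/CBOR-signed); the key id “dav-portal”, the name and the dates are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert stands in for an EU DCC: the payload (CBOR/COSE in the real format), the
// key id (KID) of the document-signer key that signed it, and the signature.
type Cert struct {
	KID          string
	Payload, Sig []byte
}
// NewKey creates a document-signer key such as the one behind the DAV portal.
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the RNG is broken
	return k
}

// Issue signs whatever payload it is given: the signature proves only that the
// key holder produced it, not that the name or vaccination date are true.
func Issue(kid string, key *ecdsa.PrivateKey, payload string) (Cert, error) {
	h := sha256.Sum256([]byte(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return Cert{KID: kid, Payload: []byte(payload), Sig: sig}, err
}
// TrustList maps KIDs to public keys, like the list a checker app downloads.
// It has no per-certificate entries, so the only lever is withdrawing a key.
type TrustList map[string]*ecdsa.PublicKey
// Verify mirrors a checker app: look up the key by KID, then check the signature.
func (t TrustList) Verify(c Cert) bool {
	pub, ok := t[c.KID]
	if !ok {
		return false // key unknown or withdrawn: every cert under it fails
	}
	h := sha256.Sum256(c.Payload)
	return ecdsa.VerifyASN1(pub, h[:], c.Sig)
}

func main() {
	key, trust := NewKey(), TrustList{}
	trust["dav-portal"] = &key.PublicKey // constructed KID, not the real one
	c, _ := Issue("dav-portal", key, "Max Mustermann; dose 2/2; 2021-11-01") // constructed data
	fmt.Println("accepted while key trusted:", trust.Verify(c))
	delete(trust, "dav-portal") // withdrawing the key is the only revocation lever
	fmt.Println("accepted after key withdrawn:", trust.Verify(c))
}
```

Withdrawing the key also invalidates the 25 million legitimately issued certificates, which is exactly the dilemma the article describes.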
André Zilch, one of the two security researchers, is also aware of this. He told the Handelsblatt: “The only honest solution would be to invalidate all of the millions of vaccination records that were issued via the DAV portal”.