Flaws have been uncovered in a vaccine passport iOS app, after security researchers and hackers showed there are many security issues with Quebec's mobile verification system.
Quebec has released its VaxiCode app, a COVID-19 vaccination passport intended to provide a way to prove a person's vaccination status via their iPhone. Shortly after its release, the security of the system as a whole has already come into question.
A computer programmer identified as "Louis" successfully disproved claims by Quebec's digital transformation minister, Eric Caire, that the QR codes generated by the system "cannot be falsified, modified, or copied." In a CBC report, the man managed to create a fake proof of vaccination for a person who did not exist.
Once stored in the VaxiCode app, the fake proof was then able to fool the VaxiCode Verif companion app, which is intended for businesses to verify the documentation.
"Honestly, I am surprised that I was able to penetrate the system so easily," said the programmer.
The security issues aren't limited to creating fake proof. On Thursday, it was reported that a group of hackers was able to acquire the QR codes for Premier Francois Legault, Mayor Valerie Plante, and Quebec health minister Christian Dube, along with proofs of provincial opposition leaders and minister Caire.
The QR codes contain a number of pieces of information, including names, dates of birth, dates of vaccination, and the types of vaccines used. Caire downplayed the issue, maintaining the system is safe to use.
The system was intended to be as simple as possible to encourage adoption, but Caire says the province could make the process of obtaining a QR code more complex for improved security.
Caire also says that citizens will have to show photo identification to go to venues that require a vaccination passport. "The heart of the story is to prove your identity," said Caire. "I want it to be very clear, the QR code has not been falsified, it has not been modified, and it remains secure."
Quebec is mandating the use of vaccination passports for a number of activities from September 1, including sitting in a bar or restaurant, going to a festival or gym, and other situations with a high risk of transmission.
The issues have led to a letter being sent from Quebec Solidaire spokesperson Gabriel Nadeau-Dubois to Quebec Premier Legault, calling the situation an "unforgivable mess." The letter asks the premier to fix the breach, "otherwise, suspending the vaccine passport until a long-term solution is found will need to be considered."
22 Comments
That is disconcerting. They are implementing a Vaccine Passport here in BC next month. I hope they use a more secure system. It's sad, though, that there are people that will work hard to make themselves a fake VP, or buy one from someone, rather than just getting the shot for free. Reminds me of the people that spend a hundred dollars worth of time and hassle to build a system to save thirty dollars on their taxes.
I also live in Quebec. A vaccine passport is NOT segregation, NOT apartheid and certainly bears no resemblance to what took place in Nazi Germany. Shame on those who make these claims. No one has the right to wilfully infect other persons with Covid - or polio - or any number of other diseases we are vaccinated for. I am 100% in favour of this passport. I want to know that an event I am attending is safe. The public good is more important than individual rights. If this person doesn't want to get vaccinated, he doesn't have to. He just won't get to go to public events - which is best for the rest of us. I have no doubt the security issues will soon be fixed. Besides, my driver's license has more info on it than the passport.