Software developers say South Australia’s new app-based proof-of-vaccination system is vulnerable to easily counterfeited alternatives.
The state government’s VaxCheck system, which started on Tuesday, integrates a COVID vaccination certificate into the mySA GOV app already used for check-ins.
SA is the second-last state or territory in Australia to offer such a solution, and anti-vaccine activists have already explored many ways to work around the federal and interstate equivalents.
Proof of vaccination is currently required in South Australia of SA Police officers and staff, taxi drivers working in healthcare settings, schools, kindergartens, early childhood facilities, aged care facilities and airports, and all Adelaide City Council staff, volunteers and contractors by 10 December, with further authorization to be announced by the authorities.
Proof of vaccination is also now a requirement to enter a variety of small businesses and venues across the state, including the Adelaide Oval, Convention and Entertainment centres, Adelaide and Monarto zoos, Memorial Drive international tennis, and some wineries and medical clinics.
The decision on whether to require vaccination in other settings is currently up to business owners, but some industries are calling for an extension of the mandate.
Richard Nelson, a Melbourne-based software developer who proved vaccine certificates can be faked in minutes in the federal government’s Express Plus Medicare app, told InDaily the SA solution is better than that, but still easy to get around.
“The SA app doesn’t share the same vulnerabilities that the Medicare Express app has, which is a really low bar,” he said.
Nelson warned that various state government apps “can be manipulated to display anything.”
Unvaccinated Australians shared techniques on how to create digital copies of vaccination certificates, and Instagram even ran ads promoting fake certificates.
Adelaide Airport check-in. Photo: Tony Lewis/InDaily
A state government spokesman said South Australia’s digital vaccine certification system is “compliant with Federal Government security requirements” and requires users to “enter a pin number or biometric verification (in the form of fingerprint or facial recognition)”.
When a user connects their vaccination certificate to the mySA GOV app and checks in at a location with mandatory vaccination requirements, the check-in screen will confirm that they have a valid certificate.
Most venues are not required to mandate vaccination but can still choose to make it mandatory for entry, in which case users can view a visual confirmation of their vaccination status in the app.
For these cases, the digital certificate contains a barcode, separate from the QR code check-in system, that can be scanned with the mySA GOV app on another device to verify the certificate.
Leigh Brenecki, the software developer chairing PyConline AU 2020, told InDaily the barcode helps secure the system, but must be easy to use and understand.
Brenecki said the Victorian version was a little slower but was able to provide verification even when the servers were down, while SA’s barcode verification only works when online but is faster, meaning people are more likely to use it.
“But I have an SA digital driver’s license that uses the same technology and no one has scanned it either,” he said. “So they’ve set everything up for success from a technical standpoint, but businesses really need to make sure they scan the code and know how to do it and understand when it comes to detecting fraud. Just looking for a green tick isn’t enough.”
Nelson is on the same page, noting that few people actually scan to confirm proof of vaccination in the interstate apps.
“No one actually scans these – so in practice no verification is actually done…unless they’re all designed for people to actually scan verifiable QR/bar codes,” Nelson said.
Other developers have managed to create their own versions of status check-in apps from scratch, along with recreations of the hologram animations that are supposed to guarantee authenticity.
Nelson added that even a completely secure implementation would not prevent vaccine certificate counterfeiting, but South Australia’s federal government readily accepts fake PDF file versions of the vaccine certificate.
“The real problem is that the lowest common denominator is acceptable,” he said.
“A fake PDF can be used to enter a venue – so a fully verifiable system that the SA does is almost pointless.”
Software developer Jim Mussared, who can simulate vaccination status in the Service Victoria app in less than 10 minutes, told InDaily the problems at the state level ultimately resulted from mistakes made at the federal level.
“It’s not the state’s fault – all this should have been avoided if Medicare (Australian Services) had issued digital signatures with all types of vaccination certificates,” Mussared said.
“The PDF should also have a QR code that can be added to the Medicare Express app and Google Wallet / Apple Pay. Status apps could then directly upload these signed certificates.”