“Opinion”: Cyber Hackers Are a Threat to Vaccine Passport Privacy
Australia does not have a Bill of Rights to protect the rights of Australian’s (https://dailyclout.io/letter-from-australia-australias-story-of-demolished-human-rights/) and Australians are blissfully unaware of their human rights. Many International critics see vaccine passports as existential threats to their liberty, skating over several human rights guaranteed in the UN declaration on human rights, which Australia signed in 1948:
- Everyone has the right to leave any country, including his own, and to return to his country (Article 13).
- Everyone has the right to freedom of movement and residence within the borders of each state (Article 13).
Making it clear in no uncertain terms, everyone has the right to travel and is not a privilege bestowed to those who hold a COVID vaccine passport.
Australians really to need to pause and consider how their personal information will be stored on a vaccine passport and the security of QR codes. Will the holder’s medical data have watertight security, impenetrable to cyber hackers? Australian Senator Rex Patrick has already demonstrated how easily it is to forge a vaccine certificate. He actually demonstrated this in a 15-minute video he posted. Europol has warned of forgeries being sold on the black market in the UK and noted counterfeit vaccine certificates are not the only threat, opportunistic cyber hackers are problematic over privacy and security of data stored on a vaccine passport.
Vaccine passports are championed to be the answer to opening up international borders and kick starting the travel industry back into gear. However, not much thought has been given to informing the public about the threat to privacy and security challenges to the proposed vaccine passport system. For example, in the UK the NHS is set to use the NHS phone app as its COVID-19 vaccine passport.
“It will be the NHS app that is used for people when they book appointments with the NHS and so on, to be able to show you’ve had a vaccine or that you’ve had testing. I’m working internationally with partners across the world to make sure that system can be internationally recognized,”
Here lies the problem with digital vaccine passports or app. A universal proposal has not been developed globally. There is no place for easily accessible apps, spliced with others to create a universal vaccine passport and QR codes are not the silver bullet. Why? Because a QR code has all the owner’s sensitive data stored on it on it and is a tempting proposition for any enterprising cyber-hacker. Not forgetting a vaccine passport needs to be internationally recognized, with consistent interpretation of information.
The V-Health Passport, coined the people’s passport, is marketed as a secure global mobile pathway allowing the holder’s digital chain of evidence to be linked with any test, or their vaccination status and if adopted by the NHS, would allow its app to talk to any other system using a uniform pattern,
“It means that someone with a UK-issued digital certificate could get off a plane in France or Japan or anywhere, and the local version of the app could scan their app and get the relevant data from the traveller’s national back-end database.”
Thus, vaccine passports will need to have embedded software to protect their identity and all data used to verify their identity, health and vaccination status, ensuring their medical records will remain private and protected from all privacy threats, Begging the question; Where and how will the vaccine passport data be stored safely and securely (https://www.infosecurity-magazine.com/news-features/security-and-privacy-vaccine/)? Invoking images of a fortified warehouse housing rows of central mainframe computer hard drives.
The European Commissioner in charge of vaccines outlined the necessary requirements for a non-compulsory health certificate, or vaccine passport and has indicated they will be equipped with a QR code to track medical records of European citizens, with health certificates available from websites of the Ministries of Health of each EU country. Whereas, a scanned QR code is user friendly with people already familiar with them, making it easy to verify the vaccination status for COVID-19, of the passport holder and records the origin of the vaccine, if the individual has already been a carrier of the virus, and if they have antibodies. South Australian independent senator Rex Patrick, who has received two shots of the AstraZeneca vaccine, has criticized the design of the passport, stating “I’ve been vaccinated twice, I’ve received a certificate, and within 15 minutes of receiving that certificate, I was able to make a forgery over it”.
“That undermines the certification process”.
Senator Rex Patrick warned the government needs to urgently revise the security measures in its COVID-19 vaccine certificates in Australia, referring to the black market forgeries in counterfeit certificates and COVID-19 test results overseas, with Europol issuing a warning in February that fraudsters had been caught selling counterfeit documents in the UK for up to $200 (https://www.abc.net.au/news/2021-08-04/senator-rex-patrick-forges-covid-19-vaccine-certificate/100346974). Health certificates are going to escalate the use of QR codes across Europe with their convenience and favour for health authorities, the wide acceptance of QR codes will see increasing risk to breaches of privacy and potential data theft from EU travellers. It should be noted that QR codes are not watertight and susceptible to cyberattacks by opportunistic cyber hackers, skilled at embedding malware, substituting legitimate QR codes with malicious ones, which direct users to phishing sites without detection. Simply put, hackers use QR codes to illicitly obtain information, hijack accounts, and steal identities and data (https://www.ivanti.com/blog/eu-covid-19-vaccine-passport-is-certain-to-expand-qr-code-security-risks). The Australian government census requires Australians to complete a national survey every both online and in print on range of issues regarding populations, rent, mortgages, incomes, religion, languages, housing etc and experienced a cyber threat during the 2016 census, when Australians who participated in the 2016 Australian census facilitated by the government census website was subjected to an anonymous malicious cyber-attack on census night (https://www.bbc.com/news/world-australia-37008173). With this event in mind, vaccine passport holders must be mindful of anyone asking them to scan a QR code and to always question the source as QR codes are an easy way to target an unsuspecting user and load malicious apps or attempt to capture sensitive data. QR codes used via the new EU vaccine passport for domestic and international travel in all likelihood will be problematic. In fact, according to the Ivanti study, 31% of respondents have had a QR code misdirect their mobile device to a suspicious site or cause other troubling actions (https://www.ivanti.com/blog/beware-of-qr-code-security-risks-lurking-in-user-mobile-devices). QR codes clearly present a risk, both privately and corporately and a malicious code, brought in by employee mobile devices, can comprise an organization’s digital systems and data.
With the hype around vaccine passports being the way forward to allow domestic and international travel, designers of the digital vaccine passport have their hands full and Australians will need to be conscious about the threats to the vaccine passport in light of recent cyber-attacks and fraudsters counterfeiting vaccine certificates. A universal vaccine passport must be impenetrable to ensure medical information is watertight, ensuring a person’s right to privacy and security is watertight.