Israel’s vaccine drive is making headlines across the world and the vaccination certification that inoculated Israelis receive is supposed to be the country’s ticket back to normalcy.
The so-called green passport is how people who have been vaccinated or recovered from COVID-19 will be able to physically enter the various establishments shut off to those still exposed to the virus. The certificate comes with a QR code that can be scanned to verify its validity – and thus allow the opening of “safe” spaces for those already vaccinated.
Haaretz reported last week that Israel-based cybersecurity firm Check Point discovered that the certificate, which includes information in both Hebrew and English – such as your passport number, ID number, date of birth and date of vaccinations – can be easily forged. The company even provided a video showing officials how exposed the current system was.
The problem is that the Health Ministry website issues the certificates in a way that makes it very easy to fake the barcode. Though the ministry said last week the issue would be addressed, an independent examination by Haaretz has revealed it has not.
This despite the massive risk posed by fake vaccination certificates and the fact that much more secure alternatives exist that allow verification of the document within seconds and prevent forgery.
What did we discover and how can it be addressed?
When you enter the website for issuing the certificate and fill in your details to actually do so – the resulting certificate contains personal details encoded into what is called a QR code. This code can be scanned by any camera and includes text. If we scan the square code then it usually leads to a web address or some form of text.
- Anyone can fake Israel’s vaccination certificate - here’s how easy it is
- One in 1,000 of those fully vaccinated contracts COVID-19, Israeli data suggests
- Pfizer says South African variant could significantly reduce vaccine protection
What the Health Ministry forgot to take into account is that it is possible to make a QR code independently, and have it include any text you want.
For example, I created this QR code. If you scan it using the website or a phone you will find out the secret it hides:
The vaccination certificate code has a very long text constructed this way:
The XXXX is a short code with numbers and letters, and the “very long text with numbers and letters” looks scary. But to tell the truth, it is just a simple form of encoded information. Devoid of encryption or scrambling, this formalization is called Base64, a binary encoding scheme, and it can easily be used to encode and decode any text. It is not some complex encryption mechanism that involves advanced cryptography, but rather just a simple programming scheme that developers use all the time to translate complex data structures into simple text.
Using a decoding system, which is available online for free, one can easily understand the different facets comprising the code. For example, just by decoding the “very long line” and X’s reveals that the "certNum" - the number verifying the validity of the document - is just a number that appears immediately after the word “Vaccine.” This seems to be the only verification this code includes. In other words, just those string of letters and numbers provide they key to verifying the veracity of your vaccine certificate.
Though this may seem technical and complex, any person with even a rudimentary knowledge of code will immediately see how easy it is to forge the certificate this way. All a hacker needs to do is to create an object with their own personal information, to encode it in Base64, generate the text into a QR code and then graft it onto the certificate using a program like Photoshop, or even something simpler.
There are already people offering such forged certificates on the digital black market in Israel. Because it is so easy to create such a document, all you need to do is to enter someone’s details and generate the QR code and then they too can have a seemingly legitimate proof of vaccination though they have not been inoculated.
One would think no other solutions exist, but the rich world of cryptography offers a number of different fixes to this very well known problem.
One would be to use a public and private key system as a digital signature. A digital signature is a well-known method that we already use with to access websites through the world wide web - known as the HTTPS protocol, used to secure online communications and even ecommerce.
Ironically perhaps is that one of the major contributors to this invention is an Israeli – Prof. Adi Shamir of the Weizmann Institute of Science in Rehovot whose warnings against Israel’s decision to use biometric passport in this context were totally ignored by the government. A digital signature is an accepted and familiar way to verify information – as opposed to encryption, which hides the information but does little in terms of provenance.
The signature does leave the information itself exposed, in theory posing a privacy problem; but at least it is possible to verify it – in other words, it makes certain the encrypted document cannot be forged.
This is how the system works: A pair of encryption keys, public and private, is created using mathematical methods. The public key is used only for reading and can be widely distributed – it is no secret at all. The private key is used for encrypting and is kept in secret on government servers. When the vaccination certificate is issued, the ID number and/or the name are encrypted using the private key and the result is used to generate a QR code. Any reader equipped with the public key can open and see the results. But never, as long as the private key remains a secret, can it be forged. People can read the code but they cannot write it. It sounds complicated, but it actually works and is in use all the time (as noted, it is one of the key components of HTTPS we use online).
To put it simply, using this two-pronged system, when the vaccination certificate would be created, the QR code would not contain simple embedded text but rather a digitally signed text, which has been encrypted using the private key. The encrypted text can be read easily, but it cannot be changed or resigned – because re-encryption can only be done with the private key.
Regrettably, asymmetric encryption and digital signatures – which every developer with only minimal experience or computer science graduate knows about – is something that was simply not implemented in Israel’s green passport system, despite being around since the 1980s and despite the fact that it would have been easy to do so.
So, for now the Health Ministry certificates are particularly easy to fake for anyone with a bit of free time and access to a simple graphics program. Meanwhile, a very small change in the way the vaccination certificate is produced can make it completely safe from forgery and easy to verify using simple scanning programs, which can be installed on any smartphone. Instead, this key facet of Israel’s coronavirus exit-strategy is exposed.
The Health Ministry said in response that the present format of the vaccination certificate was intended to provide only a quick and preliminary solution. At the same time, the ministry is examining along with other countries and the World Health Organization the implementation of a universal secure barcode system that would work internationally. When such a standard is defined, new certificates will be issued in the relevant format, said the ministry.
However, this does not seem to address the problem fast enough, as the government expects to rely on the green passport starting on Sunday.