New York Vaccine Passport App Stored Forged Credentials
NCC Group: Users Could Fraudulently Create QR Code, Get COVID Pass
A recently patched flaw in a mobile app that allows New York state residents to acquire and store a COVID-19 vaccine credential did not validate user input properly and stored forged credentials, according to security researchers.
The firm NCC Group says the NYS Excelsior Pass Wallet, which is on the Google Play Store, was patched by the New York State Office of Information Technology Services' Cyber Command Center on Aug. 20, and the currently available version is not susceptible to the issue - although installations that have not been updated can still be used to store forged credentials.
NCC Group Technical Director Siddarth Adukia says the flaw was uncovered amid research on similar mobile passport apps and "would allow an individual to create and store fake vaccine credentials in their … wallet that might allow them to gain access to physical spaces (such as businesses and event venues) where they would not be allowed without a vaccine credential, even when they have not received a COVID-19 vaccine."
A spokesperson for the New York State Department of Health tells Information Security Media Group: “When notified, New York State worked to immediately address this issue and as noted in the report, this has been long resolved. Excelsior Pass is safe, secure, and one of the few verifiable systems nationwide” that is validated against confidential state and city immunization and testing databases.
NCC Group's Adukia says the app can add vaccine credentials to its database by interacting with New York state servers or through scanning a QR code or photo. "In neither case is the credential verified, allowing forged credentials to be added to the Wallet," he says. "Screenshots of forged credentials are included; these may be scanned by the Wallet app and added as a legitimate pass."
If businesses do not properly scan the application or ignore an "invalid pass" warning within the scanner app - and trust a pass physically displayed on a smartphone - they could allow individuals to fake their vaccination status and potentially enter physical spaces requiring valid, legitimate proof of vaccination, the U.K.-based security consultancy says.
“Any fraudulent credential that was created outside of this [platform] would show up as invalid when scanned at a participating business through the Excelsior Pass Scanner App,” the New York State Department of Health spokesperson says, adding that the pass must be cross-referenced with a photo ID. “As with any smartphone app, it is always recommended to keep up-to-date with the latest version available for optimal security and performance.”
"The widespread rollout of vaccine credential passport applications and their inherent security and privacy implications make them a natural area of interest for security research," Adukia tells ISMG, adding that the consultancy is currently analyzing issues in other state-run COVID-19 apps.
"We started with the NYS Excelsior Pass applications as they were one of the first to roll out in the U.S., and we had consultants who live in New York state, including myself, who were personally vested in assuring the security and privacy of the system," says Adukia.
The researcher tells ISMG that NCC Group detected the issue after threat modeling possible attack and abuse vectors against the application and the wider system.
"By reverse-engineering the mobile applications, as well as intercepting network traffic, we examined the applications for possible problems such as information leak, weak cryptography and other common … issues," he says.
Timeline of Events
According to Adukia, NCC Group began the disclosure process by first contacting New York state on April 30. On June 10, the firm reportedly spoke to Excelsior phone support and was directed to the state Department of Health, where "several attempts went unanswered."
From there, NCC Group reportedly contacted NYS ITS Cyber Command on July 16. The office promptly replied, and NCC Group met with members days later regarding vulnerability details and mitigation steps. A patch was released for the flaw on Aug. 20.
"Once we got in touch with the right team, NYS was eager to learn from our findings and implement fixes, and was responsive to our communication," says Adukia. "It's worth noting that secure and privacy-respecting vaccine passports are possible. This finding does not mean that vaccine passport apps are necessarily any less secure than any other app, product or service."
In August, research from the security firm Check Point noted that COVID-19 vaccine certifications continue to be sold on the dark web, and now range from $100-120 per credential. Advertisements for these COVID-19 certifications have been found in groups sometimes reaching up to 450,000 people, the firm says.
Similarly, the FBI has said unauthorized use of an official government agency's seal - including Health and Human Services or the Centers for Disease Control and Prevention - is a crime punishable under Title 18 of the United States Code, with penalties including a fine, imprisonment of up to five years, or both.
'A Much Broader Challenge'
James McQuiggan, education director for the Florida Cyber Alliance, says that too many web-based applications for browsers and smart devices are designed simply to get them operational.
"What ends up missing a lot of the time is proper security controls," says McQuiggan, a security awareness advocate for the firm KnowBe4. "Suppose security is baked into an application with the proper processes for static code analysis, security audits and reviews. In that case, the organization can save resources and finances down the road when they have to fix it and spend a lot more time and money to correct and patch it."
McQuiggan adds: "When it comes to personal health information for healthcare systems and applications, the risk increases significantly, as HIPAA regulations come into effect."