Sep 15, 2021 I made a fake COVID-19 vaccine certificate

Here it is. It took me about five minutes.

Left to right: the forgery I created, my genuine COVID-19 certificate, and the forgery Yaakov created.

How Apple Wallet passes work, and how I forged mine

This is the technical bit. If you’re just interested in what this means and how it could be fixed, skip to How the government could fix the problem.

An Apple Wallet pass is just a Zip file with some images, a JSON file containing the text to display, and a signature. (If you’re double-vaxxed, you can open up your pass in the Wallet app, copy it to a Mac using the share button and AirDrop, rename the .pkpass extension to .zip, open it up, and have a look at what’s inside.)

The contents of my (genuine) COVID-19 vaccine certificate

About that signature: you might be thinking that’d stop forgeries, but that’s not why it’s there. There’s no way to tell which developer ID signed a pass from within Apple Wallet; the app doesn’t show you which developer ID was used to sign a pass, and there’s no restriction or validation of the names and logos and whatever else on a pass.

That means, if you have an Apple Developer Program membership (or a spare $150), you can grab your COVID-19 vaccine certificate, change the name to whatever you please, re-sign it with your own key pair, and hey presto! My friend Yaakov does have an ADP membership, and I mentioned this experiment to him in a conversation. Five minutes later, while we were still talking, he had a forgery.

The thing is, I don’t have an ADP membership, and I still managed to create a forgery.

That’s because there are multiple third-party apps that let you create your own pass with whatever information you want; they’ll then generate the pass with their key pair. These apps have legitimate uses—I use them to add loyalty cards that aren’t natively available for Apple Wallet. This also means that the bar for forging these passes is even lower; you can do it without even knowing what “JSON” means.

I’m not going to tell you which app I used. I want to prompt discussion about how this system could be improved, but I don’t want to make it even easier than it already is for the anti-vaxxers (especially since it’s already hilariously easy).

Is it a pixel-perfect forgery?

Not quite. The big blob of terms and conditions on the back is missing, because the app I used didn’t let me add more than four fields on the back, and if you put them side by side you can see that the logo is slightly smaller for reasons I’m not quite sure of.

That said, if I wanted to pour a bit more time into this I could probably find an app that would let me create a pixel perfect forgery. If I wanted to drop $150 on signing up for the Apple Developer Program, I also could do what Yaakov did and just alter the name and ID numbers on my genuine pass, and re-sign it using my own key pair—his was a pixel perfect forgery.

Left to right: the “back side” of the forgery I created, my genuine COVID-19 certificate, and the forgery Yaakov created.

Nine News’ Kate Creedon reported on fake vaccination certificates just like the ones Yaakov and I were able to produce being sold on Telegram. At the time her segment went to air, those were probably produced using the flaw that developer Richard Nelson found in August and demonstrated in the same segment.

(As an aside, those “security measures” Hank Jongen mentioned in that clip? Aside from being forgeable themselves, they’re also not present in the Apple Wallet cards we’re talking about here, just the Medicare app.)

Assuming the government has fixed that flaw, the professional forgers have probably switched to the method Yaakov used; Richard says they’re now selling for around $270, which would still let them buy a new ADP membership for only one or a few passes, while still making a profit.

Meanwhile, given that the method I used to make my own forgery has almost zero financial or technical barrier to entry, there’s probably anti-vaxxers already using it for themselves and their family and friends.

Can Apple fix this?

Maybe. Apple could revoke the signing keys of every app that lets you produce arbitrary Apple Wallet passes, or insist that the makers of such apps do some sort of filtering to prevent things that look like they could be a COVID-19 pass, or add filtering to Apple Wallet to only allow things that look like they could be a COVID-19 pass if they’re signed by a limited allowlist of keys.

They could also try to proactively hunt down every key pair that’s being used in this way and revoke them. They’re probably disinclined to spend significant amounts of engineering and administrative time to clean up after the Australian government once again not doing an IT project properly, but they could, I guess.

What Apple can’t do is proactively tell when a key pair is being used to sign fake passes. The key pair is issued before the pass is created, and the process doesn’t contact Apple’s servers at any point from then on.

How the government could have done it better

The government have focused on things like flashy animations (easy to forge) and IDs (how do you even check they’re not just random numbers?), forgetting one key principle: if someone has a device, they have complete control over that device. The best they can do is make forgeries slightly harder. Meanwhile, the overworked customer service staff that are going to be tasked with checking thousands of these a day won’t be looking for much more than a green rectangle with a tick in it. They’re in an arms race, they’re moving slowly, and there’s money to be made in beating them; they’re not gonna win.

Instead, they should introduce a second device that the verifier can trust. EU vaccination certificates, just like SA and NSW drivers’ licenses, have a barcode which someone else can scan using a government issued app on their own phone to verify.

There’s a chain of trust here. If the verifier has their own phone, and they trust the government that published the app, and the app store they downloaded it from, they can scan the barcode and trust the result, even though the pass holder’s device isn’t trustworthy.

There are multiple ways of doing this under the hood. They could use public key cryptography like the EU vaccine passports, which means verification still works without a data connection (or if the servers go down). Or they could use a token fetched from a server by the pass holder’s phone and verified with that same server by the verifier’s phone, which makes revoking bad certificates easier.

There are pros and cons to each, but at the end of the day, they just need something that doesn’t require trusting the pass holder’s device; until they do that they’ll always have a security hole big enough to drive a Sydney furniture removalist’s truck through.

Should the government have used blockchain?

No. Don’t be silly.

Will you give or sell me a fake certificate?

No. Get vaccinated.

In closing

Please, please get vaccinated if you haven’t already. All of the vaccines available in Australia are very safe, and effective in reducing your likelihood of getting COVID, going to hospital, dying, and passing it on to others. Vaccination is one of the most powerful tools we have to keep ourselves, our loved ones, and people we’ll never meet safe. The other powerful tool is lockdowns, but they’re far more disruptive to our daily lives and losing their effectiveness with the Delta strain.

But the vaccines aren’t perfect, and not everyone can get vaxxed. To keep ourselves safe we also need the people around us to get vaxxed. So as we move towards a life where proof of vaccination is going to be required for lots of things, it’s worth being mindful that so far, the current vaccine cards are difficult to verify and easy to forge—and maybe write to your local MP and ask them to fix that.