Israel recently introduced its “Green Pass” vaccination certificate, which is a PDF document that serves as proof of that the holder has been vaccinated against coronavirus, or has recovered from the disease with presumed immunity. As NBC reported, with the government claiming that COVID-19 vaccines have been administered to almost half the population, this has led to the reopening of swathes of Israel’s economy, and the start of a return to routine.
400,000 Israelis have already downloaded the vaccination certificate
A source from Israeli Ministry of Health reported that over 400,000 Israelis have already downloaded the vaccination certificate. It is a document resembling an ID card and contains a photo, date of vaccination and a unique QR code which can be scanned to prove the authenticity of the physical document. In the future, it is also expected to allow access to certain venues.
"Green Pass" makes cyber security experts naseous
However, Israeli cybersecurity firm Check Point found a critical flaw with the vaccination certificate. As demonstrated in a Facebook video, it is astonishingly easy for anyone with access to Photoshop or Acrobat, or indeed any image or visual document editing program, to create a seemingly valid document indicating they have received the vaccine and are immune to the virus.
Watch video from https://fb.watch/3S2vZC-l_Y/
The video above has Hebrew subtitles, but the process of faking a document is pretty clear and extremely simple. As Ran Bar-Zik, an expert on cybersecurity, wrote on Facebook “It is easy with a graphics program to change the text on the pass, but the QR code is what looks scary and hard to forge, no? Actually, this is very easy,” He went on to explain that the QR code has no encryption at all, and corresponds directly to a text string, with the holder’s personal information, including name, ID number, and date of vaccination, just as printed on the pass itself.
Questions about digitally signing PDF documents or certificates?
You can learn from the experiences of others to avoid repeating their mistakes. Help iText understand your specific situation and digital signing challenges with PDF certificates or documents, and our experts can advise you on how to proceed without making similar errors.
Digital signing done right with iText
Using a world-renowned PDF library like iText 7 Core could have made the generation and digital signing (or implementing other PDF security measures) of 400,000+ green passes a cinch. If you need to do something similar you can check out our free ebook “Digital signatures for PDF documents” and discover plenty of digital signature examples on the iText Knowledge Base.
Check Point explained to ministry officials, “the current certificate validating vaccination is just a file that can be easily edited by any program that can edit PDFs. To forge it, all an attacker needs to do is create a new and unique barcode - and there are plenty of sites that do this - and graft it onto an existing document with a program and thus create a seemingly valid certificate of vaccination.”
Indeed, the video shows how it can be achieved in barely a minute, using two websites to generate a new QR code and create the fake document. Scanning the specially created QR code would lead to a copy of the falsified image, thus seemingly confirming its validity.
There is already a thriving black market on Telegram, with fake vaccination certificates being offered for around 230 USD.
As mentioned in Haaretz, Israel’s longest-running newspaper, there were other, better ways of doing this:
Cryptographers said simple solutions could be quickly implemented to secure the document. For example, they note using a unique “digital signature” (as opposed to just a scannable code) which would be scannable and could serve as a way to validate the originality of the document.
In response to Check Point’s findings, the Health Ministry stated they were aware of the issue, and that it, and other issues were being addressed.
Digital signing of PDF documents or certificates
Ticket vendors often use HMAC-based tokens to make tickets harder to forge. These tokens are built using symmetric cryptography: they require the issuer and the verifier to share a secret ahead of time. Such an approach is perfectly fine if the verifying party is the same (or closely related to) the issuing party. However, if the relationship between the parties is an asymmetric one, relying on HMAC alone is dangerous, since anyone with the ability to verify tokens can also create valid tokens!
Israel's Green Pass falls into the latter category: since these passes are intended to be used for admittance to venues, venue operators also need to be able to verify their authenticity. On the other hand, it's probably safe to say that the Israeli government wouldn't want them to be able to produce their own Green Passes.
Situations like this call for a solution based on public-key cryptography, which is supported in PDF digital signatures. A digitally signed PDF file can be validated by anyone, without giving them the ability to forge their own copies. Attaching a digital signature to a printed document is also easy: it suffices to include a QR code linking back to a signed electronic copy.
Note: Digital signatures don't work on printed documents (since paper isn’t digital), unless there's a QR code linking back to the signed PDF document.
Will Europe make the same mistake?
EU leaders are currently looking into the adoption of a common approach on the issue, diplomatic sources said. As Euractiv reports.
In an attempt to roll back travel restrictions currently in place across Europe, Austrian Chancellor Sebastian Kurz has proposed to introduce a “green pass” for those who do not pose a health risk.
According to Kurz, three categories of people would be granted such a pass: those who already received the vaccine, those who have already been infected, and those who have been tested very recently.
Deutsche Well reported on the last EU coronavirus summit
Vaccine certificates expected by summer. European Union leaders have met virtually to hash out coronavirus issues. Progress was promised on vaccines, though questions remain over border closings and travel
Governments issue PDF certificates generated with iText DITO
iText DITO, the data-driven, template-based PDF generator simplifies the process of creating and maintaining PDFs. This tool has been successfully used by other government agencies before for PDF certification creation (without being digitally signed). The DABS (Databank voor de Akten van Burgerlijke Stand or Database of Civil Registry Records) project was initiated by the Belgian government and they use iText DITO® to revolutionize citizen certification inside (and outside) Belgium. This cooperative project between the Department of Justice, Department of Internal Affairs (including the National Register), Department of Foreign Affairs, Municipalities and Consulates and many other government departments is an initiative that has been coordinated by the Dienst Administratieve Vereenvoudiging (DAV) or Administrative Simplification Service.
COVID-19 Passenger Locator Forms
Of course, it’s not just digital signing of PDF documents which can be achieved with iText, but also prefilling, data extraction and processing of PDF forms are tasks which are easily accomplished by using iText 7.
Questions about digitally signing your PDF certificates with iText 7?
You can learn from the experiences of others. By sharing these lessons learned you can avoid the same mistake all over again. Help iText understand your specific situation and digital signing challenge with PDF certificates or documents and our experts will advice you on how to proceed.