Vaccine passports: Reimagining their cybersecurity

vaccine passports, digital vaccine certificates
© anolkil

Jonathan Jackson, BlackBerry, looks at how vaccine passports and digital vaccine certificates could work – while facing off with cyber-criminals across the world

The UK’s roll-out of the COVID-19 booster vaccines is the latest move in an effort to stave off new variants like Omicron, while allowing the UK’s society and the economy to remain open in the eyes of the world.

Although the UK government scrapped original plans for new verification methods such as digital vaccine certificates, the reopening of international borders and venues has quickly led to a worldwide discussion about the necessity of a vaccine passport system.

We have seen the launch of EU’s digital vaccine passport, as well as plans for Japan to have its vaccine passports accepted by over 10 nations within just two months. Australia, for its part, has recently updated the Medicare Express App to include digital vaccination certificates.

Soon, citizens globally are likely to be required to show a valid digital vaccine certificate when accessing certain venues. But questions and anxiety around the security and privacy of data with the use of these vaccine certificates, and related contact tracing applications, are beginning to surface.

Understanding security and data privacy anxiety

It’s no secret that threat actors have been quick to pivot and capitalise on the trends arising from the COVID-19 pandemic to conduct malicious activities. They have tailored their phishing lures, which involves targeting towards things like the vaccine supply chain or offering people quick access to the vaccines at varying prices. For instance, fake COVID-19 certificates are now being sold on the darknet for as little as £25.

There is little doubt that the widespread digitisation of these vaccine passports will offer value to those wishing to profit from this new scheme via fake applications and QR code verification systems. Cybercriminals can easily do so by intercepting the traffic to direct unsuspecting users to another system, such as phishing websites or applications that give a fictitious reading.

In fact, I was personally able to download a fake Android version of the NHS COVID-19 app, that provides made-up check-in verification without any tracking data synced to a government system. A similar trend is happening in Australia, wherein links for downloading fake check-in apps are circulating on the web and mobile messaging groups, to circumvent existing contact tracing measures.

can also expand their attack surface by setting up fake email addresses and phone numbers purporting to be from a legitimate government agency or healthcare institution, asking other individuals to apply for a vaccine certificate in countries such as the UK and India.

Simply put, threat actors are leveraging the demand for vaccine passports to illicitly obtain information, hijack accounts and sell personal identifiable information using their old tricks. As vaccine passports are expected to become a permanent fixture in the future of travel and accessing venues, not being able to detect and stop these threats can hinder a governments’ ability to stop the spread of the virus and is opening a new underground market for cybercriminals to exploit for illicit gains.

Protecting vaccine passport data through mobile security

While the vaccine passport applications being developed by governments will likely be secure, there is the risk of users falling victim to other malicious applications that they may have inadvertently installed on their mobile devices.

Because mobile devices are now a staple feature in both personal and business activities – with more people having transitioned to working from home – it is critical for employees and businesses to prioritize mobile security, whether the mobile device is company- or employee-owned. Mobile malware is becoming increasingly common and could allow threat actors to potentially access sensitive PII stored in a vaccine passport application on an infected device. In most cases, simple solutions can provide improved protection and promote cyber resilience:

  1. For users, they must be more vigilant on the links that they access or applications that they download from the web, by checking the legitimacy of the source and exercising caution when sharing PII on the web. If possible, having a mobile threat defense or antivirus solution running on their devices which can detect malicious activities that are trying to gain access to their information, also serves as an additional layer of defense.
  2. For businesses, a zero-trust security strategy should be implemented to continually verify each user and device, as well as limit access to their critical assets.
  3. For governments and developers of mobile applications, specifically for vaccine passports or collecting vaccination data, having systems in place to ensure security and privacy of data are important as wide-scale rollouts gather pace in the months or years ahead.

Looking to the future

While countries around the world are looking at vaccine passports as the ‘door opener’ for a return to normality, we must remain stringent, preventing threat actors from using this as an opportunity to take advantage of the pandemic.

There has been very lucrative threat actor activity over the last 18 months, with individuals being increasingly susceptible to cybercrimes during this time of instability. Cyber criminals are, without doubt, leveraging this vulnerability to redesign their attacks.

Looking through a technological lens, for the implementation of any vaccine passport scheme to be successful, some basic principles must be adhered to: any scheme must be privacy-preserving and secured by design. If these needs are not met, the “normal” to which we are all so ready to return will be put at grave risk.


Please enter your comment!
Please enter your name here