Pictures of cats, Mickey Mouse, even a takeout menu from a BBQ restaurant: Users of New York City’s COVID SAFE app have discovered they can upload just about any photo into the new vaccine verification software.
Though the app only debuted this week, its vulnerabilities have come under scrutiny as the city announced a new policy to require proof of at least one dose of a COVID-19 vaccine for entry to indoor dining, gyms and entertainment performances.
“The New York City app is nothing more than a glorified photo storage app,” said Brian Linder of cybersecurity research company Check Point. He added, “When someone shows a picture of a card in this app, it's believed that it's real, but there's absolutely no verification of it whatsoever.”
As I explained to @WNYC today, New York City's new #NYCCovidSafe app isn't exactly cutting edge technology. It accepted this portrait of Mickey as proof of vaccination.
We need to get New Yorkers vaccinated, not another City Hall PR stunt.
Listen Here: https://t.co/GRGIWtuK2j pic.twitter.com/O1wS73FbGV
— Albert Fox Cahn (@FoxCahn) August 2, 2021
City officials said it’s up to the staff at restaurants, gyms and event spaces to verify the authenticity of the pictures in the app--no different than bouncers checking drivers’ licenses at bars.
“The NYC COVID Safe App was designed with privacy at the top of mind, and allows someone to digitally store their CDC card and identification,” Laura Feyer, spokesperson for Mayor Bill de Blasio, said in an emailed statement. “Someone checking vaccination cards at the door to a restaurant or venue would see that those examples are not proper vaccine cards and act accordingly.”
Have replicated @FoxCahn’s test.
— Cyrus Farivar (@cfarivar) August 3, 2021
Other acceptable proof of vaccination status under the city’s policy include the paper cards issued by the Centers for Disease Control or the state-run Excelsior Pass, which taps into a database built on blockchain technology. That’s the same platform used to secure transactions of cryptocurrencies like Bitcoin. Those vaccinated outside of New York can show the relevant state or country’s proof of vaccination, de Blasio said earlier this week.
Not sure about this app https://t.co/rZRiCfs28k pic.twitter.com/215EPVROzD
— turbovax (@turbovax) July 30, 2021
But the COVID SAFE app creates an opening for a black market based on fake vaccine cards. While a bill criminalizing the falsification of vaccine records under state law is now awaiting Governor Andrew Cuomo’s signature, the opportunity for fraud is rampant on many levels.
“It’s never been more urgent that we protect this process from fraud, so that the health and safety of the public isn’t compromised by bad actors using fraudulent vaccination cards or passports,” said State Senator Anna Kaplan (D.-Long Island), who introduced the bill in her chamber earlier this year. “The ‘Truth in Vaccination’ bill that I wrote will serve as a strong deterrent to prevent people from lying about their vaccination status, and it needs to be signed into law without delay.”
For example, the COVID Safe app’s dependence on photo evidence relies on users submitting clear pictures of their cards. Friends who want to bypass the system could simply share a valid card among each other and hope that a bouncer doesn’t notice.
“I think it's...very hard to read, especially if you're taking a picture and it could be blurry,” said Saoud Khalifah, chief executive officer of Fakespot which tracks online retail scammers. “It's just not a scalable solution.”
Fake vaccine cards thrived on the dark web, Etsy and other online forums early in the nation’s vaccine rollout.
“We saw this quite dramatically in the beginning where these cards were for sale — you could pay anywhere from a couple bucks to more to buy an actual real looking card, physical card on a place called the dark web,” Linder said. “Now today, again, you could use Photoshop to create one and load it in the [COVID SAFE] app.”
But the security of the personal information may also be vulnerable on the apps themselves, Linder added, even with the Excelsior Pass built using IBM’s blockchain technology.
“Now you have personally identifiable information and an app that is completely unvetted and auditable, but creates a false sense of security, maybe for a restaurant owner or even somebody at the airport or train station or wherever,” Linder said.
Some would-be users of the Excelsior Pass have also reported problems verifying their vaccination status, especially if they received their doses from private doctors or pharmacies that may not have uploaded the right information to the state’s network.
Khalifah said the Excelsior Pass’s blockchain technology also isn’t as transparent as it could be.
“So usually, blockchains are public. And they provide a place where you can get consensus between different computers all around the world, and an open kind of platform,” he said. “In this case, this is closed, and it's private. And we don't really know what's happening behind the scenes.”
A request for comment from the state Department of Health was not immediately returned Friday.
The additional hurdles for using the Excelsior Pass may drive people to use the city’s less-reliable app instead, Linder added.
“If people are unable to do that, or if they didn't actually get vaccinated, they simply use the New York City app, which is literally so easy to fake,” he said. “Why would anyone bother with a digitally fair, digitally verifiable app, when I can simply upload a picture of what looks like my fake vaccine card into the New York City app that they're using?”