NY’s Vaccine Passport Security
I was going to write a post on how to hack the NY vaccine passport even if you've not been vaccinated. Some smart people (my wife) advised against it. So, I pivoted and am simply sharing some observations about how poorly the app is conceived in light of rational human behavior.
If everyone is doing something, that doesn’t mean it’s right. As my wise grandma used to ask, “if everyone was jumping off a bridge, would you jump off the bridge?”
However, when it comes to application security, you can’t ignore what everyone is doing either. Human behavior is a paramount factor in designing secure apps.
Human behavior is a paramount factor in designing secure apps.
I have recorded my session for APICON 2021 (April 13-15, 2021: register). When I speak, I always talk about something topical. Something recent, but technology related, that's happened in my life. Partly because I think it’s a great speaking/relevance technique, partly because my brain wanders and it’s less “painful” to let it wander and redirect to the key theme than to reign it in.
Observe human behavior
In my session, I mention briefly a couple of observations about NY State’s brand new covid passport app:
- We had over a year to prepare for vaccine passports (longer if you imagine that it’s got to be a part of the overall abstract pandemic planning process).
- It’s insecure.
- It’s not iOS-friendly.
Point #3 is one I make often, and not my session's topic. It has to do with customer experience, and is simply the observation that if you’re writing something to be cross-platform, you’re prioritizing YOU vs ME. Because I (and most users) pick a platform and use it exclusively.
Your users don't care about cross platform compatibility, your developers do.
It’s point #2, and really point #1 that I care about in the context of API- and application-security.
Again, I turn to observations.
Since the vaccine roll-out has started people have been posting their vaccine cards to social media. Some people cover the ID number on them... but mostly they’ll say something like “got shot number one today” or “now it’s all about the waiting” (meaning, shot #2 is complete). Many people even discuss which vaccine they received as part of the conversation around side-effects.
Well... guess what information NY requires in order to create your vaccine passport?
Yep, exactly and only the information people are sharing.
Is it better to be right, or for the solution to work?
As a security expert, you probably think that people are crazy for sharing that information. And you would be correct.
As a lawyer, you probably looked at the terms and conditions posted on the website warning people about sharing information. Those terms protect the wallet vendor, NY, etc.
However, our goal is to stop/mitigate the pandemic. And, if people can easily forge a vaccine passport, that works against the goal.
The security people are “right”. The lawyers are “right”. And yet the solution is not in alignment to the goal (often called the "business objective).
All because of user behavior.
Are you observing your customers in the wild and informing your solutions? Or are you ignoring human behavior and just checking all the right boxes?
To see more about this conference, my topic, and eventually recording and materials, head over to the event's post on this blog. I'll be updating that page regularly until the event is over. You can subscribe (for free) too and receive updates in your inbox.
