Episode 230: Are Vaccine Passports Cyber Secure?

In this episode of the podcast (#230) Siddarth Adukia, a regional Director at NCC Group, joins host Paul Roberts to talk about the (cyber) risks and (public health) rewards of vaccine passport systems: how they work, how they can be compromised and what to do about it.


As the world struggles to emerge from the COVID 19 pandemic, countries face one of two distinct challenges. Many poor and developing nations still struggle to obtain vaccines to inoculate their citizens and halt spread of the virus. However, in industrial nations in North America, Europe and parts of asia where vaccines are readily available, a secondary challenge has emerged: how to manage large and strident populations of unvaccinated residents who harbor doubts about the vaccines themselves, or are hostile to government and private sector vaccine mandates. 

In many of those countries, vaccine passports have emerged as a popular tool to help manage the spread of COVID. In much of Western Europe as well as some U.S. states, residents have had to present proof of vaccination to receive a digital pass – often in the form of a QR code – that then grants them access to stores, restaurants and entertainment venues.  

But – like any technology – vaccine passports can, themselves, become a target of those who wish to siphon off sensitive information,  create forged credentials or merely sow chaos and distrust in the passport system. 

That was the case last week after security researchers discovered valid, signed vaccine passports issued in the name of Adolph Hitler and Mickey Mouse were passing checks by state-run vaccine passport scanning apps like Germany’s Green Pass and Italy’s VerificaC19. The forged passports immediately led to speculation that digital keys for signing vaccine passports had been leaked – potentially undermining the entire European vaccine passport system. 

That begs the question of how vaccine passport systems work and what risks exist as countries look to implement vaccine passports to help them curtail the spread of COVID 19 amid populations of vaccinated and unvaccinated citizens. 

To help us understand the vaccine passport landscape a bit better, we invited Siddarth Adukia, Regional Director at NCC Group into the studio. Siddarth recently authored a blog post that explored both the security features and associated threats of vaccine passports. He says that risks abound: from dodgy mobile applications that siphon off sensitive data, to attacks on core passport infrastructure like cryptographic signing keys. 

Check out my full conversation with Siddarth above, or by clicking the download link below.