Israel’s vaccine passport was released on February 21, to help the country emerge from a month-long lockdown. Vaccinated people can download an app that displays their “green pass” when they are asked to show it. The app can also display proof that someone has recovered from covid-19. (Many proposed passport systems offer multiple ways to show you are not a danger, such as proof of a recent negative test. The Israeli government says that option will come to the app soon, which will be especially useful for children too young to receive an approved vaccine.)
The green pass is also a potential privacy nightmare, says Orr Dunkelman, a computer science professor at Haifa University and a board member of Privacy Israel. He says the pass reveals information that those checking credentials don’t need to know, such as the date a user recovered from covid or got a vaccine. The app also uses an outdated encryption library that is more vulnerable to security breaches, Orr says. Crucially, because the app is not open source, no third-party experts can vet whether these concerns are founded.
Cryptographers and information security experts who examined the official mobile app for Israel’s “Green Pass,” a government-validated certificate for Israelis who have received both doses of the coronavirus vaccine, have found a string of flaws that pose a threat to its functionality.
The Health Ministry’s app, called Ramzor (traffic light) in Hebrew, has experienced serious problems since its launch two weeks ago. Complaints about it were reported both in the media and in its customer reviews.
Initially, the app was supposed to be extremely simple and quick but the final product, experts and users say, is heavy and slow, taking up a large amount of memory. Moreover, the choice to use closed (as opposed to open) source code and the lack of involvement by security and privacy specialists have also caused concern among developers. Security experts and cryptographers who examined the app’s code have discovered several problems that cast doubts on the reliability of its verification that someone has been vaccinated.