In the coming week, German pharmacies should be able to issue digital vaccination certificates again. This was announced by the German Pharmacists Association (DAV) and the Federal Ministry of Health (BMG) in a joint statement on Friday.
“All pharmacies that so wish will gradually have access to the DAV portal again in the next week so that they can issue vaccination certificates again.” That doesn’t sound like a general release of the service. It is more likely that the DAV will initially release the portal again only for the members of the state pharmacy associations. Guest access for non-members will probably only be unlocked after prior verification.
So far, German pharmacies have only been able to access the interface for issuing digital vaccination certificates via a server managed by the DAV. Pharmacies that are not members of the association must register for guest access.
DAV waves fake pharmacy through
This is where two security researchers came in: They invented a pharmacy, recreated the documents required by the DAV with simple means and, despite their crude forgery, were immediately given access. With this access they could easily issue two valid certificates to a fictitious person.
Martin Tschirsich and Dr. André Zilch deliberately kept their forgery clumsy. They gave an apartment building as the address for their fictitious “Sun Pharmacy” and pieced together the verification documents from templates freely available on the Internet. When logging into the portal for the first time, they simply entered an arbitrary sequence of digits of the required length instead of a valid telematics ID.
None of this reflects well on the security of the DAV portal. If those responsible there had searched for the pharmacy name or address online before sending the access data, the fraud would have been exposed immediately. Apparently no query was made to the Night and Emergency Service Fund either.
It is just as reckless that the registration form accepted any number sequence as a “telematics ID” instead of checking its validity or even comparing the name of the ID holder with that of the pharmacy.
Pharmacists’ association pulls the emergency brake – without need
Confronted with the results of the security researchers, the DAV reacted with surprising rigor. From Wednesday afternoon onwards, without warning, pharmacies could no longer issue any certificates – the certification portal only showed an unhelpful error message.
It was not until Thursday that the pharmacists’ association issued a statement according to which the Handelsblatt had created guest access “using professionally forged documents”. The association now wants to check all guest access before the server can go online again.
In the meantime, the DAV has adapted the statement so that it now speaks of “independent IT specialists”. However, it still speaks of “professionally forged documents”, “whose creation with fraudulent intent is only conceivable with considerable effort and criminal energy”.
Otherwise, the DAV tried to dispel any doubts about the security of the portal in its statement. In the case of association members, all data are listed in the membership directory, which is why their authentication on the portal is “guaranteed at all times”.
The ongoing examination of the pharmacies connected via guest connection has so far “provided no evidence of other unauthorized access”. The DAV therefore assumes that the 25 million vaccination certificates issued so far in pharmacies “have all been issued by legally registered pharmacies.”
Why the pharmacists’ association also blocked the members of the regional associations, despite its assurance that the security problem discovered by the researchers only affected guest access, remains unexplained.
Reopening, although fake certificates are in circulation
The Swiss information portal Watson.ch reported a week ago that genuine German vaccination certificates are being traded in the digital underground. In messenger channels, certificates are offered for 150 to 300 euros. According to Watson, the only possible source of the certificates is the DAV portal.