22.07.2021 - In order to test the security of the COVID-19 certificate, the NCSC conducted a public security test, among other things. In its recently published report, the NCSC gives an overview of the vulnerabilities identified so far. The public security test is still ongoing.
COVID-19 certificates have been issued in Switzerland since 7 June 2021. In order to thoroughly test the functionalities and operation of the entire system, including security, various internal and public tests were carried out beforehand.
The internal analyses were carried out before and during the introduction of the COVID-19 certificate by several bodies under the supervision of the NCSC, including the Federal Office of Information Technology, Systems and Telecommunication (FOITT) and the National Test Institute for Cyber Security (NTC).
The public security test means that the system has been subjected to an endurance test by other experts and interested individuals since 31 May 2021.
The launch phase of the COVID-19 certificate is complete and it is now moving into normal operation. The NCSC presents an overview of the vulnerabilities reported so far in a report. However, the public security test continues. Should any vulnerabilities that are not yet known be discovered, they can still be reported to the NCSC at:
What functionalities were tested?
- Systems and their components that receive requests from COVID-19 certificate issuers to create and sign COVID-19 certificates, generate the cryptographic signatures and return the issued COVID-19 certificates to the issuers.
- Services that provide the public keys of trusted certificates to enable decentralised offline verification and to detect blocked certificates.
- Communication systems used to exchange information for verifying the authenticity, integrity and validity of electronic signatures of COVID-19 certificates with corresponding third-party systems, especially within the framework of the "Digital Green Certificate" of the European Union.
- Mobile apps (incl. configuration backends) that can be used by COVID-19 certificate holders to store COVID-19 certificates on their mobile phones.
- Mobile apps (incl. configuration backends) for electronic verification of the authenticity, integrity and validity of COVID-19 certificates.
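The list above describes the two sides of the system: a signing service on the issuer side, and verification apps that work offline from a pre-downloaded trust list plus a list of blocked certificates. The following Go program is an added illustration of that model and is not code from the NCSC, the FOITT or the certificate project. It assumes a simplified JSON payload signed with ECDSA P-256 over its SHA-256 digest; the key IDs, certificate IDs and the blocked list are constructed for the example, and the real certificate encoding, signature format and trust-list distribution are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Certificate is a constructed, simplified payload (an assumption for this
// example, not the real COVID-19 certificate encoding).
type Certificate struct {
	ID        string `json:"id"`  // unique certificate identifier, used for blocking
	ExpiresAt int64  `json:"exp"` // end of validity, Unix time
	KeyID     string `json:"kid"` // which issuing key signed it; a lookup hint only
}

// Signed is the serialised payload together with the issuer's signature.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// Issuer models the signing service: it is the only party holding a private key.
type Issuer struct {
	KeyID string
	priv  *ecdsa.PrivateKey
}

func NewIssuer(kid string) (*Issuer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{KeyID: kid, priv: priv}, nil
}

// Sign stamps the certificate with this issuer's key ID, serialises it and
// signs the SHA-256 digest of the serialised bytes.
func (i *Issuer) Sign(c Certificate) (Signed, error) {
	c.KeyID = i.KeyID
	payload, err := json.Marshal(c)
	if err != nil {
		return Signed{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, i.priv, digest[:])
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: sig}, nil
}

// Verifier models the checking app. It holds only material that can be
// downloaded ahead of time (trusted public keys, blocked IDs), so Verify
// needs no network access.
type Verifier struct {
	TrustList map[string]*ecdsa.PublicKey // key ID -> trusted public key
	Blocked   map[string]bool             // blocked certificate IDs
	Now       func() time.Time            // injectable clock
}

// Verify checks, in order: the key is trusted, the signature is valid
// (authenticity and integrity), the certificate is not blocked, and it has
// not expired. Fields read before the signature check are never trusted.
func (v *Verifier) Verify(s Signed) (Certificate, error) {
	var c Certificate
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return c, fmt.Errorf("malformed payload: %w", err)
	}
	pub, ok := v.TrustList[c.KeyID]
	if !ok {
		return c, errors.New("signing key not in trust list")
	}
	digest := sha256.Sum256(s.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], s.Signature) {
		return c, errors.New("invalid signature: altered or forged certificate")
	}
	if v.Blocked[c.ID] {
		return c, errors.New("certificate blocked")
	}
	if v.Now().Unix() > c.ExpiresAt {
		return c, errors.New("certificate expired")
	}
	return c, nil
}

// Demo runs the cases a verifier must distinguish and returns each outcome
// (nil means accepted). All inputs are constructed here.
func Demo() (map[string]error, error) {
	trusted, err := NewIssuer("ch-key-1")
	if err != nil {
		return nil, err
	}
	impostor, err := NewIssuer("ch-key-1") // different key pair, same claimed key ID
	if err != nil {
		return nil, err
	}
	now := time.Date(2021, 7, 22, 12, 0, 0, 0, time.UTC)
	exp := now.Add(180 * 24 * time.Hour).Unix()
	v := &Verifier{
		TrustList: map[string]*ecdsa.PublicKey{trusted.KeyID: &trusted.priv.PublicKey},
		Blocked:   map[string]bool{"urn:cert:2": true},
		Now:       func() time.Time { return now },
	}
	valid, _ := trusted.Sign(Certificate{ID: "urn:cert:1", ExpiresAt: exp})
	blocked, _ := trusted.Sign(Certificate{ID: "urn:cert:2", ExpiresAt: exp})
	expired, _ := trusted.Sign(Certificate{ID: "urn:cert:3", ExpiresAt: now.Add(-time.Hour).Unix()})
	forged, _ := impostor.Sign(Certificate{ID: "urn:cert:4", ExpiresAt: exp})
	// Same-length edit keeps the JSON well-formed but must break the signature.
	tampered := Signed{
		Payload:   bytes.Replace(valid.Payload, []byte("urn:cert:1"), []byte("urn:cert:9"), 1),
		Signature: valid.Signature,
	}
	cases := map[string]Signed{"valid": valid, "blocked": blocked, "expired": expired, "forged": forged, "tampered": tampered}
	results := make(map[string]error, len(cases))
	for name, s := range cases {
		_, err := v.Verify(s)
		results[name] = err
	}
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"valid", "tampered", "forged", "blocked", "expired"} {
		fmt.Printf("%-9s -> %v\n", name, results[name])
	}
}
```

The order of checks matters: the key ID taken from the unverified payload only selects which trusted public key to try, and the impostor case shows that claiming a trusted key ID gains nothing because the signature still fails. Blocking and expiry are checked only after authenticity and integrity are established, and both rely on data the app fetched beforehand, which is what makes the verification decentralised and offline.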
How many vulnerabilities were reported?
In the most intensive phase of the security tests so far, 136 issues and vulnerabilities have been identified.
They have been classified into the following categories:
- Ongoing: the reported vulnerability is being analysed and a solution to the problem is being prepared.
- Fixed: the vulnerability has been identified and the problem has already been fixed.
- Wontfix: the issue has been acknowledged, but there is no need to make any changes as the development was undertaken according to explicit national or European requirements.
- False positive: a finding turned out to be a misinterpretation on the part of the reporting party.
What conclusions can be drawn from the reported issues and vulnerabilities?
- Number of reported vulnerabilities
The project designed and implemented by the FOITT is of high technical and organisational complexity. Given the extensive amount of code and infrastructure involved, the number of reported vulnerabilities (136) can therefore be considered normal.
- Quality of tests performed and reported vulnerabilities
Both public and internal tests were carried out with great accuracy. The results of both the internal analyses and the public tests were of high quality. A lot of time and resources were invested, especially by the participants in the public security tests, to report possible security vulnerabilities. This will ultimately benefit the entire population.
- Transparency
The findings were regularly published on the NCSC website. Transparency is also of central importance to the NCSC in the context of the public security test for the COVID-19 certificate.
Report:
Last modification 22.07.2021