Why visual digital certificates are only secure in theory (so far)
Barcodes and QR codes have long been used to pass on information in a visually coded way. In everyday life, we encounter them on products, on packages or concert tickets. "However, the amount of data that can be encoded in this form is limited. Often, therefore, behind the QR or bar codes there is only a link to an external source, such as a website or similar," explains Gerhardt. If the QR code on the concert ticket is scanned to check whether it has been paid for, then this usually has to be done online by accessing external pages or databases.
Visual digital certificates often look just like a simple QR code. Behind the code, however, there is no link but cryptographically signed data. Such certificates have been in widespread use since the Covid pandemic to enable people's vaccination status to be verified, among other things. It works like this: Vaccination centers send personal data such as name and date of birth, a personal identifier, the vaccination date and information about the type of vaccine to the Robert Koch Institute, which adds a digital signature to this information and issues a corresponding certificate. Vaccinated individuals can pick up this certificate on paper and as a digitally scannable QR code by presenting their vaccination card and ID card at pharmacies and some doctors' offices. This certificate can then be scanned using apps such as the German "Corona-Warn" app. In digital form, the certificate is convenient to keep at hand. The Robert Koch Institute deletes the data once the signature has been created. "The fact that the data is not stored centrally in Germany, but only locally, makes the process very privacy-friendly. It's also more secure against forgery, more sustainable and more cost-efficient, since no authority has to produce forgery-proof printouts," explains Gerhardt.
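The following is an added example, not code from the study or from any real verification app: a simplified model of the two checks a verifier has to make, first the signature on the scanned data, then the match between the signed data and the ID card. The Ed25519 signature, the JSON-plus-base64url encoding, the sample holder and all function names are assumptions made for illustration and do not reproduce the real certificate format.

```javascript
const crypto = require("node:crypto");

// Issuer key pair, generated here for the example. A verification app would
// carry only the issuer's public key and never needs to go online.
const issuer = crypto.generateKeyPairSync("ed25519");

// Issuer side: sign the personal data and pack data plus signature into the
// text that is rendered as a QR code (Ed25519 and JSON are assumptions).
function issueCertificate(data, privateKey) {
  const payload = Buffer.from(JSON.stringify(data), "utf8");
  const signature = crypto.sign(null, payload, privateKey);
  return payload.toString("base64url") + "." + signature.toString("base64url");
}

// Verifier step 1: scan and check the signature. The data is parsed only
// after the signature has been verified.
function verifyCertificate(qrText, issuerPublicKey) {
  const parts = qrText.split(".");
  if (parts.length !== 2) return { valid: false, data: null };
  const payload = Buffer.from(parts[0], "base64url");
  const signature = Buffer.from(parts[1], "base64url");
  let valid = false;
  try { valid = crypto.verify(null, payload, issuerPublicKey, signature); } catch { valid = false; }
  return valid ? { valid, data: JSON.parse(payload.toString("utf8")) } : { valid: false, data: null };
}

// Verifier step 2: a valid signature only proves the data is unaltered; the
// signed name and date of birth still have to match the ID card presented.
function checkAdmission(qrText, idCard, issuerPublicKey) {
  const { valid, data } = verifyCertificate(qrText, issuerPublicKey);
  if (!valid) return "reject: signature invalid";
  if (data.name !== idCard.name || data.dateOfBirth !== idCard.dateOfBirth) {
    return "reject: certificate belongs to another person";
  }
  return "accept";
}

// Constructed sample data, not a real person or certificate.
const holder = { name: "Erika Mustermann", dateOfBirth: "1964-08-12" };
const qr = issueCertificate({ ...holder, vaccine: "example-vaccine", dose: "3/3" }, issuer.privateKey);

// Test helper: the same certificate with the name edited, signature left as is.
function withChangedName(qrText, newName) {
  const [p, s] = qrText.split(".");
  const data = { ...JSON.parse(Buffer.from(p, "base64url").toString("utf8")), name: newName };
  return Buffer.from(JSON.stringify(data), "utf8").toString("base64url") + "." + s;
}

console.log(checkAdmission(qr, holder, issuer.publicKey));
```

Neither rejection case is visible to someone who only looks at the QR code, and the second one is missed by a scan without an ID check.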
In practice, however, the 25-year-old became aware of a problem: "When I wanted to go to a restaurant, for example, I experienced a few times that instead of scanning the QR code and checking my ID, employees just took a look at the code in my app and then let me in. Obviously, that's not a meaningful check. Others did use a scanning app needed for verification and also scanned the QR code, but didn't check my ID, for example." Because a functioning verification process is critical to the security of such certificates, Gerhardt conducted a qualitative interview study to explore why so many mistakes happen in practice. He observed 17 people who were tasked with verifying Covid certificates at their jobs, including theater employees, waiters, retail employees and gym employees, and later interviewed them. "We wanted to answer two main questions this way: How do these individuals verify certificates and why do they do it this way? We also looked at how much the people doing the verification know about the verification process and how it works." The qualitative study is intended to provide approaches to better understand the behavior of users, so that the theoretical security benefits of visual digital certificates can be carried over into the real world as well.
The CISPA researcher was surprised by the results: "The study participants checked the certificates in very different ways. I didn't expect so many variations." Some respondents performed all the necessary steps correctly during the verification process: they scanned the certificate with an appropriate verification app, matched the data displayed in their app with the person's ID card, and also checked that their photo really showed the person standing in front of them. Other respondents also performed all of these steps, plus some unnecessary ones. "For example, some people tried to form a picture of their counterpart and his or her trustworthiness based on their appearances. Others became fundamentally suspicious when presented with a screenshot. Yet that's not really an indication that there is something dodgy going on." Some respondents also showed distrust when they were presented with the certificate in an app they did not know. Other study participants often relied on their own gut feeling rather than proper technical verification when assessing a vaccination certificate, and only scanned the certificates from time to time. Others stated that they basically only looked to see if a QR code was present and did not scan the certificates at all.
"The majority of the study participants didn't know much about the verification process and how it works technically. But that didn't necessarily mean they made mistakes in the process," Gerhardt says. "It was only the other way around that those who understood the process well did not make mistakes." In day-to-day business, the researcher says, other factors are often much more critical to how the verification process goes, for example how time-consuming it is. "Also, some participants told us that their employer didn't provide them with a device to scan and they didn't want to use their personal smartphone to do it. Others, again, didn't know they could simply download the testing app from the app store. They thought the app was only available to official agencies."
According to Gerhardt, all of these misunderstandings also occur because many respondents did not receive information from official bodies on how to check certificates. Better communication and consistent education for people who are supposed to carry out the verification process is, in his view, an important prerequisite for using the technology safely in the future. "Legislators could support that with a legal requirement for compliance." It's also important to equip the verifiers with appropriate test equipment and software, he said. "In addition, they need to know how to handle it when certificates don't stand up to scrutiny." A final important consideration, according to Gerhardt, is the design of verification apps. Some respondents were misled by certain details or even the app's color scheme. For example, some classified a certificate as secure as soon as the QR code was outlined in blue. Others were misled by the "3 out of 3" information on the number of vaccinations, provided in addition to the certificate, into thinking that the verification process had not been carried out correctly. According to Gerhardt, care should therefore be taken in the design of future apps to ensure that they do not carelessly send the wrong signals. "If we improve verification through such measures and the visual certificates are implemented correctly, there are some useful areas of application for them. In addition to digital driver's licenses, for example, electronic prescriptions. They could be digitally signed and securely issued by doctors," says Gerhardt.
The Baden-Württemberg native is thrilled that his paper was accepted at the prestigious USENIX Security Symposium. "The topic was already part of my bachelor's thesis. Together with CISPA researchers Alexander Ponticello, Adrian Dabrowski and Katharina Krombholz, I elaborated it into a full paper for the conference." The 25-year-old is enrolled in the Grad School at Saarland University and, after the preparatory phase, plans to start a PhD program at the university supervised by Krombholz. "I think the topics in the area of Usable Security are very exciting and really enjoyed the collaboration with the researchers at CISPA."