Services Australia brushes off vulnerability concerns in COVID-19 digital certificates

During Australia’s federal Budget Estimates last year, Services Australia was grilled by senators about various initiatives under its remit, from the COVID-19 digital certificate rollout to the bungled robo-debt scheme.

Of concern to Labor Senators Tim Ayres and Nita Green was the alleged lack of security of Australia’s COVID-19 digital certificates, with both of them criticising the certificate for being easily forged through man-in-the-middle cyber attacks.

Providing responses to the senators’ concerns, Services Australia said it was aware of reports concerning man-in-the-middle cyber attacks via the Medicare Express Plus app, but brushed off the concerns by merely saying such attacks “require significant knowledge and expertise”.

It added that there are currently no vulnerability disclosure programs in place for the digital vaccination certificates, nor any plans to implement one. This is despite security researcher Richard Nelson last year detailing how difficult it is for the private sector and the public to report vulnerabilities in the certificates to government, which Ayres referenced during Budget Estimates.

Services Australia also said the Digital Transformation Agency (DTA) had no plans to consider establishing bounty programs.

“Services Australia takes the integrity of the Medicare system and the Australian
