[Interview file] "Is this going to happen?"... 'K-vaccine app' penetrated by college students ②

"It is still possible to modulate."

I had to breathe deeply into the content right above the messenger.

It was only a day, or less than half a day.

After reports of a loophole in the app, the government showed confidence that it would take immediate action.

'As soon as the update is completed, the electronic vaccination certificate app will not be authenticated except for the certificate issued by the Korea Centers for Disease Control and Prevention.'

It was the position that the government directly revealed.

That confidence collapsed again very easily like a poor security system.

The government has explained that it is possible to fundamentally prevent'forgery or alteration' of certificates.

'Forgery' means making it plausible and similar to the real thing.

It's creating a fake new thing that didn't exist.

'Modification' is an operation that changes the contents of a real document.

Wait a minute here, let me go over this concept one more time.

Everyone must have been to the Dong Community Center at least once to issue documents.

I think you may have issued government documents such as'Resident Registration Copy' and'Family Relations Certificate'.

What are the two most important pieces of information in this document?

These are the two names. The first is to whom it was issued. If I say that I have received this document, it will be'Kim Deok-hyun'. The second is who issued it. Based on where our SBS headquarters is located, it becomes the'Chief of Yangcheon-gu, Seoul'. If either of these are unreliable, in other words, if tampered with, this document will of course be forfeited. You can't get a government stamp that certifies'this is true'.

The main thing that I pointed out in the first report last Sunday was'counterfeiting'. Taking the above document as an example, it is not the'Seoul Metropolitan City Yangcheon-gu Office', but whoever issuing it, the government stamped the stamp with a bang.

Now, this loophole is hastily fixed by the government after the report goes out. It adds a verification process to confirm the'issuing entity'.

Unfortunately, I don't seem to have noticed that'modification' is still possible. After confirming that it was issued by the ‘Seoul Metropolitan City Yangcheon-gu Office’, I just stamped the government stamp. Even if I change my name or date of birth at will.

▶ [Exclusive] Even though it was updated... Still vulnerable to'tampering'

I am a person who loves animals.

I was able to prove that the street cat I met by chance while passing by, and the friend's dog I saw a while ago received the vaccine in the hope that I would not get sick from Corona 19.

It was possible through this'COOV' app developed by the government.

To be absurd.

From Children's Day to'Vaccination Completion', that is, those who received all of the vaccination 2 weeks later were eligible for the'Isolation Exemption'.

When entering the country from abroad, if the PCR test results negative and there are no symptoms when in close contact with a confirmed person, there is no need to quarantine.

In the future, these systems for'vaccinated people' will increase further.

Little by little, you go back to your life before Corona 19.

That way, there will be some people who covet the benefits of'vaccinated people'.

But I haven't gotten the vaccine yet, what should I do?

There may be some who turn their eyes to the trade under water.

If you just change your name and date of birth on the official certificate, you can be authenticated.

In the worst case,'I'll sell a Pfizer vaccination certificate for 100,000 won last month', and there could have been a terrible situation where such a ridiculous phrase became a reality.

"The thing you showed is a PC, but there was no case of manipulating it with an app?"

This is a story given to me by an official at the Korea Centers for Disease Control and Prevention, which is the main ministry that develops and operates the'COOV' app. It was a call telling us that there was a loophole in the app.

"It's just implemented on a PC, and if you put a little more effort here, it's possible even if it's not a PC, right?" When I asked this, it was a long silence that came back.

I hoped that the worst of the things mentioned above didn't happen. With that in mind, we contacted the government as soon as possible after verifying that the problem could actually exist on both the first and second days. Secondly, the article went out, and it was necessary to correct the error first by conveying the content.

However, by catching only visible loopholes and saying ``no problem,'' the lax and incompetent appearance, and the passive and easy reaction I explained earlier, I thought I knew why the app security was broken. I felt embarrassed in the past, who believed in'You did some work' and gave me trust.

Apart from disappointment, anyway, after two reports, the loophole in the certification process was resolved. But is there any more problem with the app? Unfortunately not.

In order to'modify', you had to have a formal certificate. This is because I have to import the data in the real document so I can change the content at will.

How did you get this data?

I once summarized the verification process in Part 1 of the report file.

Authentication requires 4 steps, the final process of reading my QR code on someone else's mobile phone.

Here, my certificate data is passed to the other party's mobile phone.

If the other party decides, the official certificate data can be used.

▶ [Report File] "Is this going to happen?"…

'K-Vaccine App' Opened to College Students

Even if you don't directly read the other party's QR code, you can import data.

If you are connected to a network that is less secure, such as a password-less public Wi-Fi, if someone is going through a four-step process, the third party can read enough data transmitted over the network.

The reason why this is possible is in the'QR Code'.

This is because even though it contains personal information including vaccination facts, it is not encrypted.

Anyone can access it without having to do a ton of hacking.

Finding out how your app works and how it communicates is a big hint when trying to attack an app, including forgery or falsification.

At least if the communication is encrypted, you can hide how individuals are connected, what data is coming and going, and what data standards are, but government apps are still vulnerable.

There is a concept called'reverse engineering'. It refers to the process of figuring out the first factor that created this outcome through the final outcome. Taking the'COOV' app as an example, you can find out the source code that created this certificate with the result of a QR code.

In the financial sector, which is particularly sensitive to security, solutions are installed in their own apps to prevent such'reverse engineering' in the first place. The attack difficulty is much higher.

Obviously, government apps should be much more security-sensitive than this. With the start of the quarantine waiver, more than 60,000'vaccinated people' will be able to use the app first, and in the near future 50 million all citizens will use the app frequently. The number of'customers' and their eye level cannot be compared.

I hope you don't have to ask this question again, which I have replied over the past few days.

Where is the government's efforts for proof apps, especially for security, headed?

** This is the end of both articles and both coverage files. However, the coverage of the electronic vaccination certificate has not been finished. Reports on Corona 19 and'K-Defense', including the'COOV' app, are always welcome. (dk@sbs.co.kr / KakaoTalk sbs8news)