British tech company VST Enterprises (VSTE) warned airlines and the travel industry in December of last year of ‘Covid related security threats’ prior to the chaotic scenes that unfolded at Heathrow airport (Monday 18th January).
Tech boss and CEO, Louis-James Davis, warned of the very real and serious threats facing airlines, airports, and passengers from fake COVID-19 test certificates, vaccination record cards, social distancing breaches, and the use of health passports with ‘unsafe’ QR and bar code technology. He also warned of the serious implications of potential data breaches using ‘insecure’ code scanning technology in health passports.
Passengers arriving into the UK this week (Monday) were faced with unprecedented scenes at Heathrow airport with long delays, social distancing rules breached, altercations between passengers and border officials, £500 on the spot fines, and passengers being refused entry to flights for holding invalid COVID-19 certificates. The chaos came as the British Government put in place tough new measures for entry into the UK in a bid to get a grip of the pandemic and prevent the further spread of infection. Passengers were required to provide verifiable proof of their COVID-19 negative test result.
VSTE developed and launched the worlds first secure digital health passport called V-Health Passport in April 2020 both for passengers and airlines which authenticates a persons health status including Covid test status and their vaccination records all within a secure digital passport. The V-Health Passport ‘cross border’ technology can be used across all air, land, and sea transport infrastructure. The V-Health Passport has over 200 clinics across the UK where a person can book a Covid test – including a PCR based test – and be recognised as ‘fit to fly’ by all international airlines. VSTE believes its solution can solve the global airline and travel issue.
V-Health Passport will shortly start its roll-out program of secure health passport across a number of airlines and airports globally. In the UK it has already started this programme and is available through its healthcare testing partners Salutaris People and Akea Life both at Newcastle and Liverpool John Lennon airports.
Both healthcare partners also offer full airline travel Covid testing at their own clinics with PCR based testing for airline travel with a V-Health Passport. They also supply ‘home test kits’ which are supervised over Zoom calls.
It is the first company in the world to have a fully functioning and secure live health passport that carries a person’s Covid test status and vaccination record in one secure app. Most importantly the technology is GDPR compliant and was built on a privacy framework of ‘self-sovereign identity’ where the person – or airline passenger – can choose what information they want to share, when they want to share it, and with who. Privacy by design is at the forefront of the V-Health Passport framework, unlike other health passport technologies.
V-Health Passport is a test and vaccine agnostic platform working with all COVID-19 protocols from PCR to rapid antigen and antibody tests which can also authenticate a person’s vaccine immunisation record. V-Health Passport is also the most secure passport technology in the world, unlike bar codes and QR codes which are subject to a process called ‘attagging’ where a QR code can be cloned and faked. Using the VCode cyber coding, it works on a ‘closed-loop’ system with ‘end-to-end’ encryption and has over 2.2 quintillion variations of codes that are subject to many scanning permissions making it impossible to hack the front or back end.
V-Health Passport is 10 seconds faster than any code scanner and can also be scanned within and outside of the safe social distancing of 2 metres, whereas bar codes and QR codes have to be scanned in close proximity of inches. In other circumstances, it can also be scanned up to 100 metres away, allowing for easier crowd and queue ingress and egress.
In addition to the security flaws and close proximity of QR code scanning, another downfall of using QR Code for this type of passport solution is that a user may have to carry hundreds of different QR codes for the same identity use case. Companies who wish to add any form of extra security to the QR code would also have to offer their own app to scan a QR code which may lead to a consumer having to carry 100’s of apps or codes due to the QR codes open-source nature (not being generated from a central source).
Commenting on the chaos around the events at Heathrow, VSTE CEO Louis-James Davis said: ‘The scenes at Heathrow could have been easily avoided by using a secure system such as V-Health Passport. Both airports and the airlines need to move to a secure digital platform technology to ensure the security and faster processing of passengers to verify their Covid status and vaccination records. We have that technology now and it is available for airline passengers and the airlines to download and use today. By using the V-Health Passport technology, a passenger’s valid COVID-19 test certificate could have been scanned further than the 2-metre safe social distancing protocols and up to 100 metres away. This would have allowed for a smooth ingress of passengers coming through border control into the UK verified against their identity. This would have also helped the passengers to maintain safe social distancing and much quicker processing through border control thus avoiding the social breaches which occurred.
‘The V-Health Passport would not only provide border officials and airports with authentication of an airline passengers COVID-19 test status – with both a digital and printed PCR test certificate – but also their vaccination records. The technology also verifies a person’s genuine identity against their existing Government ID adding another layer of security. There has been a phenomenal rise in the sale of ‘fake covid’ certificates, with both Russia and the Middle East seeing the greatest activity and posing a serious threat to global aviation security.
‘Using any open-source technology such as RFID, bar code or QR code with any form of health passport or vaccine card/certificate leaves it wide open to being hacked or cloned, with a person effectively making themselves ‘permanently Covid negative’ and ‘permanently vaccinated’ and allowing them to travel freely. By moving towards a secure ’one for all’ technology-based solution that passengers can use with their phones will not only protect the data of passengers but also the safety of their health. It will ensure that a passenger who is travelling has a valid Covid test result or vaccine immunisation record and ensuring other fellow passengers are safe.’
The V-Health Passport technology has a complete audit trail of a person’s Covid testing, their vaccination records and the clinics where those tests or vaccinations have been conducted. This information is also protected under the ‘self-sovereign identity’ data framework allowing only the passenger to view this information, with officials only able to see a current and valid COVID-19 test or vaccine status in the GDPR display of the app.
With the alarming increase and black market trade in fake COVID-19 test certificates and also vaccination cards and certificates this also puts a very real threat and risk to passenger safety. It poses a threat to airlines and international borders with the potential for a passenger carrying a fake Covid test certificate or vaccination card – who may be asymptomatic – to board an aircraft and infect other passengers. This poses a very real threat to the aviation sector and to Governments around the world as they try to arrest the rate of infection.
It is well documented that bar codes and QR codes can be hacked so any airline who considers using a health passport for COVID-19 testing and vaccination using this method of authentication, risks a serious potential breach of its passenger data. In 2018, British Airways was fined a record £20M for a data breach on 400,000 of its customers which affected their personal and credit card data. It now faces one of the biggest ever group privacy claims in UK legal history as reported in the Financial Times. It comes at a time when security over the use of bar codes and QR codes in airline travel has come under intense scrutiny following the cyberattack last year on the former Australian Prime Minister, Tony Abbot. The former PM had his Qantas airline boarding pass hacked. Details including his passport, mobile phone, and messages between Qantas staff about him were intercepted.
VSTE CEO Louis-James Davis added: ‘We are the first technology company in the world to have developed a secure, multipurpose, cross corporate and cross-government digital health passport that does not rely on using bar codes or QR codes as its authentication technology. Both bar codes and QR codes have huge potential security implications as they can be cloned and hacked with the latter being subject to a process called ‘attagging’. Therefore any suggestion of using this type of technology in a health passport for air travel has very real security risks. Not only is a citizen’s personal information at risk, but their Covid test status, vaccination records, and also their credit card information. All of this can lead to the very real potential of a massive data breach and a person’s personal information and data hacked and stolen. This is of particular concern when using a bar code or QR code technology designed for use to authenticate a person’s COVID-19 testing and vaccinations records.’
Unlike other health passports, V-Health Passport has been designed with a citizen’s privacy front and centre. The technology does not track your live location and provides all data in a secure GDPR compliant framework giving citizens a unique ‘self-sovereign identity’ style technology putting them in control of who, when, and how they share their data.
Louis-James Davis went on to state that both bar codes and QR codes – which represent first and second-generation technology – are insecure and vulnerable to hacking.
‘QR codes were originally developed as a scanning technology for close proximity car parts tracking, a world away from identity and banking use cases and now digital health passports. It was then used to skip the input of websites in marketing and promotional purposes. They were never designed with security or privacy in mind. They are simply not fit for purpose and should not be used at all in any form for delivery of sensitive information, travel or event tickets or health passport.’
QR codes can be subject to a process called ‘attagging’ or ‘cloning.’ The process of ‘attagging’ is where a ‘genuine QR code’ is replaced by a ‘cloned QR code’ which then redirects the person scanning that code to a similar website where personal data can be intercepted and breached. The problem is so serious that in India alone there are over one billion fraudulent financial transactions each day using QR codes. As the scanning user journey is the same, it is only tech-savvy individuals that may notice the domain name has changed.
QR codes can be cloned and redirected to other information points or websites. Often criminals and hackers will exploit this by putting a fake QR code over a genuine QR code. So a QR code, for example, on scanning would link to the genuine website www.similardomain.com, but a fake QR code can be made up, printed off, and placed over the genuine code to redirect to www.similar-domain.com. At this point, the member of the public is tricked into entering their personal information, private data, and financial information. The rogue website looks and feels exactly like the genuine one and is made to mirror it precisely.
VCode, which is the ultra-secure digital code which powers the V-Health Passport, cannot be cloned. Even if it was printed off, or a photograph was taken and placed over a VCode or V-Health Passport it simply won’t scan as it works on a call and response system of information between the code and web platform to verify the location of the code, user ID, time and date, and much more.
V-Health Passport is making a significant contribution to the safety, mobility and return to work of the UK economy, helping businesses and employers return their staff to offices, factories, and warehouses.
VSTE is working with the UK Government and a number of other foreign governments around the world to use its technology. The company is active in multiple industries and sectors including the maritime and aviation industries, construction, and major infrastructure projects, as well as major national and international sporting events. V-Health Passport is also being used by a number of private Covid testing clinics, manufacturers, and healthcare practices.
V-Health Passport is available on the Apple App Store and Google Play by searching for ‘VPassport’ and downloading to your device.