Introduction to decentralized online identities and how to implement it wrong
IATA Travel Pass (ITP), a global, opt-in app to receive, store, and share digital COVID-19 test certificates for flights, has a critical flaw in its registration process that allows an attacker to impersonate another user. The attacker only needs to know the user’s passport details and does not need to possess the passport itself. According to the IATA, this issue is the result of an intentional design decision to not verify user-provided information on its servers, in order to minimize transmission of sensitive personal data. This flaw is currently worked around by requiring users to present their physical passports alongside ITP.
ITP utilizes a blockchain-based technology called “Sovrin” to verify the validity and authenticity of user-supplied digital COVID-19 test reports. Sovrin is one of many “Self-Sovereign Identity (SSI)” systems. SSI is an emerging technology that aims to replace conventional cloud-based identities with decentralized systems. ITP delegates the most crucial certificate issuance function of SSI to a web application managed by the company Evernym. This design nullifies the advantages brought by a decentralized system.
More specifically, in ITP, COVID-19 test certificates are issued as “verifiable credentials”, which can be seen as digital certificates that support decentralized verification and other advanced features. The weakness of ITP lies in the fact that a web application was used to manage certificate issuer keys, and that the verifier program was developed by the same company as the issuer system. Despite not introducing any direct vulnerability, this design does introduce a systemic weakness by allowing the same authority to issue and verify certificates.
In this talk, the speaker will:
- Introduce basic concepts around Self-Sovereign Identity and Decentralized Identifiers
- Introduce the high-level architecture of Sovrin, a decentralized identity system
- Introduce how Evernym implements a decentralized identity system using Sovrin in ITP, and how ITP implements user registration, issuing digital attestations, and verifying digital attestations
- Explain the shortcomings of ITP’s design, especially how the benefits of decentralized systems are neutralized by Evernym’s centralized management web application, and how this undermines system trustworthiness
Sovrin and other SSI technologies might replace centralized online identity systems in the future, and have the potential to be integrated with systems used by the general public (such as electronic national identity systems). This talk gives an overview of what future online identity systems might look like. By looking at issues in early deployments of SSI, future designers will be able to come up with more trustworthy systems.
The full research report on this topic is published at: https://citizenlab.ca/2022/04/privacy-and-security-analysis-of-the-iata-travel-pass-android-app/

Pellaeon
Pellaeon is a research fellow at The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto. His research focuses on the security and privacy of mobile apps. His previous work includes an analysis of the security and privacy of TikTok and Douyin in 2021, which is often cited by the media.
Pellaeon actively participates in the global digital rights community, and is familiar with the cybersecurity threats faced by civil society organizations. He is also an open source contributor to Nextcloud and many other projects.
Blog: https://nyllep.wordpress.com/
Publications: https://citizenlab.ca/author/pellaeon/
Twitter: @2pellaeon