IATA Travel Pass Privacy and Security Analysis Explained
On April 13, the Citizen Lab published an analysis of the IATA Travel Pass. In this article, we discuss the significance of the report’s findings.
What are the main technical and political conclusions of this report?
The IATA Travel Pass (ITP) check-in process is faulty. The flaw allows an attacker to create an ITP account by impersonating any person, while only needing the victim’s passport details, not the passport itself. This flaw is currently worked around by requiring users to present their physical passport each time an ITP account is authenticated at a physical location.
ITP uses “Sovrin” blockchain-based technology to verify the validity and authenticity of digital COVID-19 test reports provided by users. Sovrin enables entities to issue tamper-proof digital evidence and independently verify it. However, in ITP, most if not all issuers (COVID-19 testing labs) rely on the same cloud-based web application centrally managed by Evernym, a Sovrin technology provider. With this design, it is technically possible for Evernym to issue valid digital proofs on behalf of labs without their knowledge. This is one of the flaws we show, in which the design of the ITP system negates the benefits provided by Sovrin, a decentralized blockchain system.
This report reveals a vulnerability in the IATA Travel Pass application that is the result of an intentional design decision. Does this mean that the developers did not foresee this problem? Or was convenience prioritized over security?
From our correspondence with IATA, it appears they were aware of this issue when making the decision.
The developer was faced with two options, each with different drawbacks:
- Sending user information (passport details and liveness test captures) to the server for verification will yield reliable verification results, as the user cannot interfere with the verification process. However, this means that the server has to deal with very sensitive user information. This increases the possibility of a data breach.
- Verifying user information on the phone itself makes it much easier for the user to interfere with the process, resulting in a faked result, as we have demonstrated. Since the result is not reliable, verifiers must instead rely on other sources for verification. IATA said physical passports are currently required to verify user identity at COVID-19 testing labs. Verification of physical passports is of course secure, but also eliminates the need for digital passports, as they intend to serve the same purpose (authentication of user identity).
As we have shown, the developer chose the second option.
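The two options above, modelled as an added example (not code from the report or from ITP): the phone-side design is reduced to a client-asserted "verified" flag, and the server-side design re-checks a signature over the passport details. The HMAC key, the field names and the passport data are constructed stand-ins; a real ePassport chip carries an asymmetric signature from the issuing state, checked against that state's certificate.

```python
import hmac
import hashlib
import json

# Stand-in for the issuing state's signature over the chip data. A real verifier
# checks an asymmetric signature with the issuer's certificate; a keyed hash with a
# constructed key keeps this example self-contained.
ISSUING_AUTHORITY_KEY = b"constructed-issuing-authority-key"


def canonical(details: dict) -> bytes:
    return json.dumps(details, sort_keys=True).encode()


def chip_signature(details: dict) -> str:
    """What a genuine passport chip carries; only the issuing state can produce it."""
    return hmac.new(ISSUING_AUTHORITY_KEY, canonical(details), hashlib.sha256).hexdigest()


def enrol_client_verified(submission: dict) -> bool:
    """Option 2 (ITP's choice): the phone verifies and the server trusts its verdict.
    Whoever controls the app controls the flag, so passport details alone suffice."""
    return submission.get("passport_verified") is True


def enrol_server_verified(submission: dict) -> bool:
    """Option 1: the server re-checks the chip signature over the submitted details.
    The cost is that the server now receives the sensitive details it must protect."""
    details = submission.get("details")
    sig = submission.get("chip_signature", "")
    if not isinstance(details, dict) or not isinstance(sig, str):
        return False
    return hmac.compare_digest(chip_signature(details), sig)


# Constructed sample data.
VICTIM_DETAILS = {"number": "X1234567", "name": "DOE, JANE", "dob": "1990-01-01"}

# Details only, no passport in hand: the flag is simply asserted by the client.
details_only = {"details": VICTIM_DETAILS, "passport_verified": True}
# Genuine enrolment: the app read the chip and forwarded the signed data.
with_chip = {"details": VICTIM_DETAILS, "chip_signature": chip_signature(VICTIM_DETAILS)}

if __name__ == "__main__":
    print("client-side, details only:", enrol_client_verified(details_only))  # True: the flaw
    print("server-side, details only:", enrol_server_verified(details_only))  # False
    print("server-side, genuine chip:", enrol_server_verified(with_chip))     # True
```

The server-side variant rejects the details-only submission because the submitter cannot produce the issuer's signature; the price, as the report notes, is that the server now handles the passport data itself.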
ITP uses blockchain technology, but part of the verification process is outsourced to a single vendor, seemingly negating the benefits of a decentralized system. What challenges does this present?
Sovrin, which is a decentralized blockchain ecosystem, allows entities to issue, transmit and validate digital evidence, without the need for any centralized authority. Compared to centralized ecosystems (such as mainstream social media websites), a decentralized system tends to be more resilient to cyberattacks and network outages because there is no single point of failure. Failures (such as outages and data breaches) only affect the node (entity) itself, but not others. Decentralized systems are also less prone to monitoring because monitoring just one node would not provide data on the others.
In a decentralized system, each entity must keep operation and maintenance in its own hands, because outsourcing them also hands over control, which defeats the purpose of decentralization. This is one of the issues that our research has highlighted with ITP.
The decision to outsource the operation and maintenance of laboratory systems was likely driven by resource constraints, as a single laboratory would have far less information technology capability than a technical service provider. A single technical service provider operating systems for multiple laboratories is also likely to incur a lower overall cost than each laboratory operating its own systems.
This dilemma presents a challenge in choosing between decentralized and centralized system architectures. A centralized system consolidates control and responsibility to a central authority, which could take advantage of economies of scale to operate an efficient system, while keeping operating costs low for most users. A decentralized system distributes control and responsibility to each participant. Without depending on a central authority, each participant must now assume more responsibilities. Weighing these pros and cons is a central challenge when choosing between decentralized and centralized system design.
The design of the ITP system is hybrid. Its current low-level system architecture is decentralized; however, it is encapsulated by a centralized high-level interface. If operated through the centralized interface (which is currently how most participants use it), the system has the same set of security and privacy properties as conventional centralized systems.
What implications does this report have for travelers using the IATA Travel Pass?
The ITP’s “digital passport” feature is only intended for use when registering with laboratories, not as a replacement for physical passports. When registering with the labs, the physical passports must be cross-checked against the digital passport, as the design flaw in the ITP system allows digital passports to be issued without possessing the physical counterpart.
Travelers can already expect their passport data to be shared with labs, as a consent form is displayed in the app. They can also expect their data to be processed by the laboratory’s technical service provider. However, they may not have expected that the labs’ technical supplier, Evernym, would also be in charge of developing the ITP application and be an IATA contractor. These relationships create trust issues, as it is technically possible for IATA to demand user passport data from Evernym.
What implications does this report have for companies looking to adopt, or have already adopted, the IATA Travel Pass?
Despite using a decentralized blockchain technology, Sovrin, under its hood, ITP has implemented a centralized interface to encapsulate Sovrin. This centralized interface is used by laboratories. If operated through the centralized interface, the system has the same set of security and privacy properties as conventional centralized systems.
Instead of labs, Evernym actually has the ultimate control to issue COVID-19 test reports, as labs delegate their private issuer keys to Evernym for easy management.
Software for issuing and verifying digital COVID-19 test results is implemented by the same vendor, Evernym. This creates a conflict of interest, as Evernym must now ensure that all digital test results are delivered correctly (i.e. the software does not leak the issuer’s private keys and results are only issued on instruction from the laboratories), while also being the entity that produces the software used to verify whether published results are trustworthy.
It is not guaranteed that the digital passport produced with ITP contains the same information as the physical counterpart from which it is derived. A digital passport could also be produced with arbitrary data, without needing a physical passport at all, due to ITP’s design flaw. The digital passport should be treated as an unverified copy of its physical counterpart.