DALLAS—A few weeks ago, Stephen received a message from a friend with a tantalizing opportunity: an access code that would allow him to receive a coronavirus vaccine that same day.
The best part: He wouldn’t be stealing anyone else’s vaccine but getting a shot before it spoiled, which health experts say is by far the better outcome.
The code was geared toward registration at Fair Park, a “mega center” vaccination site in Dallas operated by Dallas County with the support of FEMA and the U.S. Army. Stephen, who spoke under the condition that his last name be withheld due to concerns about repercussions for jumping the line, did just that: Within four hours, he received a shot in the arm.
But he didn’t get the code through an official channel, raising questions about who’s being plugged into networks of individuals sharing vaccine access codes amid a national rollout plagued by concerns over racial and class disparities. It’s not the first documented case of such codes quietly changing hands. But coming months into a process that is finally picking up steam, what’s going on in Dallas suggests getting a shot in America is still in no small part about who you know.
According to multiple volunteers at Fair Park, access codes were provided by Dallas County to register themselves or others who were eligible using county-issued iPads. Dr. Philip Huang, director of the Dallas County Health Authority, confirmed this, adding that the codes were often used for those who were eligible for a second dose and possessed a valid paper record but had not been able to register online initially.
Stephen, who said he used one of these access codes to get a vaccine, received the code in a message from a friend via WeChat. The friend told him that they knew someone in the Army who had passed along these codes while participating in the delivery and distribution of the vaccines at Fair Park. The message Stephen received alleged that someone in the Army had authorized the sharing of the access codes due to low turnout of elderly individuals, for whom the codes were ostensibly reserved.
Lt. Col. Chris Mitchell, a spokesman for the Department of Defense, told The Daily Beast that, based on what they’ve seen at other vaccination centers, “[Department of Defense] personnel simply process people as they come and administer the vaccines… they have no involvement with the registration process.”
Yet these access codes, according to volunteers at Fair Park and Dr. Huang, have been used on-site by personnel who process incoming individuals who are eligible for a vaccine but have not registered online ahead of time.
Mitchell added that FEMA Region 6 would be better able to comment on the matter and suggested further inquiries be sent their way.
A representative from FEMA was contacted but would not comment on the record.
Stephen shared screenshots of the messages he received and his journey to the vaccination site. He did not qualify for the vaccine as a member of a priority group, nor did he qualify for a shot by volunteering at the Fair Park site, he said.
Dr. Huang, with the Dallas County Health Authority, told The Daily Beast that line-jumping has been a widespread issue, particularly in the early days—and that the county’s tech infrastructure has left it exposed.
“We’ve been addressing it since day one. We started out with a different system, and the very first day it got hacked,” he told The Daily Beast. “Early on, I think City Council members were sending out ways you can get around it. We had to crack down on it.”
Following the hack of the original Dallas County system, a new system, created by the Houston-based technology company Luminare, was adopted. On Monday, the company was profiled in the Houston Chronicle. At least a dozen public institutions use the Luminare system, some of them outside the state.
“Now that we’ve gone to this new Luminare system, we have more controls,” Dr. Huang said.
But Luminare was already in place when Stephen skipped the line, according to screenshots he provided to The Daily Beast. An announcement was made in late January that Dallas County had acquired the software for $600,000.
Now security experts who have reviewed their software said the new system appears to lack basic security protocols to prevent people from brute-forcing access codes.
“This actually affects multiple vaccine distribution programs across the country. This is not just a Dallas issue.”
A Dallas-based white-hat hacker and member of the Dallas Hackers Association who goes by the moniker WhiskeyNeon looked into the Luminare system after this reporter raised concerns about them on Twitter.
Within a matter of hours, WhiskeyNeon said, they were able to generate valid access codes for the vaccine site. They said some codes are single-use, meaning they can only be used once, but others allowed for potentially hundreds of uses.
“This actually affects multiple vaccine distribution programs across the country. This is not just a Dallas issue,” WhiskeyNeon wrote on Twitter.
In an interview, the founder and CEO of Luminare, Dr. Sarma Velamuri, disputed the characterization of the problem as a security vulnerability, instead framing the issue as one of low password complexity.
“I don’t necessarily think this is a security flaw as much as an issue of ongoing education to people, telling them to make complex passwords,” Dr. Velamuri told The Daily Beast.
“In partnership with the city of Corpus Christi, we launched something known as the Save Our Seniors program,” he added. “And what it involved was firefighters and other aid personnel going out in pairs to nursing homes and using an access code that allowed them to register homebound senior citizens.”
A press release by Gov. Greg Abbott says the Save Our Seniors program is now used in 34 counties, including Dallas.
Clients such as Dallas County are ultimately the ones responsible for setting up and managing these access codes, Velamuri continued.
“These access codes are not being given to the end user,” he said. “They’re being given to a volunteer or a firefighter or a police officer, or to someone who is helping.”
Paul Lariviere, a technical director at Security Compass, a cybersecurity company based in Ontario, reviewed the evidence WhiskeyNeon produced. He agreed with Velamuri that it was not a security vulnerability in the sense that there was no leakage of personal information or health information.
However, Lariviere said that Luminare failed to put in place common security protocols.
“Whether asking for a CAPTCHA, or requiring users to wait five minutes after a certain number of failed attempts… [there are] simple solutions that could have been put in place that wouldn’t rely on individual implementers using the strongest passwords available,” Lariviere told The Daily Beast.
While it appears that a combination of factors has resulted in abuse of the program, initial estimates suggest that misuse may be limited. Dr. Huang said more than 90 percent of those who have used the latest FEMA program are from priority zip codes where at least 20 percent of the population is at under 150 percent of the federal poverty level. And Dr. Velamuri said they are capable of doing a backward audit of the program to check for abuse.
“The FEMA effort is specifically to reach underserved communities,” Dr. Huang said.
“It’s disappointing to hear that there are people who have in some ways given access to these codes and are abusing the system.”
Whatever the extent, it seems that a lack of brute-force protections, lax operational security, the switch from paper to electronic records, and low turnout relative to available vaccines have allowed for some individuals to distribute these codes to friends and family.
While Dr. Huang acknowledged that there still appear to be significant problems with the brute forcibility of the access codes, he said Dallas County has faced such security issues since day one and will continue to work to secure the site.
“There was a period when we were moving from paper based to electronic. So everyone who was coming back for the second doses needed to be entered back into the system. And we had, you know, for the masses, a larger number of people have access to the system to register some people,” Dr. Huang told The Daily Beast. “We’ve had people who monitor social media and have caught this.”
Dr. Huang told The Daily Beast that they are aware of the problem and have taken steps to address the issue, such as changing the codes multiple times a day and controlling more tightly those who have access to the codes.
Such problems may no longer be relevant come May 1, the date President Joe Biden has floated for the expansion of eligibility for the vaccine to all who want it. Yet the abuse of access codes suggests that some are willing to go to extraordinary lengths to get access to vaccines in the meantime.
As Dr. Huang put it, “It’s disappointing to hear that there are people who have in some ways given access to these codes and are abusing the system.”