Researcher Hacks Australian Digital Driver’s License

Written by Emma Davis

An expert from Dvuln demonstrated that the digital driver’s license, which has been used in Australia (namely, in the state of New South Wales) since 2019, can be easily compromised and spoofed.


Australian authorities previously reported that, as of 2021, more than half of the state’s 8 million residents were already using the Service NSW app, which displays a digital driver’s license and also offers access to many other government services.


“The driver’s license is securely stored in the new Service NSW app, locked with a PIN, and even accessible offline. This provides additional levels of security and identity theft protection compared to conventional plastic driver’s licenses,” representatives of the authorities stated.

Dvuln’s Noah Farmer now says that he managed to compromise this application using only a Python script and a regular laptop. In the application, he discovered numerous security vulnerabilities that made it easier to change the data in the driver’s license stored there.

In total, the expert found five separate shortcomings in the application. Specifically, it is unlocked with a four-digit PIN, and that PIN also serves as the decryption key for the driver’s license, which is stored in a JSON file. With the help of a Python script and a laptop, Farmer was able to brute-force the PIN in a few minutes and gain access to the driver’s license.

“We also found that the app was not verifying stored driver’s license data with government records and was unable to properly ‘update’ license data. In addition, the application transmits minimal information in a QR code (which can also be replaced) and includes rights data in device backups.

“And this means that attackers or anyone else can change their rights data without having to jailbreak the device,” says Farmer.

According to the researcher, a license altered this way keeps all of the visual security features of the Australian digital license, including the animated New South Wales logo, refresh rate, QR code, moving hologram and watermark. Farmer writes that all this only creates a “false sense of security.”

Representatives from Service NSW, the government agency that runs the app of the same name, told The Register that the problems Farmer found do not pose a threat to users or the integrity of driver’s licenses.

“This issue is known and does not pose a risk to these customers. The blogger [Noah Farmer] only manipulated his digital driver’s license information on his local device.

“Importantly, if the fake driving license is scanned by the police, the real-time check used by the NSW Police will display the correct personal details. Also, after scanning the driver’s license, it will be clear to law enforcement that it is forged.

“The digital driver’s license has been evaluated by independent cyber experts and is safer than the plastic version,” says a Service NSW spokesperson.

The developers insist that an altered license can only deceive a person, for example when someone has to present an identity document and prove their age to enter a bar or rent a car. Using such a license as a full-fledged fake document, they say, will not work.

Farmer describes darker uses for such fakes, including getting prescription drugs in someone else’s name, or identity theft with all the consequences that come with it, like bad credit history and accruing debt in someone else’s name.

The researcher also says that it is not difficult to strengthen the protection of digital driver’s licenses: it is enough, for example, to use the SecRandomCopyBytes function built into iOS, which enhances encryption by generating random bytes, and to prohibit iOS from backing up confidential data.
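The keyspace arithmetic behind the PIN finding and the random-key recommendation, as an added Python example that is not from Farmer's write-up or the Service NSW app. It assumes, hypothetically, that a key is stretched with PBKDF2-HMAC-SHA256 at 600,000 iterations (the article does not say how the app derives its key) and uses `secrets.token_bytes` as a stand-in for SecRandomCopyBytes.

```python
import hashlib
import secrets
import time


def pin_keyspace(digits: int) -> int:
    """Number of distinct all-numeric PINs of the given length."""
    return 10 ** digits


def kdf_seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Time one PBKDF2-HMAC-SHA256 derivation on this machine (best of N)."""
    salt = secrets.token_bytes(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"0000", salt, iterations, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best


def worst_case_seconds(keyspace: int, seconds_per_guess: float) -> float:
    """Time to derive every candidate key once on a single core."""
    return keyspace * seconds_per_guess


def random_key(nbytes: int = 32) -> bytes:
    """Key drawn from the OS CSPRNG, independent of anything the user types."""
    return secrets.token_bytes(nbytes)


def report(iterations: int = 600_000) -> dict:
    """Worst-case exhaustion time per key source at the assumed KDF cost."""
    cost = kdf_seconds_per_guess(iterations)
    rows = {}
    for digits in (4, 6):
        label = f"{digits}-digit PIN"
        rows[label] = worst_case_seconds(pin_keyspace(digits), cost)
    # A 32-byte random key has 2**256 candidates regardless of KDF cost.
    rows["256-bit random key"] = worst_case_seconds(2 ** 256, cost)
    return rows


if __name__ == "__main__":
    for label, secs in report().items():
        print(f"{label:>20}: {secs:.3g} s worst case")
```

Even with deliberately slow key stretching, a four-digit PIN leaves only 10,000 candidate keys, so the derivation cost multiplies a very small number; a CSPRNG-generated key removes the PIN from the key material entirely.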
