Shocker: Australia’s Digital Driver’s License Is Easily Forged
Researchers have uncovered surprising security flaws in New South Wales’ digital license, first rolled out in 2019.
The state of New South Wales in Australia rolled out its new Digital Driver's Licence (DDL) back in 2019, with the ID living in a smartphone app that runs on an iPhone or Android device. Security researchers have since dived in to investigate the technology, finding some concerning flaws along the way, reports ArsTechnica.
Curious choices in the security architecture of the DDL system have left it wide open to tampering. A video posted to YouTube by DVULN demonstrates how it's done. It's a remarkably simple job, and doesn't even require a jailbroken device to run custom code.
First, a backup is created of the iPhone carrying the DDL app using iTunes on a home computer. This backup contains the encrypted files storing the license data. Amazingly, the license data is only encrypted with a four-digit PIN that can readily be brute-forced by a computer. Once decrypted, details like the date of birth, address, or other data can be faked, along with the license photo. It's then a simple matter of re-encrypting the file and restoring the backup to the iPhone.
The DDL app can then be used to display the tampered license data. The app doesn't refresh the license data from the NSW government servers. Instead, it merely updates a QR code that can be scanned by venues like bars and clubs to check validity. When venues scan the QR code, they merely get notified whether the ID is valid or not. As the QR code is from a valid ID, everything checks out. There are no cross-checks as to whether the displayed name, dates, or photos are matching. Thus, modifying a valid ID with a different name and photo can readily create a passable fake.
There's little reason for the system to be so insecure. Apple readily provides methods for apps storing secure data to be excluded from backups, which would stop the hack in its tracks. Similarly, encrypting the data with a properly-secure key instead of a four-digit PIN would make the job much harder, too. Finally, the app should realistically pull down fresh license data regularly, rather than relying on the phone-side copy to be properly secure and legitimate.
The government department in charge of the license rollout, Service NSW, responded to requests from Ars Technica for comment. In a statement, the department noted that "The issue is known and does not pose a risk to customer information," highlighting the fact that "blogger has manipulated their own Digital Driver Licence (DDL) information on their local device." The department also notes that the tampering method will not work against NSW Police, who can readily query the ID database for full license details, rather than simply getting a valid/not valid response from the system.
The department also points out that "altering the DDL is against the law," and has doubled down on claims that the system is "more secure than the plastic card." The statement released reaffirms that no customer license data has been compromised.
However, tech-savvy individuals who aren't shy about modifying a few files on a phone would likely disagree with that. It's certainly a lot more straightforward than traditional techniques of modifying or duplicating traditional plastic licenses.
In any case, there are serious questions to be raised about the quality of work done by those charged with developing the DDL. Encrypting data with a four-digit PIN, and allowing secure files to be backed up are both major faux pas, and should not have passed the independent security assessments arranged by Service NSW. It's likely that some hurried patches will be rushed out to shore up these obvious flaws in short order.
Got a tip? Let the author know: email@example.com