Australian digital driving licenses can be defaced in minutes
Brute force attack leaves the license wide open for undetectable alteration, but back end data remains unchanged
An Australian digital driver's license (DDL) implementation that officials claimed is more secure than a physical license has been shown to be easily defaced, but authorities insist the credential remains secure.
New South Wales, Australia's most populous state, launched its DDL program in 2019, and as of 2021 officials there said that slightly more than half of the state's eight million people use the "Service NSW" app that displays the DDL and offers access to many other government services.
Now, a security researcher at cybersecurity company Dvuln claims he was able to brute force his way into the app with nothing but a Python script and a consumer laptop. Once inside, he found numerous security flaws that made it simple to alter the DDL stored in the app.
"The DDL is hosted securely on the new Service NSW app, locks with a PIN and can be accessed offline. It will provide additional levels of security and protection against identity fraud, compared to the plastic driver licence," NSW Minister for Customer Service Victor Dominello said in 2019 when the service launched.
Noah Farmer, the Dvuln researcher who found the flaw, challenged that assertion.
Insecure by design
Five separate design flaws were discovered in the NSW DDL app. Combining the flaws "presented a favorable scenario that could be exploited by any would-be attacker or fraudster," Farmer said.
First, and most important for efforts at cracking the app, it only uses a four-digit PIN to unlock, and that code is also the decryption key for the license, which is stored in a JSON file. With a Python script and a laptop, Farmer was able to brute force the app in minutes, giving him access to the DDL.
Additionally, the app never validates stored DDL data with NSW government records, fails to "refresh" license data properly, transmits minimal info in its QR code (which is also alterable) and includes license data in device backups, "which means that attackers or anyone wanting to commit fraud can modify their license details without needing to jailbreak their device," Farmer said.
According to Farmer, all of the security features included in NSW's DDLs, like an animated NSW government logo, refresh rate, QR code, moving hologram and watermark, are retained when making changes to license data, which he said "creates a false sense of trust."
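The missing validation and refresh checks described above can be illustrated with a short sketch. This is an added example, not code from Service NSW or Dvuln: the record fields, the key, the 24-hour refresh window and the function names are all assumptions, and an HMAC under a key held only by the backend stands in for whatever authentication a real issuer would use (a scanner that must verify offline would need an asymmetric signature instead).

```python
import copy
import hashlib
import hmac
import json

BACKEND_KEY = b"constructed-demo-key"  # hypothetical; held by the issuer, never on the device
MAX_AGE_SECONDS = 24 * 3600            # assumed refresh window

def _tag(body, key):
    # Canonical JSON so key order and whitespace cannot change the MAC input.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def issue(record, issued_at, key=BACKEND_KEY):
    """Backend side: bind the licence fields and issue time under one tag."""
    body = dict(record, issued_at=issued_at)
    return {"license": body, "tag": _tag(body, key)}

def check(envelope, now, key=BACKEND_KEY):
    """Backend side: classify a record presented by a device."""
    try:
        body, tag = envelope["license"], envelope["tag"]
        issued_at = body["issued_at"]
        expected = _tag(body, key)
    except (KeyError, TypeError, ValueError):
        return "malformed"
    if not isinstance(tag, str) or not hmac.compare_digest(
            expected.encode(), tag.encode()):
        return "tampered"   # any edited field changes the MAC input
    if not isinstance(issued_at, (int, float)) or now - issued_at > MAX_AGE_SECONDS:
        return "stale"      # authentic, but not refreshed recently enough
    return "ok"

# Constructed sample record, not real licence data.
SAMPLE = issue({"number": "00000000", "name": "Sample Person",
                "dob": "2006-01-01", "class": "C"}, issued_at=1_700_000_000)

def edited_copy(envelope):
    """Simulate a locally altered file: same tag, different date of birth."""
    changed = copy.deepcopy(envelope)
    changed["license"]["dob"] = "1990-01-01"
    return changed

if __name__ == "__main__":
    print(check(SAMPLE, now=1_700_000_060))               # ok
    print(check(edited_copy(SAMPLE), now=1_700_000_060))  # tampered
    print(check(SAMPLE, now=1_700_000_000 + 3 * 86400))   # stale
```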
Service NSW, the government agency that runs the app of the same name, told The Register the flaws Noah found are not a threat to users or the integrity of the DDL.
"This issue is known and does not pose a risk to customer information," a spokesperson said. "The blogger [Noah] has manipulated their own Digital Driver Licence (DDL) information on their local device."
"Importantly, if the tampered license was scanned by police, the real time check used by NSW Police would show the correct personal information," the spokesperson added. "Upon scanning the license it would be clear to law enforcement that it has been tampered with."
"The DDL has been independently assessed by cyber specialists and is more secure than the plastic card," the spokesperson added, before pointing out that altering the DDL is against the law and that Service NSW constantly reviews the security of its offerings.
That leaves the defacement attack a route to creating a fake ID that might fool a human in the context of moments such as proving age to get into the pub, or renting a car. But identity fraud appears not to be possible.
DDLs: Coming soon to a state near you, probably
New South Wales isn't the only place where DDLs are being tested, nor the only place where they're accepted.
The UK government has been testing DDLs since 2016, and Secretary of State for Transport Grant Shapps said they may arrive before 2024. Apple Wallet added support for DDLs last year and rolled the service out to Georgia and Arizona, with plans to expand to Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah. Google recently announced that the Wallet is returning with DDL capabilities as well, though didn't say where or when it will be available. In all, more than 20 US states have signaled interest in DDLs, the Washington Post said.
NSW is even adding digital trades and credentials licenses, opening up a whole other realm of fraud possibilities.
Hardening DDLs is relatively simple, Farmer said. Using iOS' built-in SecRandomCopyBytes, which strengthens encryption by generating random bytes, is just one simple way the app could be changed to enhance security, and the addition of just a bit more code would stop the app from allowing iOS to back up sensitive data.
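To put numbers on the difference between a key that is the four-digit PIN and a key drawn from a system random generator, here is an added sketch (not code from the app or from Dvuln). It assumes PBKDF2-HMAC-SHA256 at 600,000 iterations as the PIN-to-key step, which the article does not specify, and uses Python's secrets module in place of SecRandomCopyBytes.

```python
import hashlib
import math
import secrets
import time

ITERATIONS = 600_000  # assumed work factor; the app's real derivation is not given

def entropy_bits(candidates: int) -> float:
    """Bits of work an exhaustive search over `candidates` keys represents."""
    return math.log2(candidates)

def seconds_per_guess(iterations: int = ITERATIONS) -> float:
    """Time one PIN-to-key derivation on this machine."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"0000", salt, iterations, dklen=32)
    return time.perf_counter() - start

def worst_case_hours(candidates: int, per_guess: float) -> float:
    """Upper bound on trying every candidate once, single-threaded."""
    return candidates * per_guess / 3600

def random_key(nbytes: int = 32) -> bytes:
    """Key from the OS CSPRNG, the role SecRandomCopyBytes plays on iOS."""
    return secrets.token_bytes(nbytes)

def report(per_guess: float) -> dict:
    """Map each key source to (entropy in bits, worst-case search hours)."""
    spaces = {
        "4-digit PIN": 10**4,
        "6-digit PIN": 10**6,
        "256-bit random key": 2 ** (8 * len(random_key())),
    }
    return {name: (round(entropy_bits(n), 1), worst_case_hours(n, per_guess))
            for name, n in spaces.items()}

if __name__ == "__main__":
    cost = seconds_per_guess()
    print(f"one derivation: {cost:.3f} s")
    for name, (bits, hours) in report(cost).items():
        print(f"{name:20s} {bits:6.1f} bits  worst case {hours:.3g} h")
```

Even with a deliberately slow derivation, the PIN rows stay within hours or days of single-threaded work because the keyspace itself is small; only the random key moves the search out of reach.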
Fisher said that the Dvuln team believes DDLs could be more secure than physical cards, but that the NSW implementation fails to do what it claims - for now. "if the [DDL] was improved by implementing a more secure design … we would agree that [DDLs] would provide additional levels of security against fraud compared to the plastic drivers licence," Fisher wrote.