NSW digital driver's licences 'easily forgeable'


Underage people allegedly go drinking with fake IDs.

Security researchers have analysed the NSW digital driver's licence (DDL), and found that it's "trivial" to get past the security measures implemented to protect the identity credential, and forge the data presented by the application.

Dvuln researcher Noah Farmer went through the Apple iOS version of the NSW DDL, inspired by prior testing by another researcher in 2019 that showed it was possible to modify the data on the credential so that it displayed false information.

The earlier researcher, Yaakov_H, reported his findings to Service NSW, but it's unclear if the agency took any steps to remediate the bug discovered.

Farmer observed that social media users had reported a number of underage people using easily made fake DDLs to get into drinking establishments in the state.

In his analysis, Farmer found several security design issues with the NSW DDL application.

While the application's data file, in JavaScript Object Notation (JSON) format, is encrypted with AES-256-CBC and stored Base64-encoded, this might not be sufficient protection, Farmer notes.

"A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data.

"The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations," Farmer wrote.

Once decrypted, the DDL data can be edited to change the details of the ID.

DDL data is never validated against the Service NSW application programming interface and database.

Attackers can display edited data on the Service NSW application, thanks to the lack of verification with an authoritative backend database.

Furthermore, the refresh mechanism for the DDL only updates the QR code displayed on the credential.

An attacker's edited licence details and photo remain on the DDL even though the QR code, date and time have been refreshed, Farmer found.

Other flaws include the DDL API only transmitting the holder's name and whether or not they are under 18, which can be faked by modifying the Base64-encoded data stored locally on a phone with stolen licence details.
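The two weaknesses above, that locally stored DDL data is never checked against the backend and that Base64-encoded fields can be rewritten on the device, share one mitigation: the issuer signs the licence fields, and the verifier rejects any payload whose tag no longer matches. The following is an added illustration of that check in Python, not code from Dvuln or Service NSW; the issuer key, field names and licence values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer key for illustration; a real one lives only on the backend/HSM
ISSUER_KEY = b"constructed-issuer-key-not-real"
TAG_LEN = 32  # HMAC-SHA256 output length, so the tag can be split off by length

# Constructed sample licence fields, loosely modelled on what the article says the API returns
SAMPLE = {"name": "Example Holder", "under_18": True, "licence_no": "00000000"}


def canonical(payload: dict) -> bytes:
    # Stable serialisation so issuer and verifier hash byte-identical input
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(payload: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: bind the licence fields to a keyed tag and Base64 the result."""
    body = canonical(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_credential(token: str, key: bytes = ISSUER_KEY):
    """Verifier side: return the fields only if the tag matches; None if edited or wrong key."""
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(body)


def locally_edited(token: str, field: str, value) -> str:
    """Model the on-device edit the article describes: decode, change a field,
    re-encode with the original tag. Without the issuer key the tag cannot be recomputed."""
    raw = base64.b64decode(token)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    payload = json.loads(body)
    payload[field] = value
    return base64.b64encode(canonical(payload) + tag).decode()
```

An unmodified token verifies to the original fields; the same token with `under_18` flipped, or a token checked under a different key, is rejected, which is the check the unsigned local JSON file lacks.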

Service NSW should implement better verification of DDL data, and use existing, documented operating system features that prevent PINs from being easily guessed.

The application should also be coded to avoid backing up sensitive DDL data by excluding the files and directories it uses, to avoid illicit access and modification of the information.

Update, 19/5 6.30pm: Service NSW told iTnews that the issue is known and does not pose a risk to customers.

"The blogger has manipulated their own Digital Driver Licence (DDL) information on their local device. No other customer data or data source has been compromised," a Service NSW spokesperson said.

"It also does not pose any risk in regard to unauthorised access or changes to backend systems such as DRIVES.

"Importantly, if the tampered licence was scanned by police, the real time check used by NSW Police (scanning mobipol) would show the correct personal information as it calls on DRIVES," the spokesperson added.

DRIVES stands for the DRIver and VEhicle IT System and is used in NSW for motor vehicle registration and driver licensing.

Tampered licences would be obvious to law enforcement scanning them, the spokesperson said, adding that altering the DDL is against the law.

"The DDL has been independently assessed by cyber specialists and is more secure than the plastic card," the spokesperson said.
