In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic driver’s license” citizens had used for decades.
Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, does not require any special hardware or expensive software, and will generate fake IDs that pass inspection by the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.
“To be clear, we do believe that if the Digital Driver’s License was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver’s License would provide additional levels of security against fraud compared to the plastic driver’s license, ”Noah Farmer, a researcher who identified the flaws, wrote in a post published last week.
A Better Mousetrap Hacked With Minimal Effort
“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim will not know that the fraudster has combined their own identification photo with someone’s stolen driver’s license details,” he continued. As things have stood for the past 30 months, however, DDLs make it “possible for malicious users to generate [a] fraudulent Digital Driver’s License with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself. ”
DDLs require an iOS or Android app that displays each person’s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to confirm the ID is authentic and current include:
- Animated NSW Government logo.
- Display of the last refreshed date and time.
- A QR code expires and reloads.
- A hologram that moves when the phone is tilted.
- A watermark that matches the license photo.
- Address details that do not require scrolling.
The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as demonstrated in this video showing the process on an iPhone.
Once a fraudster gets access to someone’s encrypted DDL license data — either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise — the brute force gives them the ability to read and modify any of the data stored on the file .