At the end of 2019, the New South Wales government in Australia issued digital driving licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during police checks on the road or in bars, shops, hotels and other places. ServiceNSW, as the government agency is commonly referred to, promised that it would “offer additional levels of security and protection against identity fraud, compared to the plastic driver’s license” that citizens had used for decades.
Now, 30 months later, security researchers have shown that it is trivial for almost anyone to forge fake identities using digital driver’s licenses or DDL. The technique allows minors to drink to change their date of birth and scammers to falsify identities. The process takes less than an hour, does not require any special hardware or expensive software and will generate false identifications that pass the inspection by the electronic verification system used by the police and participating sites. All this, despite the guarantees that security was a key priority for the newly created DDL system.
“To be clear, we believe that if the digital driver’s license is improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would be true, and we would agree that the digital driver’s license would provide levels Fraud security compared to the plastic driver’s license, “wrote Noah Farmer, the researcher who identified the defects, in a publication published last week.
A better hacked mouse with minimal effort
“When an unsuspecting victim scans the fraudster’s QR code, everything will be checked and the victim will not know that the fraudster has combined their own ID photo with the details of someone’s stolen driver’s license,” he continued. However, as things have been for the past 30 months, DDLs make it possible for “malicious users to generate [a] Fraudulent digital driver’s license with minimal effort on both jailbroken and non-jailbroken devices without having to modify or package the mobile application itself.
DDLs require an iOS or Android application that displays each person’s credentials. The same app allows police and sites to verify that credentials are authentic. Features designed to confirm authentication are authentic and current include:
- NSW Government Animated Logo.
- View the last updated date and time.
- A QR code expires and reloads.
- A hologram that moves when the phone is tilted.
- A watermark that matches the photo on the license.
- Address details that do not require scrolling.
The technique for overcoming these guarantees is surprisingly simple. The key is the ability to brute force the PIN that encrypts the data. Since it has only four digits, there are only 10,000 possible combinations. With publicly available scripts and a basic computer, one can learn the right combination in minutes, as shown in this video showing the process on an iPhone.
Once a scammer accesses encrypted data from someone’s DDL license, either with permission, stealing a backup stored in an iPhone backup, or through a remote compromise, brute force gives you the ability to read and modify any of the data stored in the file. .