In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic driver’s license” citizens had used for decades.
Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection by the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.
“To be clear, we do believe that if the Digital Driver’s Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver’s Licence would provide additional levels of security against fraud compared to the plastic driver’s licence,” Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.
A Better Mousetrap Hacked With Minimal Effort
“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won’t know that the fraudster has combined their own identification photo with someone’s stolen driver’s licence details,” he continued. As things have stood for the past 30 months, however, DDLs make it “possible for malicious users to generate [a] fraudulent Digital Driver’s Licence with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself.”
DDLs require an iOS or Android app that displays each person’s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to confirm the ID is authentic and current include:
- Animated NSW Government logo.
- Display of the last refreshed date and time.
- A QR code expires and reloads.
- A hologram that moves when the phone is tilted.
- A watermark that matches the license photo.
- Address details that don’t require scrolling.
The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as demonstrated in this video showing the process on an iPhone.
Once a fraudster gets access to someone’s encrypted DDL license data—either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise—the brute force gives them the ability to read and modify any of the data stored on the file.