Multiple security flaws emerge in Australian digital driver's licenses

Daniel Sims

Posts: 452   +18
Staff
Facepalm: The government of New South Wales in Australia introduced digital driver's licenses in late 2019, claiming they were harder to forge than physical identification. A security company recently outlined multiple reasons why this isn't the case.

Last week, security company Dvuln released a report on the multiple security flaws that make forging New South Wales digital drivers license (DDL) easy. This could be a big help to identity thieves and teenagers.

A few months before the introduction of DDLs, a developer held a presentation at PyCon Australia pointing out flaws in their design and reported them to the government. Three years later, Dvuln has explained methods for forging them and pointed out unverified reports of minors using forged IDs.

The first problem with the DDLs is that the only thing protecting their encryption is a 4-digit PIN which Dvuln brute-forced in minutes. Secondly, no verification process for the DDLs on users' devices takes place. Another problem is that mobile device backups include a DDL's data, which allows hackers to edit them without jailbreaking a phone. Going through the trouble of jailbreaking a device makes forgeries even easier. The way a DDL transmits a user's age is also vulnerable.

Combined, these flaws make it relatively simple for a fraudster to pull a license off of a device, edit it, re-encrypt it, and pass it off as legitimate. It may even be easier than acquiring the materials to forge a physical license like the right plastic, foil, and printer. Dvuln doesn't suggest the government scrap the DDLs, but rather improve them.

Permalink to story.

 

QuantumPhysics

Posts: 6,308   +7,247
I should be able to double click the sleep wake button on my phone to bring up the WALLER which will give me a choice between the credit cards and the licenses/ ID.

Then Facial recognition clears me to access it.

Then I present it to the office.

Why is this so hard?

The License and Registration can be on just one page.

Police Officer can scan it or look it over.

Done.
 

Darth Shiv

Posts: 2,277   +828
Except for one small problem. Police have backend authentication. Nobody gives a **** about whether you can forge a license as they electronically verify it with the uncompromised data in the backend.
Then they will charge you with having a forged license.
 

Watzupken

Posts: 603   +501
Digital is always more convenient for users, and easier for providers to "manage" your data. On the flipside, it will never be as secure. So this news don't come as a surprise.
 

Darth Shiv

Posts: 2,277   +828
Digital is always more convenient for users, and easier for providers to "manage" your data. On the flipside, it will never be as secure. So this news don't come as a surprise.
Security comes from what you consider trustworthy. Why would ANYONE consider a personal device a secure item for the purposes of identification? Especially when the authentication data is in the authorities hands? If you are going to VERIFY an identity, physical licenses were ALWAYS at risk.

This is poor process and implementation if people expect the client side device is trustworthy.