Facepalm: The government of New South Wales in Australia introduced digital driver's licenses in late 2019, claiming they were harder to forge than physical identification. A security company recently outlined multiple reasons why this isn't the case.
Last week, security company Dvuln released a report on the multiple security flaws that make forging New South Wales digital drivers license (DDL) easy. This could be a big help to identity thieves and teenagers.
A few months before the introduction of DDLs, a developer held a presentation at PyCon Australia pointing out flaws in their design and reported them to the government. Three years later, Dvuln has explained methods for forging them and pointed out unverified reports of minors using forged IDs.
The first problem with the DDLs is that the only thing protecting their encryption is a 4-digit PIN which Dvuln brute-forced in minutes. Secondly, no verification process for the DDLs on users' devices takes place. Another problem is that mobile device backups include a DDL's data, which allows hackers to edit them without jailbreaking a phone. Going through the trouble of jailbreaking a device makes forgeries even easier. The way a DDL transmits a user's age is also vulnerable.
Combined, these flaws make it relatively simple for a fraudster to pull a license off of a device, edit it, re-encrypt it, and pass it off as legitimate. It may even be easier than acquiring the materials to forge a physical license like the right plastic, foil, and printer. Dvuln doesn't suggest the government scrap the DDLs, but rather improve them.