Digital Driver’s Licences in Australia can be Tampered With in a Matter of Minutes.

An Australian digital driver’s license (DDL) that officials claimed was more secure than a physical license has been shown to be easy to tamper with, but authorities argue the credential is still secure.

New South Wales, Australia’s most populous state, launched its DDL programme in 2019. Officials there reported that, as of 2021, slightly more than half of the state’s eight million residents use the “Service NSW” app, which displays the DDL and provides access to a variety of other government services.

With nothing more than a Python script and a consumer laptop, a security researcher from cybersecurity firm Dvuln claims he was able to brute force his way inside the app.

“The DDL is stored safely on the new Service NSW app, which is password-protected and accessible offline. In comparison to the plastic driver’s license, it will give additional levels of security and protection against identity fraud,” NSW Minister for Customer Service Victor Dominello noted when the service first launched in 2019.

Noah Farmer, the Dvuln researcher who discovered the problem, disputed this claim.

By design, it is insecure.

The NSW DDL app was found to have five different design problems. The faults were combined to create “a favorable circumstance that might be exploited by any would-be attacker or fraudster,” according to Farmer.

First and foremost, and most importantly for cracking efforts, the app only takes a four-digit PIN to unlock, and that code is also the license decryption key, which is kept in a JSON file. Farmer was able to brute force the software in minutes using a Python script and a laptop, gaining access to the DDL.

Furthermore, the app fails to properly “refresh” license data, transmits minimal information in its QR code (which is also alterable), and includes license data in device backups, according to Farmer, “which means that attackers or anyone wanting to commit fraud can modify their license details without needing to jailbreak their device.”

Farmer claims that when making changes to license data, all of the security features included in NSW’s DDLs, such as an animated NSW government logo, refresh rate, QR code, moving hologram, and watermark, are retained, which he claims “creates a false sense of trust.”
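One way a checking party could catch edited or never-refreshed license data without relying on the app's visual features, as an added example that is not code from the article, Dvuln or Service NSW. The function names, the demo key, the five-minute freshness window and the sample record are assumptions, and HMAC stands in for the asymmetric signature an issuer would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a real issuer would sign with an asymmetric
# key (verifiers hold only the public half); HMAC keeps this stdlib-only.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 300  # hypothetical freshness window


def _canonical(record: dict) -> bytes:
    # Stable serialisation so issuer and verifier authenticate identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue(record: dict, now: int) -> dict:
    """Issuer side: stamp the record with an issue time and authenticate it."""
    body = dict(record, issued_at=now)
    tag = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(credential: dict, now: int) -> str:
    """Verifier side: trust only the tag and the timestamp, never the rendering."""
    try:
        body, tag = credential["body"], credential["tag"]
        issued_at = body["issued_at"]
        expected = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    except (KeyError, TypeError):
        return "malformed"
    if not isinstance(tag, str) or not hmac.compare_digest(expected.encode(), tag.encode()):
        return "tampered"  # any field changed after issuance
    if not isinstance(issued_at, int) or not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return "stale"     # authentic, but not refreshed recently enough
    return "valid"


if __name__ == "__main__":
    T0 = 1_700_000_000  # constructed clock value
    cred = issue({"name": "Sample Holder", "dob": "1990-01-01", "class": "C"}, T0)
    print(verify(cred, T0 + 60))    # unchanged and fresh
    edited = {"body": dict(cred["body"], dob="1980-01-01"), "tag": cred["tag"]}
    print(verify(edited, T0 + 60))  # field edited on the device or in a backup
    print(verify(cred, T0 + 3600))  # data never refreshed since issuance
```
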

The flaws Noah discovered are not a threat to users or the integrity of the DDL, according to Service NSW, the government agency that runs the app of the same name.
