
Multiple Vulnerabilities Identified in NSW Digital Driver License

 

In Australia, the government of New South Wales launched digital driver's licenses in late 2019, claiming they were more secure than a physical license. Last month, security firm Dvuln released a report on the multiple security flaws that make forging a New South Wales digital driver’s license (DDL) easy. 

The researchers demonstrated multiple vulnerabilities in the digital license, now used by nearly 4 million people – more than half the state’s drivers. The company warned the flaws undermine trust in the government by creating the risk of identity fraud and fake licenses being used by thieves and teenagers. 

The primary issue with the DDLs is that the only thing guarding their encryption is a 4-digit PIN, which Dvuln brute-forced in minutes. Secondly, no verification of the DDL data takes place on users' devices. 

Furthermore, the mobile device backups include a DDL's data, which allows threat actors to edit them without jailbreaking a phone. Going through the trouble of jailbreaking a device makes forgeries even easier. The way a DDL transmits a user's age is also vulnerable. 

Combined, these vulnerabilities pave an easier path for a scammer to pull a license off of a device, edit it, re-encrypt it, and pass it off as legitimate. It may even be easier than acquiring the materials to forge a physical license like the right plastic, foil, and printer. Dvuln doesn't suggest the government scrap the DDLs, but rather fix the security loopholes. 
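The gap described above is that PIN-derived encryption keeps the stored licence confidential but does not prove who wrote it, so an edited and re-encrypted record still looks valid to the app. The following is an added example, not taken from Dvuln's report or Service NSW's code: a minimal issuer-tag check in Python that rejects an edited record. The record, field names and key are constructed, and HMAC stands in for the asymmetric signature an offline verifier would use.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key; in this sketch it stays with the issuer/verifier backend.
ISSUER_KEY = b"constructed-demo-key"

def canonical(record: dict) -> bytes:
    """Deterministic serialization: same fields always yield the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def issue(record: dict) -> dict:
    """Issuer side: bind every licence field to an authentication tag."""
    tag = hmac.new(ISSUER_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(credential: dict) -> bool:
    """Verifier side: recompute the tag and compare in constant time."""
    try:
        good = hmac.new(ISSUER_KEY, canonical(credential["record"]),
                        hashlib.sha256).hexdigest()
        return hmac.compare_digest(good, str(credential["tag"]))
    except (KeyError, TypeError):
        return False  # missing or malformed fields count as tampering

def is_adult(credential: dict, today: date) -> bool:
    """Use the date of birth only after the integrity check passes."""
    if not verify(credential):
        raise ValueError("licence record failed integrity check")
    dob = date.fromisoformat(credential["record"]["date_of_birth"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 18

# Constructed sample data (hypothetical field names and values).
ISSUED = issue({"name": "Sample Holder", "licence_no": "00000000",
                "date_of_birth": "2008-03-14"})
# What an edit made inside a device backup looks like to the verifier:
# the fields change but the original tag is carried along unchanged.
TAMPERED = {"record": dict(ISSUED["record"], date_of_birth="1998-03-14"),
            "tag": ISSUED["tag"]}

if __name__ == "__main__":
    print(verify(ISSUED), verify(TAMPERED))
```
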

A ServiceNSW spokesperson said the exploits are “known” but insisted they do not pose a threat to customer data. “The blogger has manipulated their own Digital Driver Licence (DDL) information on their local device,” the spokesperson told a local media outlet. “No other customer data or data source has been compromised. It also does not pose any risk in regard to unauthorized access or changes to backend systems such as Drives [one of the central systems for motor vehicle registration and driver licensing in NSW].” 

“If the tampered license was scanned by police, the real time check used by NSW Police (scanning mobipol) would show the correct personal information as it calls on DRIVES. Upon scanning the license, it would be clear to law enforcement that it has been tampered with.” 

New South Wales isn't the first place where DDLs are being tested, nor the only place where they're accepted. The British government has been testing DDLs since 2016, and Secretary of State for Transport Grant Shapps said they may arrive before 2024. Last year, Apple Wallet introduced the service to Georgia and Arizona, with plans to expand to Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah.