Service NSW has downplayed a security vulnerability affecting the state’s digital driver’s licences that researchers say could let people create fake IDs.
Earlier this month, Sydney security firm Dvuln’s Noah Farmer published a blogpost outlining how the NSW government’s digital driver’s licence security features could be cracked “in minutes”.
“Upon the launch of Service NSW’s Digital Driver Licence there were multiple security researchers who publicly reported a number of security issues including but not limited to the ability to manipulate digital licence data and create fraudulent digital identities,” he wrote.
Much like the loophole in the security digital vaccine certificate system, the security issues depend on design flaws that allow modification of client-side information — a fancy way of saying the data that’s kept on your phone, not on Service NSW’s servers. This means that a user could change any details other than the licence name or under-18 status, including but not limited to the photograph and address, while keeping the app’s verification features like its pull-to-refresh, hologram, and QR code scanning.
Service NSW allows device data to be included in device back-ups. This means that — unlike some exploits which can only be done on jailbroken (hacked) devices — modifying a digital driver’s licence can be done on a normal phone by modifying the device backup.
Service NSW told Crikey that the department is aware of the vulnerability and maintains that a digital driver’s licence is more secure than a physical version.
“Importantly, if the tampered licence was scanned by police, the real-time check used by NSW Police (scanning MobiPol) would show the correct personal information as it calls on DRIVES,” it said. “Upon scanning the licence it would be clear to law enforcement that it has been tampered with.”
Farmer’s post agrees, but points out the current vulnerability could allow people to use a digital licence that is identical to a real one unless checked by police. This could allow minors to purchase restricted products only available to adults or access adult-only venues, or to commit identity theft.
Importantly, replicating a digital licence is more accessible than creating a convincing fake physical licence, which would require a card printer, holographic security foil and other security features.
“As far as we can see, there appears to be no formal public response from Service NSW regarding the acknowledgment or remediation of such issues,” Farmer said.
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.