
Forging Australian Driver’s Licenses
2022-05-23 11:09

The New South Wales digital driver's license has multiple implementation flaws that allow for easy forgeries.

A 4-digit application PIN is the encryption password used to protect the licence data.

The problem here is that an attacker who has access to the encrypted licence data could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations.

The second design flaw that favours attackers is that the Digital Driver Licence data is never validated against the back-end authority, which is the Service NSW API/database.

This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warning users when this data has been modified.

As the Digital Licence is stored on the client's device, validation should take place to ensure the local copy of the data actually matches the Digital Driver's Licence data that was originally downloaded from the Service NSW API. As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.
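The missing check described above can be sketched as follows. This is an added example, not code from Service NSW or from the original research: the back end keeps a digest of each licence record as issued and compares the device's copy against it. The field names, the in-memory store and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the issuing authority's store: licence id -> digest.
ISSUED_DIGESTS = {}

def canonical_digest(record: dict) -> str:
    """SHA-256 over canonical JSON, so key order and spacing cannot alter the digest."""
    encoded = json.dumps(record, sort_keys=True, separators=(",", ":"),
                         ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()

def issue(record: dict) -> None:
    """Back end: remember the digest of the record at the time it is downloaded."""
    ISSUED_DIGESTS[record["licence_id"]] = canonical_digest(record)

def validate_local_copy(local: dict) -> str:
    """Back end: compare the copy held on the device with the issued record.

    Returns 'valid', 'modified' or 'unknown'. The digest is recomputed here,
    from the data the app is about to display, never taken from the client.
    """
    licence_id = local.get("licence_id")
    if not isinstance(licence_id, str):
        return "unknown"
    expected = ISSUED_DIGESTS.get(licence_id)
    if expected is None:
        return "unknown"
    if hmac.compare_digest(expected, canonical_digest(local)):
        return "valid"
    return "modified"

# Constructed sample record (hypothetical fields, not the real data format).
SAMPLE = {"licence_id": "EXAMPLE-0001", "name": "Sample Holder",
          "date_of_birth": "1990-01-01", "class": "C"}

def demo() -> dict:
    issue(SAMPLE)
    edited = dict(SAMPLE, date_of_birth="1985-01-01")      # locally edited field
    unseen = dict(SAMPLE, licence_id="EXAMPLE-9999")       # never issued
    return {"original": validate_local_copy(dict(SAMPLE)),
            "edited": validate_local_copy(edited),
            "unseen": validate_local_copy(unseen)}

if __name__ == "__main__":
    print(demo())
```

With a result other than `valid`, the application has a basis for warning the user or refusing to display the licence.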


News URL

https://www.schneier.com/blog/archives/2022/05/forging-australian-drivers.html