Security News > 2022 > May > Australian digital driving licenses can be defaced in minutes
New South Wales, Australia's most populous state, launched its digital driver's license (DDL) program in 2019, and as of 2021 officials there said that slightly more than half of the state's eight million people use the "Service NSW" app that displays the DDL and offers access to many other government services.
"The DDL is hosted securely on the new Service NSW app, locks with a PIN and can be accessed offline. It will provide additional levels of security and protection against identity fraud, compared to the plastic driver licence," NSW Minister for Customer Service Victor Dominello said in 2019 when the service launched.
With a Python script and a laptop, Farmer was able to brute force the app in minutes, giving him access to the DDL. Additionally, the app never validates stored DDL data against NSW government records, fails to "refresh" license data properly, transmits minimal info in its QR code, and includes license data in device backups, "which means that attackers or anyone wanting to commit fraud can modify their license details without needing to jailbreak their device," Farmer said.
According to Farmer, all of the security features included in NSW's DDLs, like an animated NSW government logo, refresh rate, QR code, moving hologram and watermark, are retained when making changes to license data, which he said "creates a false sense of trust."
Service NSW, the government agency that runs the app of the same name, told The Register the flaws Noah Farmer found are not a threat to users or the integrity of the DDL. "This issue is known and does not pose a risk to customer information," a spokesperson said.
"The DDL has been independently assessed by cyber specialists and is more secure than the plastic card," the spokesperson added, before pointing out that altering the DDL is against the law and that Service NSW constantly reviews the security of its offerings.