Researcher Hacks Australian Digital Driver’s Licenses
A cybersecurity expert from Dvuln has demonstrated that digital driver’s licenses, used since 2019 in the Australian state of New South Wales, can be easily compromised and have their data altered. Previously, Australian authorities reported that by 2021, more than half of the state’s 8 million residents were already using the Service NSW app, which displays digital driver’s licenses and provides access to many other government services.
Officials claimed, “The driver’s license is securely stored in the new Service NSW app, protected by a PIN code, and available even offline. This provides additional layers of security and protection against identity theft compared to traditional plastic driver’s licenses.”
However, Dvuln specialist Noah Farmer has now revealed that he was able to compromise the app using just a Python script and a regular laptop. He discovered multiple security vulnerabilities in the app that made it easy to change the data stored in the digital license.
Key Vulnerabilities Discovered
- Farmer identified five separate flaws in the app.
- The app is unlocked with a four-digit PIN, and that same PIN is the only secret behind the key that encrypts the license, which is stored on the device as a JSON file. A four-digit numeric PIN has just 10,000 possible values, so with a Python script on an ordinary laptop Farmer brute-forced it and read the license data within minutes.
- The app does not check the stored license data against government records, and its “refresh” function does not properly reload the license, so locally edited data is not corrected.
- The QR code encodes only minimal information (and can itself be altered), and the license data is included in device backups. “This means that attackers or anyone else can change their license data without needing to jailbreak the device,” Farmer explained.
According to Farmer, none of this disturbs the license’s visible security features: the animated New South Wales logo, the refresh date and time, the QR code, the moving hologram, and the watermark all continue to display normally on the altered license. Farmer notes that these features only create a “false sense of security.”
Official Response and Security Implications
Representatives from Service NSW, the government agency managing the app, told journalists at The Register that the issues Farmer found do not pose a threat to users or the integrity of driver’s licenses.
“This issue is known and does not pose a risk to customer data,” a Service NSW spokesperson said. “The blogger [Noah Farmer] only manipulated information about his own digital driver’s license on his local device. Importantly, if a fake license is scanned by police, the real-time verification used by New South Wales police will display the correct personal data. After scanning, law enforcement will be able to tell that the license is fake. Independent cybersecurity experts have assessed digital driver’s licenses as more secure than the plastic version.”
Service NSW’s position is that data-modification attacks could fool only individual people, such as when showing ID to prove age at a bar or to rent a car; an altered license does not amount to a fully functional fake document.
Farmer, however, describes more serious potential uses for such forgeries, including obtaining prescription medications under someone else’s name or committing identity theft, which could lead to ruined credit histories and debts assigned to innocent people.
Improving Digital License Security
The researcher also notes that strengthening the security of digital driver’s licenses is not difficult. For example, generating the encryption key from random bytes with the built-in iOS SecRandomCopyBytes function, rather than deriving it from the four-digit PIN, and telling iOS not to back up the sensitive data, would significantly improve protection.
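As an added example (not code from Dvuln, Noah Farmer, or Service NSW), the following Python models the two designs the article contrasts: the weak one from the vulnerability list, where the file key is derived solely from the four-digit PIN and a laptop can try every PIN offline, and the hardened one the researcher proposes, where the key comes from random bytes. The cipher (HMAC in counter mode with an HMAC tag), the PBKDF2 key derivation and its iteration count, the record layout, the salt, the PIN and the sample license are all constructed for the example and do not reflect the app’s actual format; `secrets.token_bytes` stands in for iOS’s SecRandomCopyBytes.

```python
"""Toy model of the weak design (file key derived from the 4-digit unlock PIN)
beside the hardened one (file key from random bytes).
Added example, not code from Dvuln, Noah Farmer or Service NSW: the cipher,
KDF, iteration count, record layout, salt and sample licence are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 200   # constructed; the page does not give the app's KDF or its cost
PIN_LENGTH = 4         # a 4-digit numeric PIN: 10**4 candidates, whatever the KDF cost
SAMPLE_SALT = b"constructed-salt"
SAMPLE_LICENCE = {"name": "A. Sample", "dob": "1990-01-01", "number": "00000000"}  # constructed


def derive_key_from_pin(pin: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 over the PIN alone: the key's entropy is bounded by the PIN, not the KDF."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-in-counter-mode keystream so the example runs on the stdlib only."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(key: bytes, plaintext: bytes) -> Dict[str, str]:
    """Encrypt-then-MAC; the dict stands in for the on-disk JSON record."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, record: Dict[str, str]) -> Optional[bytes]:
    """None when the tag fails: exactly the oracle an offline PIN search needs."""
    nonce, ct, tag = (bytes.fromhex(record[k]) for k in ("nonce", "ct", "tag"))
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def read_licence(key: bytes, record: Dict[str, str]) -> Optional[dict]:
    """What the app side does on unlock: decrypt and trust whatever JSON comes out."""
    pt = decrypt(key, record)
    return None if pt is None else json.loads(pt)


# --- weak design: the unlock PIN is the only secret behind the file key -----
def store_with_pin(pin: str, salt: bytes, licence: dict) -> Dict[str, str]:
    return encrypt(derive_key_from_pin(pin, salt), json.dumps(licence, sort_keys=True).encode())


def brute_force_pin(salt: bytes, record: Dict[str, str]) -> Optional[Tuple[str, dict]]:
    """Try all 10**PIN_LENGTH PINs against a copy of the file (e.g. one pulled from a backup)."""
    for n in range(10 ** PIN_LENGTH):
        pin = f"{n:0{PIN_LENGTH}d}"
        licence = read_licence(derive_key_from_pin(pin, salt), record)
        if licence is not None:
            return pin, licence
    return None


def forge(pin: str, salt: bytes, licence: dict, changes: dict) -> Dict[str, str]:
    """Edit fields and re-encrypt under the same PIN; the app decrypts it like the original."""
    return store_with_pin(pin, salt, {**licence, **changes})


# --- hardened design: key from random bytes (SecRandomCopyBytes on iOS) ------
def store_with_random_key(licence: dict) -> Tuple[bytes, Dict[str, str]]:
    """secrets.token_bytes stands in for SecRandomCopyBytes; on a device the key
    would be kept in the keychain rather than recomputed from the PIN."""
    key = secrets.token_bytes(32)
    return key, encrypt(key, json.dumps(licence, sort_keys=True).encode())


def demo() -> dict:
    """Runs the PIN search against both designs and returns what each recovered."""
    weak = store_with_pin("2468", SAMPLE_SALT, SAMPLE_LICENCE)   # constructed PIN
    found = brute_force_pin(SAMPLE_SALT, weak)
    pin, licence = found if found else (None, None)
    forged = forge(pin, SAMPLE_SALT, licence, {"dob": "2004-01-01"}) if pin else None
    key, hardened = store_with_random_key(SAMPLE_LICENCE)
    return {
        "weak_pin": pin,
        "weak_licence": licence,
        "forged_dob": read_licence(derive_key_from_pin(pin, SAMPLE_SALT), forged)["dob"] if forged else None,
        "hardened_search": brute_force_pin(SAMPLE_SALT, hardened),
        "hardened_with_key": read_licence(key, hardened),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` recovers the constructed PIN after at most 10,000 candidates, re-encrypts a license with an altered date of birth that the app-side `read_licence` accepts without complaint, and recovers nothing from the randomly keyed file. Raising the KDF cost does not change the picture: the search stays bounded by 10^4 candidates, which is why a laptop finishes in minutes. Two caveats a practitioner would add: on the owner’s own device the PIN is already known, so local encryption never protected the data against its holder, and only a server-side check (the real-time verification the article says police perform) can; and on iOS the random key belongs in the keychain under a this-device-only accessibility class such as kSecAttrAccessibleWhenUnlockedThisDeviceOnly, with the license file’s `isExcludedFromBackup` resource value set, so that neither the key nor the file lands in a backup.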