Service NSW has downplayed a security vulnerability affecting the state’s digital driver’s licences that researchers say could let people create fake IDs.
Earlier this month, Sydney security firm Dvuln’s Noah Farmer published a blogpost outlining how the NSW government’s digital driver’s licence security features could be cracked “in minutes”.
“Upon the launch of Service NSW’s Digital Driver Licence there were multiple security researchers who publicly reported a number of security issues including but not limited to the ability to manipulate digital licence data and create fraudulent digital identities,” he wrote.
Much like the loophole in the security digital vaccine certificate system, the security issues depend on design flaws that allow modification of client-side information — a fancy way of saying the data that’s kept on your phone, not on Service NSW’s servers. This means that a user could change any details other than the licence name or under-18 status, including but not limited to the photograph and address, while keeping the app’s verification features like its pull-to-refresh, hologram, and QR code scanning.
Service NSW allows device data to be included in device back-ups. This means that — unlike some exploits which can only be done on jailbroken (hacked) devices — modifying a digital driver’s licence can be done on a normal phone by modifying the device backup.
Service NSW told Crikey that the department is aware of the vulnerability and maintains that a digital driver’s licence is more secure than a physical version.
“Importantly, if the tampered licence was scanned by police, the real-time check used by NSW Police (scanning MobiPol) would show the correct personal information as it calls on DRIVES,” it said. “Upon scanning the licence it would be clear to law enforcement that it has been tampered with.”
Farmer’s post agrees, but points out the current vulnerability could allow people to use a digital licence that is identical to a real one unless checked by police. This could allow minors to purchase restricted products only available to adults or access adult-only venues, or to commit identity theft.
Importantly, replicating a digital licence is more accessible than creating a convincing fake physical licence, which would require a card printer, holographic security foil and other security features.
“As far as we can see, there appears to be no formal public response from Service NSW regarding the acknowledgment or remediation of such issues,” Farmer said.
Modifying a phone’s backup data is non-trivial and is not going to change the data stored on the phone unless you then restore the phone from the modified backup. I’m not sure about android phones but an iOS backup has checksums to prevent manual editing of the raw data so the scenario you outline is not possible without state-level expertise and expense. No script kiddie is going to have the resources to edit this data.
And rejected by Avis for an existing advance booking at Heathrow – letter to Age Traveller 27-28 May 22.