{"id":19159,"date":"2022-05-28T19:08:31","date_gmt":"2022-05-29T03:08:31","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12892\/"},"modified":"2022-05-28T19:08:31","modified_gmt":"2022-05-29T03:08:31","slug":"news-12892","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12892\/","title":{"rendered":"\u2018Tough to Forge\u2019 Digital Driver\u2019s Licenses Are\u2014Yep\u2014Easy to Forge"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/628d5f5f2563a9a2cb377a1b\/master\/pass\/security-fake-ddl.jpg\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Wed, 25 May 2022 13:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/dan-goodin-ars-technica\">Dan Goodin, Ars Technica<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">In late 2019,<\/span> the government of New South Wales in Australia rolled out digital driver\u2019s licenses. The new licenses allowed people to use their <a href=\"https:\/\/www.wired.com\/tag\/iphone\/\">iPhone<\/a> or <a href=\"https:\/\/www.wired.com\/tag\/android\/\">Android<\/a> device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. 
ServiceNSW, as the government body is usually referred to, <a data-offer-url=\"https:\/\/www.nsw.gov.au\/media-releases\/nsw-digital-drivers-licence-rolled-out-statewide\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.nsw.gov.au\/media-releases\/nsw-digital-drivers-licence-rolled-out-statewide&quot;}\" href=\"https:\/\/www.nsw.gov.au\/media-releases\/nsw-digital-drivers-licence-rolled-out-statewide\" rel=\"nofollow noopener\" target=\"_blank\">promised<\/a>\u00a0it would \u201cprovide additional levels of security and protection against identity fraud, compared to the plastic driver&#x27;s license\u201d citizens had used for decades.<\/p>\n<p class=\"paywall\">This story originally appeared on <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/05\/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/05\/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/05\/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge\/\" rel=\"nofollow noopener\" target=\"_blank\">Ars Technica<\/a>, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED&#x27;s parent company, Cond\u00e9 Nast.<\/p>\n<p class=\"paywall\">Now, 30 months later, security researchers have shown that it\u2019s trivial for just about anyone to forge fake identities using the digital driver&#x27;s licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. 
The process takes well under an hour, doesn\u2019t require any special hardware or expensive software, and will generate fake IDs that pass inspection by the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created <a data-offer-url=\"https:\/\/www.service.nsw.gov.au\/privacy-and-digital-licences-and-credentials\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.service.nsw.gov.au\/privacy-and-digital-licences-and-credentials&quot;}\" href=\"https:\/\/www.service.nsw.gov.au\/privacy-and-digital-licences-and-credentials\" rel=\"nofollow noopener\" target=\"_blank\">DDL system<\/a>.<\/p>\n<p class=\"paywall\">\u201cTo be clear, we do believe that if the Digital Driver&#x27;s Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver&#x27;s Licence would provide additional levels of security against fraud compared to the plastic driver&#x27;s licence,\u201d Noah Farmer, the researcher who identified the flaws, wrote in a <a data-offer-url=\"https:\/\/blog.dvuln.com\/blogs\/servicensw-digital-superbad\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/blog.dvuln.com\/blogs\/servicensw-digital-superbad&quot;}\" href=\"https:\/\/blog.dvuln.com\/blogs\/servicensw-digital-superbad\" rel=\"nofollow noopener\" target=\"_blank\">post<\/a> published last week.<\/p>\n<p class=\"paywall\">\u201cWhen an unsuspecting victim scans the fraudster\u2019s QR code, everything will check out, and the victim won&#x27;t know that the fraudster has combined their own identification photo with someone\u2019s stolen driver&#x27;s licence details,\u201d he continued. 
As things have stood for the past 30 months, however, DDLs make it \u201cpossible for malicious users to generate [a] fraudulent Digital Driver&#x27;s Licence with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself.\u201d<\/p>\n<p class=\"paywall\">DDLs require an iOS or Android app that displays each person\u2019s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to <a data-offer-url=\"https:\/\/www.service.nsw.gov.au\/campaign\/nsw-digital-driver-licence\/licence-checkers-and-nsw-digital-driver-licence\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.service.nsw.gov.au\/campaign\/nsw-digital-driver-licence\/licence-checkers-and-nsw-digital-driver-licence&quot;}\" href=\"https:\/\/www.service.nsw.gov.au\/campaign\/nsw-digital-driver-licence\/licence-checkers-and-nsw-digital-driver-licence\" rel=\"nofollow noopener\" target=\"_blank\">confirm the ID is authentic<\/a> and current include:<\/p>\n<p class=\"paywall\">The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it\u2019s only four digits long, there are only 10,000 possible combinations. 
Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as demonstrated in <a data-offer-url=\"https:\/\/www.youtube.com\/watch?v=k89Qub3BVxs\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.youtube.com\/watch?v=k89Qub3BVxs&quot;}\" href=\"https:\/\/www.youtube.com\/watch?v=k89Qub3BVxs\" rel=\"nofollow noopener\" target=\"_blank\">this video<\/a> showing the process on an iPhone.<\/p>\n<p class=\"paywall\">Once a fraudster gets access to someone\u2019s encrypted DDL license data\u2014either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise\u2014the brute force gives them the ability to read and modify any of the data stored on the file.<\/p>\n<p class=\"paywall\">From there, it&#x27;s a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device. 
The precise steps on an iPhone are:<\/p>\n<p class=\"paywall\">With that, the ServiceNSW app will display the fake ID and present it as genuine.<\/p>\n<p class=\"paywall\">The following <a data-offer-url=\"https:\/\/www.youtube.com\/watch?v=MIYyAlxoESk\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.youtube.com\/watch?v=MIYyAlxoESk&quot;}\" href=\"https:\/\/www.youtube.com\/watch?v=MIYyAlxoESk\" rel=\"nofollow noopener\" target=\"_blank\">video<\/a> shows the entire process from start to finish.<\/p>\n<p class=\"paywall\">A variety of design flaws make this simple hack possible.<\/p>\n<p class=\"paywall\">The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. Apple provides a function named <a data-offer-url=\"https:\/\/developer.apple.com\/documentation\/security\/1399291-secrandomcopybytes\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/developer.apple.com\/documentation\/security\/1399291-secrandomcopybytes&quot;}\" href=\"https:\/\/developer.apple.com\/documentation\/security\/1399291-secrandomcopybytes\" rel=\"nofollow noopener\" target=\"_blank\">SecRandomCopyBytes<\/a> for producing random bytes that can be used to generate secure keys. 
\u201cIf this was used to encrypt the Digital Driver&#x27;s Licence rather than the 4 digit PIN, it would make the task of brute-forcing much harder if not completely infeasible for attackers,\u201d Farmer wrote.<\/p>\n<p class=\"paywall\">The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what\u2019s stored on the iPhone matches records maintained by the government department. With no means to natively validate the data, there\u2019s no way to tell when information has been tampered with. As a result, attackers are able to display the falsified data on the Service NSW application without any means to prevent or detect the fraud.<\/p>\n<p class=\"paywall\">The third shortcoming is that using the \u201cpull-to-refresh\u201d function\u2014a cornerstone of the DDL verification scheme intended to ensure the most current information is showing\u2014fails to refresh any of the data stored in the electronic credential. Instead, it updates only the QR code. A better response would be for the pull-to-refresh function to download the latest copy of the DDL from the ServiceNSW database.<\/p>\n<p class=\"paywall\">Fourth, the QR code transmits only the DDL holder\u2019s name and status as either over or under the age of 18. The QR code is supposed to allow the person checking the ID to scan it with their own ServiceNSW app to validate that the data presented is authentic. To bypass the check, a fraudster only needs to obtain the driver&#x27;s license details from a stolen or otherwise-obtained DDL and replace it locally on their phone.<\/p>\n<p class=\"paywall\">\u201cWhen an unsuspecting victim scans the fraudster\u2019s QR code, everything will check out, and the victim won&#x27;t know that the fraudster has combined their own identification photo with someone&#x27;s stolen Driver&#x27;s Licence details,\u201d Farmer explained. 
Had the system returned the legitimate image data, the scanning party would easily see that the fraudster had forged the DDL, since the face returned by Service NSW wouldn\u2019t match the face displayed on the app.<\/p>\n<p class=\"paywall\">The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. While all files stored in the Documents and Library\/Application Support\/ folders are backed up by default, iOS allows developers to easily exclude certain files from backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.<\/p>\n<p class=\"paywall\">With a reported 4 million NSW residents using the DDLs, the gaffe could have serious consequences for anyone who relies on DDLs to verify identities, ages, addresses, or other personal information. It&#x27;s not clear how or even if Service NSW plans to respond. Given time differences between San Francisco and New South Wales, officials with the department weren&#x27;t immediately available for comment.<\/p>\n<p class=\"paywall\">Farmer noted <a data-offer-url=\"https:\/\/twitter.com\/Sydney2100\/status\/1463640054853603332\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/Sydney2100\/status\/1463640054853603332&quot;}\" href=\"https:\/\/twitter.com\/Sydney2100\/status\/1463640054853603332\" rel=\"nofollow noopener\" target=\"_blank\">this tweet<\/a>, which called out a hotel bar for refusing service to someone who had only physical ID and instead accepting only DDLs. 
\u201cI know 10 kids that you let in regularly with fake digital licenses because they are easy to make,\u201d the person claimed.<\/p>\n<p class=\"paywall\">While the veracity of that claim can\u2019t be verified, it certainly sounds plausible, given the ease and effectiveness of the hack shown here.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/digital-drivers-license-forgery-identity-theft\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/628d5f5f2563a9a2cb377a1b\/master\/pass\/security-fake-ddl.jpg\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Wed, 25 May 2022 13:00:00 +0000<\/strong><\/p>\n<p>Researchers found a litany of security flaws that allow simple, quick, and cheap forgeries in 
Australia.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-19159","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19159"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19159\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}