Forging Australian Driver’s Licenses

The New South Wales digital driver’s license has multiple implementation flaws that allow for easy forgeries.

This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.

A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data.

The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations….

[…]

The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority which is the Service NSW API/database.

This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warn users when this data has been modified.

As the Digital Licence is stored on the client’s device, validation should take place to ensure the local copy of the data actually matches the Digital Driver’s Licence data that was originally downloaded from the Service NSW API.

As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.

There’s a lot more in the blog post.
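The second flaw quoted above is that nothing ties the licence copy on the phone to what the back end originally issued. As an added example (not code from the blog post or from Service NSW), here is one way to make local edits detectable: the issuer signs the licence payload with Ed25519 and the app verifies it against a pinned public key before display. The record, its field names and the function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedLicence is what the phone stores: the exact bytes the issuer signed
// plus the signature. The layout is hypothetical.
type SignedLicence struct {
	Payload   []byte
	Signature []byte
}

// Issue runs on the back end only; the private key never reaches the device.
func Issue(priv ed25519.PrivateKey, payload []byte) SignedLicence {
	return SignedLicence{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify runs before anything is displayed; it needs only the issuer's public key.
func Verify(pub ed25519.PublicKey, s SignedLicence) error {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return errors.New("licence data does not match what the issuer signed")
	}
	return nil
}

// Demo issues a constructed licence, then changes one field in the stored
// copy (the kind of on-device edit the post describes) and re-verifies it.
func Demo() (originalOK, editedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real licence data.
	s := Issue(priv, []byte(`{"number":"00000000","name":"Sample Person","dob":"2006-01-01"}`))
	originalOK = Verify(pub, s) == nil
	edited := SignedLicence{Payload: bytes.Replace(s.Payload, []byte("2006"), []byte("1996"), 1), Signature: s.Signature}
	editedOK = Verify(pub, edited) == nil
	return originalOK, editedOK
}

func main() {
	ok, edited := Demo()
	fmt.Printf("original accepted: %v, edited accepted: %v\n", ok, edited)
}
```

A signature check only proves the data is what the issuer once signed; detecting a licence that has since been suspended or revoked still needs an online check against the back end.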

Posted on May 23, 2022 at 6:09 AM • 17 Comments

Comments

Ted May 23, 2022 8:31 AM

Something interesting is that a different Australian state – Queensland – is planning to roll out their own version of a digital driver’s license in 2023.

It’s only the third Australian state to do so, following South Australia (2017) and New South Wales (2019). They contracted the development with Thales, a French engineering “heavyweight,” alongside others.

“This solution is an Australia-first, meeting the International Mobile Driver Licence Standard ISO 18013-5, which was published last year,” he said.

“This will allow the state’s digital driver licences to be recognised and used all over the world.”

https://www.itnews.com.au/news/queensland-locks-in-2023-for-digital-drivers-licence-rollout-576490

cmeier May 23, 2022 10:15 AM

Sigh. Thinks back to the early 1970s when Tennessee drivers licenses had no picture, were printed on heavyish card stock, and some manipulations with a xerox machine and a typewriter were required to produce a DL convincing enough to the average store clerk that you were old enough to buy alcohol.

Dang digital kids these days have it easy when all they have to do is change a few bits of info on a digital copy of their license. Now get off my lawn.

cmeier May 23, 2022 10:38 AM

@John

A few years ago, a friend of mine who had acquired a couple of fake IDs was pulled over by a cop. The policeman, of course, asked for his license. He asked his wife to retrieve it from the glove box. She replied, “Which one?”

John May 23, 2022 7:49 PM

Looks like this was designed by someone with a CISSP certification or an MBA!

Nowadays everyone is trying to be a Cybersecurity professional, including CISOs with no background in Security Engineering. Especially happening on a large scale in the USA in the name of so-called vCISO services.

Savita May 24, 2022 1:50 AM

Reminds me of the State of Western Australia, funnily enough located in the country of Australia.

They have an alleged ‘pandemic’ utility – a ‘check in’ application which might be part of the state’s larger services app (for licencing and other government services).

It underwent an audit recently. I’d like to say the report was damning but there wasn’t even a slap on the wrist. There were many serious breaches of protocol however, including non-existent security. No encryption! Everyone’s personal data was being logged, transmitted and stored with no encryption.
Who do they hire for these things? It was obviously deliberate.

The drivers licence situation is so bad one is forced to suspect it must be deliberate also. There must be some higher reward at hand for someone if only resale of data.

Oh as for the comment quoted by Ted. Only the Queensland government could believe they are so special their new drivers licence could be ‘recognised and used all over the world’. No state licence is worth anything for identification, or even driving purposes on its own merit, outside of Australia.

ResearcherZero May 24, 2022 4:00 AM

Failing the Corruption Road Test

A damning ICAC report has found a “pattern of wrongdoing” among some individuals within the driver licensing industry and says the systems in place to prevent corruption are “less than adequate”.
https://indaily.com.au/news/2022/05/18/icac-report-finds-bribery-issues-in-driver-licensing-sector/

If your drivers license is suddenly declared void, or you keep failing to pass your test, you may have forgotten to pay the bribe.

Denton Scratch May 24, 2022 5:42 AM

That sounds amazingly incompetent.

I’m not a big believer in mobile apps. Nor smartphones, for that matter; I have a smartphone, mainly because I own equipment that only works with a mobile app. I use it mainly as a camera.

I’m also disinclined to trust software developed by government departments (and their contractors). I’ve worked in that particular sausage factory, and it put me off sausages. I suppose not all government-issued software is crap, but as they say, security is a process. Like a broken watch that tells the right time twice a day, even a crap process sometimes produces software that works.

EvilKiru May 24, 2022 8:28 AM

@Savita: Many countries have diplomatic agreements that recognize each other’s country, state, and/or province, etc. issued drivers licenses as valid for visitor driving rights in each other’s countries. I know this to be true of Iceland and the US, Iceland and the UK, and the UK and the US and I can’t imagine it being untrue for Australia and the US.

Paul S. May 25, 2022 1:26 AM

Various Australian states have been blundering around with digital/smart-card driver’s licenses for at least ten years, wasting tens and possibly hundreds of millions of dollars on projects that their techs told them from the start could never work… that’s not the usual techie naysaying, it’s trying to tell the mgt. that issuing certificates on an IBM mainframe stored in ISAM files talking to Java connectors with… ohgodohgod I’m getting horror flashbacks just starting to write this up. I was involved with the Queensland fiasco (distinct from the NSW fiasco, the Victoria fiasco, the … ) earlier on… there’s an IT failure book in there waiting to be written once I retire and don’t have to worry about work-related consequences any more… you could do an entire season of Utopia from it only the Utopia guys got more done.

Paul S. May 25, 2022 2:49 AM

@cmeier: That actually made the old physical Australian drivers licenses quite secure, the laminated stock they were printed on was so old it hadn’t been made for years so it was very difficult to create a fake one, you couldn’t just go out and buy a thousand blanks and run off your own copies…

@Ted: You mean it’s their latest attempt of many failed attempts to roll out a new driver’s license… I’m not holding my breath.

Paul S. May 25, 2022 3:08 AM

@Savita: They got that part right at least… they’ve actually been pushing the “whole world will follow us” line for at least ten years, the justification for the massive spend-up at the time was that they’d set the standard that the whole world would eventually follow so it’d all be worth the cost. The whole world did end up following them, but only as an example of how not to do it… actually I think most of the world didn’t even know what they were up to, but those who did could see what a train wreck it was and avoid it.

SpaceLifeForm May 25, 2022 5:24 PM

In the olden daze…

I actually made it thru customs with some coworkers, even though I had somehow forgotten my Drivers License.

The fact that I was hand carrying a large 9-track tape reel and politely requested that it not be X-Rayed may have been a factor.

Upon return, they did not even care as I left with the same 9-track reel in hand, again asking that it not be X-Rayed.

SpaceLifeForm May 26, 2022 4:26 PM

In the olden daze…

When a Drivers License was plastic with raised type, if one was careful, you could slice out a subset of numeric characters with an exacto knife, and glue them back in. In different positions of course so you could get into the bar.

I saw this long ago, and I had to really look closely to spot the alteration.

Someone checking ID at a bar is not going to catch the alteration.

Savita May 26, 2022 10:36 PM

EvilKiru

I’m sure you’re not really evil. Thanks for your response.
You are correct of course people drive internationally. I can’t speak for other countries but I can comment on the situation in Australia.

An ‘international licence permit’ is obtained from a motoring club (for some reason!) called ‘NRMA’. It is valid for only one year and is literally just cardboard with a passport photo. About AUD$50

When reviewing regulations for overseas travel, it is said that a few countries will accept the driver licence outside of Australia, yet virtually everyone else requires the licence to be accompanied by the cardboard permit. Hence my comment about the State of Queensland licence being useless ‘on its own merit’, let alone ‘the whole world will recognise it’.

Thank you ResearcherZero for the paper on bribes in the state of South Australia! It’s unusual to see corruption so formally and publicly acknowledged in this country. Australia has an unusual head in the sand relationship with corruption. Government bends over backwards trying to pretend it doesn’t exist.

That paper was shocking to me simply because of the road safety implications.

Thank you Paul S for your feedback.
