posted by hubie on Thursday May 26 2022, @03:36AM
from the 13.3-bit-encryption-key dept.

A litany of security flaws allows forgeries that are easy, quick, and cheap:

In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.

Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. [...]

DDLs require the use of an iOS or Android app to display the personal credentials. Security features that are built-in include things like a dynamic QR code and holograms and watermarks. The data used to generate these things are stored encrypted on the smart device. But there's one little problem:

The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it's only four digits long, there are only 10,000 possible combinations. [...]

From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device.

With that, the ServiceNSW app will display the fake ID and present it as genuine.

A variety of design flaws make this simple hack possible.

The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. [...]

The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what's stored on the iPhone matches records maintained by the government department. [...]

The third shortcoming is that using the "pull-to-refresh" function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. [...]

Fourth, the QR code transmits only the DDL holder's name and status as either over or under the age of 18. [...]

The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. [...]

This video shows how easy it is to decrypt the data stored on the phone.

We seem to be inexorably marching towards a future requiring everyone to carry smartphone-like devices around all the time (with software written by the lowest bidder?).



  • (Score: 5, Interesting) by Fluffeh on Thursday May 26 2022, @03:49AM

    by Fluffeh (954) Subscriber Badge on Thursday May 26 2022, @03:49AM (#1247919) Journal

    Luckily, this was brought to you by the same folks (in a roundabout way) that brought you online medical records that are totally more secure than records at the doctor's office...

    Given the rush of people opting out of the system just before it was released [ieee.org], it was really good to see that all the fuss was in vain, and there were no breaches or inappropriate use of these records.

    Oh wait... [zdnet.com]

  • (Score: 2, Disagree) by MostCynical on Thursday May 26 2022, @04:10AM (3 children)

    by MostCynical (2589) on Thursday May 26 2022, @04:10AM (#1247921) Journal

    the main issues with any 'device' relate to the device itself.

    1. the current problems with connectivity mean that no device is always connected
    2. devices are meant to be easy to use
    3. storing a credential on a device requires security.

    so...
    you have to allow for 'offline' validation.
    you have hackable pins/codes
    security is compromised by easy hackable codes

    give up 'easy to use' or make it that the device only works when 'online'

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 1, Insightful) by Anonymous Coward on Thursday May 26 2022, @04:30AM (2 children)

      by Anonymous Coward on Thursday May 26 2022, @04:30AM (#1247924)

      Offline validation of data blobs signed by a central authority is a solved problem. This can be easy to use, work offline, and be secure.

      The government can just sign the license data with their private key, and the validation system can know the public key. Allows for easy offline validation. Maybe use existing certificate and key rotation technology like we use for HTTPS, or just use PGP: there are plenty of existing standards with freely available implementations that handle this use case just fine.

      With QR codes supporting 2953 byte payloads, you should be able to fit a robustly signed name, age, and some basic biometrics (height, eye color etc), and a cryptographic hash of the photo.

      I'll concede fitting a decent photo in the QR code data might not work well, but having it as an optional extra if you have more bandwidth (ex: via nfc) could offer some value.

      Note that this same setup (QR code and optional NFC: I suspect that's what my US enhanced driver's license) can work on both a classic card and as a phone app. Also the less powerful (no photo) version works fine on printed paper.

      This does not have to be heading toward a "future requiring everyone to carry smartphone-like devices around all the time". It's just more of politicians delegating to people who like money instead of people with domain relevant skills, and some selection bias to pick the worst example worldwide. Most implementations are better.
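
The offline check described in the comment above, as an added example (not part of the thread and not ServiceNSW's code): the authority signs the record, the QR code carries the record plus signature, and the checking device verifies with the public key alone. Ed25519 from Go's standard library stands in for the certificate or PGP tooling the comment mentions; the `License` fields, the function names and the `body.sig` encoding are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// License is a constructed record layout, not the ServiceNSW format.
type License struct{ Name, DOB, EyeColor, PhotoSHA256 string }
var b64 = base64.RawURLEncoding

// PhotoHash is signed in place of the photo, which may not fit in a QR code.
func PhotoHash(p []byte) string { h := sha256.Sum256(p); return b64.EncodeToString(h[:]) }

// Issue runs at the authority: sign the serialized record, emit "body.sig".
func Issue(priv ed25519.PrivateKey, l License) string {
	body, _ := json.Marshal(l) // cannot fail for a struct of strings
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Verify runs offline on the checker's device, which holds only the public key.
func Verify(pub ed25519.PublicKey, qr string, photo []byte) (*License, error) {
	parts := strings.Split(qr, ".")
	if len(qr) > 2953 || len(parts) != 2 { // 2953 bytes: QR capacity cited above
		return nil, fmt.Errorf("malformed payload")
	}
	body, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("bad signature") // edited data or wrong issuer key
	}
	var l License
	if json.Unmarshal(body, &l) != nil || PhotoHash(photo) != l.PhotoSHA256 {
		return nil, fmt.Errorf("photo shown does not match the signed hash")
	}
	return &l, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	photo := []byte("constructed photo bytes")
	qr := Issue(priv, License{"Alex Example", "1990-01-01", "brown", PhotoHash(photo)})
	_, err := Verify(pub, qr, photo)
	fmt.Println("genuine accepted:", err == nil, "payload bytes:", len(qr))
}
```

A record edited on the device no longer verifies, because the signature can only be produced with the authority's private key, and the photo shown must hash to the signed value.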

      • (Score: 3, Interesting) by bzipitidoo on Thursday May 26 2022, @08:53AM (1 child)

        by bzipitidoo (4388) on Thursday May 26 2022, @08:53AM (#1247956) Journal

        Yes, this.

        Designing a new cryptographic method is hard. But there are many existing methods that are good. They've been extensively studied, so while there is always a chance someone will discover a weakness, it's less.

        In this case, they bungled, badly. No method can overcome the weakness inherent in limiting keys to just 10k possibilities. Modern computers, heck, PCs of the 1980s, can brute force that in a few seconds.

        Another mistake they might make is "self-validation". If they do that, it's too easy to change the validation software to simply report that an invalid license is valid.

        • (Score: 2) by maxwell demon on Thursday May 26 2022, @04:13PM

          by maxwell demon (1608) on Thursday May 26 2022, @04:13PM (#1248056) Journal

          Modern computers, heck, PCs of the 1980s, can brute force that in a few seconds.

          Not only that, it's a low enough key space that you can even brute force it by hand.

          --
          The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by maxwell demon on Thursday May 26 2022, @05:15AM (4 children)

    by maxwell demon (1608) on Thursday May 26 2022, @05:15AM (#1247927) Journal

    DDLs require the use of an iOS or Android app to display the personal credentials. Security features that are built-in include things like a dynamic QR code and holograms and watermarks.

    How can an app contain a hologram? Holograms are physical objects, after all. Or is there a second meaning of “hologram” I'm not aware of (similar to watermarks, that are originally a physical feature of paper, but these days may also refer to some identifying information hidden in a file)?

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2, Interesting) by Anonymous Coward on Thursday May 26 2022, @05:22AM (2 children)

      by Anonymous Coward on Thursday May 26 2022, @05:22AM (#1247928)

      From what I took from the article, it isn’t a hologram, but a "hologram." Just like how traditional holograms implanted on licenses change color as you change your view angle, these mimic the behavior by changing color as you tilt the smartphone.

      • (Score: 2, Funny) by Ironrose on Thursday May 26 2022, @05:57AM (1 child)

        by Ironrose (17236) on Thursday May 26 2022, @05:57AM (#1247930) Journal

        I am now licensed to drive vehicles of less than 45,000 kilos, all over Australia, except in 'Roo zones, or Mad Max territory. Furiosa qualification is pending.

        • (Score: 2, Funny) by Anonymous Coward on Thursday May 26 2022, @07:24AM

          by Anonymous Coward on Thursday May 26 2022, @07:24AM (#1247948)

          I am now licensed to drive vehicles of less than 45,000 kilos, all over Australia, except in 'Roo zones, or Mad Max territory.

          So many words to say you don't hold a license to drive in any place in Australia.

    • (Score: 2) by tangomargarine on Thursday May 26 2022, @02:30PM

      by tangomargarine (667) on Thursday May 26 2022, @02:30PM (#1248006)

      And non-digital watermarks usually involve holding up the bill or whatever to light to see what shows through.

      "Sir, I'm sorry, but I can't see through your phone. No watermark--this must be a forgery."

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 3, Funny) by SomeGuy on Thursday May 26 2022, @11:47AM (2 children)

    by SomeGuy (5632) on Thursday May 26 2022, @11:47AM (#1247973)

    "iPhone or Android device to show proof of identity and age"

    And they found a way to fake this.

    No fucking shit. Duh.

    "Phones" are not magically more of a source of authoritative identity than any other electronic device. But idiots love their glorious cell phones soooo much they can't see that.

    I'd rather keep my separate plastic driver's license. It can't get hacked as easily, it is less likely to get stolen, I don't have to worry about dead batteries, I don't have to worry about authenticating with some remote server, I don't have to worry about replacing the entire thing every couple of years at the whim of a hardware manufacturer. I could go on and on and on.

    But, but, but, but, but, CELLPHONES!!!!!1111!1

    • (Score: 2) by Freeman on Thursday May 26 2022, @02:02PM (1 child)

      by Freeman (732) on Thursday May 26 2022, @02:02PM (#1247995) Journal

      But, they're smartphones now, so they must obviously be better. Certainly, they must be smarter than that dumb piece of plastic.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 1, Touché) by Anonymous Coward on Thursday May 26 2022, @03:57PM

        by Anonymous Coward on Thursday May 26 2022, @03:57PM (#1248042)

        Certainly, they must be smarter than that dumb piece of plastic.

        There are some people I used to think this way about, but so far most of them have not demonstrated this level of proficiency.

  • (Score: 1, Touché) by Anonymous Coward on Thursday May 26 2022, @03:03PM

    by Anonymous Coward on Thursday May 26 2022, @03:03PM (#1248019)

    Instant comedy: when some noodlebrain wants to install some kind of 2FA/Timekeeping/Tracking/whatever app on your smartphone for convenience, drop a non-smartphone on the table and tell them to go for it. Or even something almost-there, like a WinCE device.

    It's like watching a six year old kid realise that those chocolate easter bunnies are hollow, and the chocolate isn't even good. Entertainment!

    "Uhm ... oh, how do you ... wow, I've never seen one of ... where is the ... OK, do you have another phone?"

    They always look so hopeful when asking that question, and so crushed when they realise that they're out of options.

    So sad.

  • (Score: 0) by Anonymous Coward on Thursday May 26 2022, @03:55PM

    by Anonymous Coward on Thursday May 26 2022, @03:55PM (#1248038)

    https://www.washingtonpost.com/transportation/2022/05/25/maryland-digital-drivers-licenses/ [washingtonpost.com]

    It looks like here that it is a picture you take of your license (don't know how it is validated by the state) and it is stored in a TSA approved manner in at least the Apple Wallet (which I hope is more secure than a 4-digit PIN). I only skimmed the article at this point, so I might have missed some details.

  • (Score: 0) by Anonymous Coward on Thursday May 26 2022, @05:34PM

    by Anonymous Coward on Thursday May 26 2022, @05:34PM (#1248090)

    Why not implement PKI cards?
