Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.

“Tough to Forge” Digital Driver’s License Is... Easy to Forge

posted by hubie on Thursday May 26 2022, @03:36AM   Printer-friendly
from the 13.3-bit-encryption-key dept.

upstart writes:

A litany of security flaws allows forgeries that are easy, quick, and cheap:

In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.

Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. [...]

DDLs require the use of an iOS or Android app to display the personal credentials. Security features that are built-in include things like a dynamic QR code and holograms and watermarks. The data used to generate these things are stored encrypted on the smart device. But there's one little problem:

The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it's only four digits long, there are only 10,000 possible combinations. [...]

From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device.

With that, the ServiceNSW app will display the fake ID and present it as genuine.

A variety of design flaws make this simple hack possible.

The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. [...]

The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what's stored on the iPhone matches records maintained by the government department. [...]

The third shortcoming is that using the "pull-to-refresh" function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. [...]

Fourth, the QR code transmits only the DDL holder's name and status as either over or under the age of 18. [...]

The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. [...]

This video shows how easy it is to decrypt the data stored on the phone.

We seem to be inexorably marching towards a future requiring everyone to carry smartphone-like devices around all the time (with software written by the lowest bidder?).

Original Submission

 
This discussion has been archived. No new comments can be posted.
“Tough to Forge” Digital Driver’s License Is... Easy to Forge | Log In/Create an Account | Top | 16 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by maxwell demon on Thursday May 26 2022, @05:15AM (4 children)

    by maxwell demon (1608) on Thursday May 26 2022, @05:15AM (#1247927) Journal

    DDLs require the use of an iOS or Android app to display the personal credentials. Security features that are built-in include things like a dynamic QR code and holograms and watermarks.

    How can an app contain a hologram? Holograms are physical objects, after all. Or is there a second meaning of “hologram” I'm not aware of (similar to watermarks, that are originally a physical feature of paper, but these days may also refer to some identifying information hidden in a file)?

    --
    The Tao of math: The numbers you can count are not the real numbers.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2, Interesting) by Anonymous Coward on Thursday May 26 2022, @05:22AM (2 children)

    by Anonymous Coward on Thursday May 26 2022, @05:22AM (#1247928)

    From what I took from the article, it isn’t a hologram, but a "hologram." Just like how traditional holograms implanted on licenses change color as you change your view angle, these mimic the behavior by changing color as you tilt the smartphone.

    • (Score: 2, Funny) by Ironrose on Thursday May 26 2022, @05:57AM (1 child)

      by Ironrose (17236) on Thursday May 26 2022, @05:57AM (#1247930) Journal

      I am now licensed to drive vehicles of less than 45,000 kilos, all over Australia, except in 'Roo zones, or Mad Max territory. Furiosa qualification is pending.

      • (Score: 2, Funny) by Anonymous Coward on Thursday May 26 2022, @07:24AM

        by Anonymous Coward on Thursday May 26 2022, @07:24AM (#1247948)

        I am now licensed to drive vehicles of less than 45,000 kilos, all over Australia, except in 'Roo zones, or Mad Max territory.

        So many words to say you don't hold a license to drive in any place in Australia.

  • (Score: 2) by tangomargarine on Thursday May 26 2022, @02:30PM

    by tangomargarine (667) on Thursday May 26 2022, @02:30PM (#1248006)

    And non-digital watermarks usually involve holding up the bill or whatever to light to see what shows through.

    "Sir, I'm sorry, but I can't see through your phone. No watermark--this must be a forgery."

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"