SoylentNews is people
SoylentNews
A litany of security flaws allows forgeries that are easy, quick, and cheap:
In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.
Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. [...]
DDLs require the use of an iOS or Android app to display the personal credentials. Security features that are built-in include things like a dynamic QR code and holograms and watermarks. The data used to generate these things are stored encrypted on the smart device. But there's one little problem:
The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it's only four digits long, there are only 10,000 possible combinations. [...]
From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device.
With that, the ServiceNSW app will display the fake ID and present it as genuine.
A variety of design flaws make this simple hack possible.
The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. [...]
The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what's stored on the iPhone matches records maintained by the government department. [...]
The third shortcoming is that using the "pull-to-refresh" function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. [...]
Fourth, the QR code transmits only the DDL holder's name and status as either over or under the age of 18. [...]
The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. [...]
This video shows how easy it is to decrypt the data stored on the phone.
We seem to be inexorably marching towards a future requiring everyone to carry smartphone-like devices around all the time (with software written by the lowest bidder?).
(Score: 0) by Anonymous Coward on Thursday May 26 2022, @03:55PM
https://www.washingtonpost.com/transportation/2022/05/25/maryland-digital-drivers-licenses/ [washingtonpost.com]
It looks like here that it is a picture you take of your license (don't know how it is validated by the state) and it is stored in a TSA approved manner in at least the Apple Wallet (which I hope is more secure than a 4-digit PIN). I only skimmed the article at this point, so I might have missed some details.