Officials in New South Wales are discovering that digital driver licenses are not as airtight as promised—by a lot.
The U.S. is just beginning to experiment with digital driver’s licenses. In March, Arizona became the first state to offer digital driver’s licenses for limited use, partnering directly with Apple to develop the app. Utah also passed a bill allowing the licenses in March, despite public comments worrying that the licenses were the “mark of the beast” and proof that the New World Order was going to bring Communism to Utah.
New South Wales in Australia, however, started offering such licenses in late 2019. With all this exciting technology being developed, it may be a good idea to slow down and take a long look at how the last 30 months have gone with these supposedly super-secure app-based licenses.
Ars Technica has an in-depth look at what happened with New South Wales’ digital licenses, and it found that they’re laughably easy to hack, even by an unsophisticated, casual fraudster:
ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic [driver’s license]” citizens had used for decades.
Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver’s licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.
“To be clear, we do believe that if the Digital Driver’s Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver’s Licence would provide additional levels of security against fraud compared to the plastic driver’s licence,” Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.
All you need is an average, off-the-shelf PC and a widely available PIN-breaking script, and you’re in. Once a hacker has access to the inner workings of the DDL, they can change any data they want. An instructional video shows that the whole process takes less than a minute.
Researchers identified six major flaws in the government-approved app’s security, including a lack of adequate encryption and a failure to refresh the data. For context, we should point out that around four million Australians use this app every day as their preferred form of government identification.
At least the badly bungled program makes for fascinating reading. Check out Ars Technica’s full report on the debacle here.