At the end of 2019, the government of New South Wales (NSW) in Australia launched a digital driver's license. The new license allows people to use their iPhone or Android devices to display identification and proof of age during roadside police checks or in bars, stores, hotels and other places. According to the commitment made by ServiceNSW, as the government service is called, the digital version would provide additional security and protection against identity fraud compared with the plastic driver's license that citizens have used for decades.
Now, after a 30-month review, security researchers point out that almost anyone can use a digital driver's license (DDL) to forge a false identity. The technology allows people under drinking age to change their date of birth and allows fraudsters to fake identities. The process takes less than an hour and does not require any special hardware or expensive software. In addition, it produces fake IDs that pass the checks of the electronic verification system used by the police and participating venues.
Noah Farmer, a researcher who found these defects, wrote in an article published last week: "Clearly, we do believe that if the digital driver's license is improved by implementing a safer design, the above statement made on behalf of ServiceNSW is indeed true, and we will agree that the digital driver's license will provide an additional level of security against fraud compared with the plastic driver's license."
He continued: "When unsuspecting victims scan the fraudster's QR code, everything will check out. Victims will not know that the fraudster combined their own identity photo with the details of someone's stolen driver's license." However, in the past 30 months, the DDL has made it possible for "malicious users to generate [a] fraudulent digital driver's license with minimal effort on jailbroken and non-jailbroken devices without modifying or repackaging the mobile app itself."
It is reported that the DDL needs an iOS or Android app to display each person's credentials. The same application allows police and venues to verify whether credentials are authentic. The features in the application that confirm the ID is real and current include:
Simulated NSW government logo;
Display the date and time of the last refresh;
A QR code that expires and reloads;
A hologram that moves when the phone tilts;
A watermark matching the license photo;
Address without scrolling.
The technique for overcoming these safeguards is surprisingly simple. The key is to brute-force the PIN that protects the encrypted data. Because it has only four digits, there are only 10,000 possible combinations. Using a public script and a commodity computer, one can learn the right combination in a few minutes.
Once the fraudster obtains someone's encrypted DDL license data, whether with permission, by stealing a copy stored in an iPhone backup, or through remote compromise, brute force gives them the ability to read and modify any data stored in the file.
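To put the four-digit keyspace in perspective, the following added example (not from the article or the researcher's report) measures the cost of one key derivation and estimates how long an exhaustive search would take for different secret lengths. The KDF (PBKDF2-HMAC-SHA256) and the iteration count are assumptions; the article does not say how the app derives its key.

```python
import hashlib
import math
import os
import time

# Assumed for illustration: the article does not name the app's KDF or its cost.
KDF_ITERATIONS = 100_000

def keyspace(symbols: int, length: int) -> int:
    """Number of candidate secrets of a given length over an alphabet."""
    return symbols ** length

def measure_guess_seconds(iterations: int = KDF_ITERATIONS, samples: int = 3) -> float:
    """Time one PBKDF2 derivation on this machine (best of N samples)."""
    salt = os.urandom(16)
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"0000", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def worst_case_seconds(symbols: int, length: int, guess_seconds: float, workers: int = 1) -> float:
    """Time to try every candidate at a fixed per-guess cost."""
    return keyspace(symbols, length) * guess_seconds / workers

def min_length_for(target_seconds: float, symbols: int, guess_seconds: float, workers: int = 1) -> int:
    """Shortest secret whose full search takes at least target_seconds."""
    length = 1
    while worst_case_seconds(symbols, length, guess_seconds, workers) < target_seconds:
        length += 1
    return length

def report() -> list[str]:
    per_guess = measure_guess_seconds()
    year = 365 * 24 * 3600
    lines = [f"one derivation at {KDF_ITERATIONS} iterations: {per_guess * 1000:.1f} ms"]
    # Constructed comparison cases: the article's 4-digit PIN against longer secrets.
    for label, symbols, length in [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                                   ("12-char [a-z0-9] passphrase", 36, 12)]:
        secs = worst_case_seconds(symbols, length, per_guess)
        lines.append(f"{label}: {keyspace(symbols, length):,} candidates, {secs / 60:,.1f} min worst case")
    digits = min_length_for(100 * year, 10, per_guess, workers=1000)
    lines.append(f"digits needed to hold 100 years against 1000 workers: {digits}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Even at a deliberately slow 50 ms per derivation, 10,000 candidates are exhausted in under ten minutes, so a stronger KDF alone cannot compensate for a four-digit secret.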
The precise steps on iPhone are as follows:
Use iTunes backup to copy and store the contents of the iPhone holding the credentials that the fraudster wants to modify;
Extract the encrypted file from the backup stored on the computer;
Use brute-force software to decrypt the file;
Open the file in a text editor and modify the date of birth, address or other data they want to forge;
Re-encrypt the file;
Copy the re-encrypted file to the backup folder;
Restore the backup to the iPhone.
In this way, the ServiceNSW application will display the fake ID card and present it as genuine.