The state of New South Wales in Australia launched its Australian Digital Driver’s License (DDL) program in 2019. In 2021, over half of the state’s population used the Service NSW app, which displays DDL and offers access to many government services.
Dvuln security researcher Noah Farmer was able to infiltrate the application using a Python script. The expert found numerous security vulnerabilities that made it easier to change the DDL.
There were 5 separate flaws found in the NSW DDL application. The combination of flaws “presented a favorable scenario for an attacker,” Farmer said.
The application PIN is also the license decryption key, which is stored in the JSON file. With the help of a Python script, Farmer was able to crack the .
The app doesn’t check ID data against state government records;
NSW DDL does not update license data;
The QR code contains a minimum of information. According to Farmer, the QR code can also be changed;
The application saves DDL data to the device backup,
“This means that an attacker can change their DDL data even without jailbreaking their device,” said Farmer.
persist when changes are made to the DDL and “create a false sense of security”.
Farmer says one way to increase security is to use iOS’s built-in SecRandomCopyBytes feature to encrypt by generating random numbers. Also, adding code will prevent the application from backing up sensitive data.
According to the government agency Service NSW, which manages the application, the flaws found do not pose a threat to users or the integrity of the DDL.
“This issue is known and does not pose a risk to customer information. Noah himself changed the DDL information on his device. If the fake license is scanned by the police, the check will reveal the correct personal information. After scanning the license, the police will realize that the DDL has been tampered with,” a spokesperson for the application said.