Latest ServiceNSW’s Digital Drivers Licence Security appears to be Super Bad

Noah Farmer

Jun 28, 2023



In November 2019, the New South Wales government (ServiceNSW) introduced the digital drivers licence or “DDL” for short, as a means to make it easy for people to access a digital version of their driver licence.

When ServiceNSW launched the Digital Driver Licence, multiple security researchers publicly reported a number of security issues, including but not limited to the ability to manipulate Digital Licence data and create fraudulent digital identities.

As far as we can see, there appears to be no formal public response from ServiceNSW regarding the acknowledgement or remediation of such issues.

As of February 2022, according to the Minister for Customer Service there have been 3.9 million people who have opted-in for the Digital Driver Licence.

To put this into perspective, we can assume around 70% of people in NSW use and trust the digital driver's licence as a means of identification and verification in their day to day lives.

During Dvuln’s analysis of the ServiceNSW mobile application (iOS), we discovered that, due to several secure design flaws, it is still possible for malicious users to generate fraudulent Digital Driver's Licences with minimal effort on both jailbroken and non-jailbroken devices, without needing to modify or repackage the mobile application itself.

This blog describes what we believe to be secure design flaws that enable the ServiceNSW application to be misused by attackers and subsequently how we recommend for the security design to be improved.

History of Security Issues

Upon its initial trial launch, the security of the Digital Driver Licence was, to no one's surprise, scrutinised by the public, and multiple issues and security recommendations were called out.

One example is the researcher known as @yaakov_h, who presented his findings at PyCon AU 2019 in a talk named “New Phone, Who Dis?: Human Authentication in the Digital Age”. In this talk, @yaakov_h asked whether digitising the process of identification actually improves identity verification.

During his talk, @yaakov_h demonstrated that he was able to modify Digital Driver Licence details locally on the mobile device in order to show false information all whilst still retaining the expected security features such as the hologram.

Although in his talk @yaakov_h mentioned that he had reported this to ServiceNSW, there appeared to be no future public updates on this matter from ServiceNSW so it is unclear if this bug was considered an accepted risk or if remediation was ever attempted by ServiceNSW.

Fast forward to 2022, and there are a number of rumours going around regarding underage people using fake digital licences.

As seen below, a Twitter user claimed to personally know of 10 kids who regularly use fake digital licences because they are easy to make.

We cannot confirm whether or not they were exploiting the poor security design or simply using a static photoshopped image, although due to the ease of exploitation, it is entirely possible that these kids were using the same method detailed in this blog.

Security Claims

ServiceNSW has also publicly referenced the security of the Digital Driver Licence including but not limited to the following examples:

  1. According to a press release from the New South Wales government, the Digital Driver Licence implementation is “hosted securely on the new Service NSW app, locks with a PIN and can be accessed offline”, and “will provide additional levels of security and protection against identity fraud, compared to the plastic driver licence”. - https://www.nsw.gov.au/media-releases/nsw-digital-drivers-licence-rolled-out-statewide

  2. Designed with a focus on 3 priorities; Security, privacy and a great customer experience.

  3. Partnerships with cyber security and identity theft experts which have resulted in comprehensive security measures to protect your information and identity at all times.

We do not believe any of ServiceNSW’s security claims to be untrue. However, given the context of the application, we would expect far more detailed and documented security measures to exist.

The only statement we disagree with is the comparison made between the Digital Driver's Licence and the traditional plastic driver licence, specifically the following:

It will provide additional levels of security and protection against identity fraud, compared to the plastic driver licence

Reference: https://www.nsw.gov.au/media-releases/nsw-digital-drivers-licence-rolled-out-statewide#:~:text=%E2%80%9CThe%20DDL%20is%20hosted%20securely,licence%2C%E2%80%9D%20Mr%20Dominello%20said

Given the Digital Driver Licence’s current state of security, we believe it would be far more difficult for an average fraudster to obtain the equipment necessary to produce high quality plastic NSW drivers licences.

A fraudster would need to source and obtain hardware such as but not limited to:

  • a card printer

  • NSW holographic security foil

  • and other security features developed uniquely for the NSW identification cards such as the middle green layer

all of which are not commercially or legally available outside of the printing hardware.

To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic drivers licence.

Modifying NSW Digital Drivers Licences

At its core, this attack was possible due to the overall design of the Digital Driver Licence application & architecture.

After combining several secure design flaws, this presented a favourable scenario that could be exploited by any would-be attacker or fraudster.

One of the challenges with digital forms of identification is that, without proper implementation and safeguarding against forgery, storing “trusted” information on client-side devices allows malicious actors to modify that information within a trusted context, as is the case with the Service NSW application.

During our research into the storage methods used by the ServiceNSW (iOS) application, Dvuln was able to identify a number of insecure development practices, which allowed for the modification of digital driver licences.

This could be achieved by an attacker whilst retaining all of the verification features offered by the application, including the pull-to-refresh feature, QR code scanning, hologram, and others.

To understand how we were able to modify our own Digital Driver's Licence we’ve detailed the individual contributing factors or design flaws that make this attack possible below.

DDL-DV01 Licence Data Lacks Secure Encryption

The first issue is due to a lack of secure encryption.

On iOS, the Digital Driver Licence data is stored in a JSON file located at:

[app installation path]/Library/Application\ Support/com.rta.myRTA/RCTAsyncLocalStorage_V1/00d9be62e5e8706acc655eb09f58e4e2

This file is encrypted with AES-256-CBC and then Base64 encoded.

A 4-digit application PIN (set during onboarding when a user first installs the application) is the encryption password used to protect the licence data.

The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations. For a practical demonstration of this, please see the below video.

During our testing this brute-forcing process only took minutes to decrypt the Digital Licence Data which could then be edited, re-encrypted and used to change the Digital Driver Licence details on the mobile device.

DDL-DV02 Lack of client-side validation

The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority which is the Service NSW API/database.

This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warn users when this data has been modified.

As the Digital Licence is stored on the client's device, validation should take place to ensure the local copy of the data actually matches the Digital Driver's Licence data that was originally downloaded from the Service NSW API.

As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.

DDL-DV03 Failure to Refresh Licence Once Edited

One of the key “verification features” of the digital licence is the pull-to-refresh functionality, which is used to ensure you are viewing the most current licence information.

During Dvuln’s analysis, we noticed that refreshing the application only updates the QR code displayed on the licence, meaning that if a fraudster had modified their licence details and photo using the methods described in this blog, this fraudulent data would remain on the screen even after the QR code, date and time had been refreshed and updated.

Refreshing is one of the main ways the NSW Digital Driver Licence is used (as referenced in the Road Transport and Other Legislation Amendment (Digital Driver Licences and Photo Cards) Act 2018 No 21).

Reference: https://legislation.nsw.gov.au/view/html/inforce/current/act-2018-021#sch.1

We believe this to be a serious secure design flaw, and should be remediated by ensuring the “refresh” functionality within the Service NSW application downloads a new copy of the Digital Driver Licence from the issuing authority.

DDL-DV04 QR Code API Only Transmits Name and Under 18 Status

Each Service NSW Digital Driver's Licence includes a QR Code that can be scanned by other users using their Service NSW application.

In a typical scenario, user A shows their QR code to user B, when user B scans the QR code, user B’s ServiceNSW application will make a request in order to validate user A using the following endpoint:

https://api.g.service.nsw.gov.au/v1/dlp/licences/qrcode

At first glance this appears to be a safe verification mechanism. However, after looking at the API response, you will notice that the only data returned by the API is the Licence Holder name and their age or “under18” status of user A as seen below:

This creates yet another opportunity for misuse, as fraudsters can obtain stolen drivers licence details either digitally or physically, and then replace the base64 image data locally on their own phone.

When an unsuspecting victim scans the fraudster's QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone's stolen Driver's Licence details.

We believe this again displays a lack of secure design principles.

If the design was implemented in a more secure way, such as the https://api.g.service.nsw.gov.au/v1/dlp/licences/qrcode API also returning the legitimate image data, any potential victim could then see that the attacker had fraudulently generated their Digital Driver's Licence, as the face returned by the API (the victim's photo) would not match the face displayed on the fraudster's phone (the fraudster's photo).

DDL-DV05 Application Data is Backed Up and is Able to be Restored

It is fair to say that when a phone is jailbroken, any security features an application may have are almost useless as an attacker has complete root control of the device.

This means that as long as a phone is not jailbroken, certain apps can reasonably secure their users against misuse and various types of client-side vulnerabilities.

Unfortunately, due to a lack of secure design principles, some applications introduce high-risk functionality that provides favourable conditions to attackers and can be exploited even when a device is not jailbroken, purely because of the app's own design.

In the case of the ServiceNSW application, it was observed that Digital Driver Licence data is included in device back-ups, which means that attackers or anyone wanting to commit fraud can modify their licence details without needing to jailbreak their device.

What makes matters worse is that the Digital Driver Licence data contained in the back-up data is only protected by the 4-digit PIN as observed in the previous issue.

Do you use the Service NSW application, and have you ever backed up your iPhone to your computer? If so, there’s a good chance that your private licence data (such as your name, signature, licence number, address, etc.) is sitting in a backup file on your computer right now, protected only by the weak encryption built into the Service NSW application.

From a fraudster's perspective, the Digital Licence data is updated by manually editing the device backup; the forged Digital Licence data is then pushed back to the device through a device restore, as seen below.

Regardless of whether the data is encrypted or not, this data should not be backed up under any circumstance according to secure mobile development guidelines such as OWASP Mobile Application Security Verification Standard (MASVS).

What is the impact?

As the Road Transport and Other Legislation Amendment (Digital Driver Licences and Photo Cards) Act 2018 clearly defines a Digital Driver Licence as a legal and acceptable alternative for a physical drivers licence, security regarding the Service NSW application must be kept to a very high standard.

With this overall lack of secure design, licence features such as QR code scanning, the animated NSW Government logo, last refreshed time (and swipe-to-refresh), animated Waratah hologram, licence photo watermark, horizontal view, and others appear exactly as if the licence was genuine, creating a false sense of trust.

Specifically regarding the QR code scanning feature, the fact that only the name of the licence holder and their under 18 status are utilised means that as long as the name of the original licence holder is not changed, the QR code will remain valid no matter what details are changed, including the photo.

For example, an attacker could steal the licence details of John Doe, change the licence photo and signature to their own, and successfully use the modified licence, whilst retaining the QR code feature, as can be seen below.

As can be seen from the above video, these security design flaws impact trust when using the Service NSW digital licence for identification, as there is no native method within the application to inform users that the licence is not genuine during the attack illustrated in this blog.

In the real world, this lack of secure design might allow for a wide range of misuses to take place. For example:

  • Underage patrons could use these secure design flaws to enter 18+ venues

  • Minors could use these secure design flaws to purchase and consume alcoholic beverages

  • Fraudsters could use these secure design flaws to commit identity fraud which could involve the following impacts for anyone who has had their Driver Licence Details stolen:

    • Having debt accrued against your name

    • Being denied loans, mortgages, and employment due to prior identity misuse

    • Having your credit score impacted due to fraud

    • Having to spend months or years to try to resolve financial errors and problems

  • Medical identity theft, which might also involve:

    • Difficulty obtaining prescription medicine due to a fraudster obtaining prescriptions using a fraudulent Digital Driver's Licence with your details

Hardening the Digital Drivers License

As described in this blog, this attack succeeds only because multiple secure design flaws can be combined.

Below are our recommendations to improve security design of the Service NSW application. These may also be useful for anyone designing or developing alternative Digital Driver Licence or Digital Identity applications.

DDL-DV01 Licence Data Lacks Secure Encryption

Although the Digital Licence is encrypted on the client side with AES-256-CBC and Base64 encoded, the encryption password is the 4-digit application PIN.

As this decryption password will only ever be 4 digits, the decryption password can only ever be 1 out of 10,000 possible PIN combinations. This makes it trivially easy to brute-force and obtain sensitive personal data.

The encryption for the Digital Driver Licence file needs to be changed in order to reflect the sensitivity of the data contained within, by use of a longer and more complex encryption key, potentially one randomly generated and stored on the device’s secure keychain.

Apple provides a function named SecRandomCopyBytes that generates cryptographically secure random bytes. If a key produced this way were used to encrypt the Digital Driver's Licence rather than the 4-digit PIN, brute-forcing would become much harder, if not completely infeasible, for attackers.

Reference: https://developer.apple.com/documentation/security/1399291-secrandomcopybytes
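The following is an added illustration of the recommendation above, written for this post and not taken from the Service NSW app: a 256-bit key from SecRandomCopyBytes is kept in the Keychain (device-only, so it never travels in a backup) and the licence JSON is sealed with AES-GCM, whose authentication tag makes any edit to the stored file fail on open. The Keychain account label and the `LicenceCrypto` type are assumptions; the 4-digit PIN can still gate the UI, it just no longer acts as the key.

```swift
import Foundation
import Security
import CryptoKit

/// Hypothetical replacement for PIN-as-password encryption (not the app's own code).
enum LicenceCrypto {
    static let account = "ddl-licence-key"   // assumed Keychain label, not from the app
    enum Failure: Error { case random(OSStatus), keychain(OSStatus), badBlob }

    /// 32 random bytes: 2^256 candidates instead of the 10,000 a 4-digit PIN allows.
    static func makeKey() throws -> SymmetricKey {
        var bytes = [UInt8](repeating: 0, count: 32)
        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        guard status == errSecSuccess else { throw Failure.random(status) }
        return SymmetricKey(data: bytes)
    }

    /// Stores the key as a generic-password item. ThisDeviceOnly keeps it out of backups
    /// entirely, so a restored backup cannot carry the key alongside the encrypted file.
    static func storeKey(_ key: SymmetricKey) throws {
        let base: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                   kSecAttrAccount as String: account]
        _ = SecItemDelete(base as CFDictionary)        // replace any previous key
        var add = base
        add[kSecValueData as String] = key.withUnsafeBytes { Data($0) }
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else { throw Failure.keychain(status) }
    }

    static func loadKey() throws -> SymmetricKey {
        var query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                    kSecAttrAccount as String: account]
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else { throw Failure.keychain(status) }
        return SymmetricKey(data: data)
    }

    /// Output is nonce || ciphertext || tag; the tag covers every byte of the licence JSON.
    static func seal(_ licenceJSON: Data, with key: SymmetricKey) throws -> Data {
        guard let blob = try AES.GCM.seal(licenceJSON, using: key).combined else { throw Failure.badBlob }
        return blob
    }

    /// Throws instead of returning data if the blob was edited or re-encrypted under another
    /// key, so the app never silently renders a modified licence.
    static func open(_ blob: Data, with key: SymmetricKey) throws -> Data {
        return try AES.GCM.open(try AES.GCM.SealedBox(combined: blob), using: key)
    }
}
```

This raises the bar on non-jailbroken devices and against backup editing; on a jailbroken device the key can still be read from the Keychain, which is why the server-side validation in the next sections is still needed.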

DDL-DV02 Lack of client-side validation

As the Digital Licence is stored on the client’s device, we believe validation should take place to ensure the local copy of the data does not differ from the original information held in the issuing authority's backend database, in this case Service NSW.

We understand that there is a fine line between user-experience and security, and that offline usage of the Digital Driver's Licence is a much required feature, in which case we recommend validation be attempted during certain activities such as opening the application and/or refreshing the licence.

Technically speaking this would mean performing a comparison of data returned by the /v1/dlp/roads/licences API endpoint with the local licence data that exists on the device.

If such validation fails (e.g. the base64 licence holder image does not match the base64 image returned from the API endpoint), a forced refresh of licence data should occur, wiping the modified or malformed data from the device.

Note: To point out once more, the best approach would be to perform server-side validation, as client-side validation can in most cases be circumvented by attackers provided they have enough access. Where that is not practical, balancing security and usability as described above is the next best thing.

As an additional measure, it may be of some benefit to ServiceNSW if JSON mismatches are recorded using client-side analytics such as datadog/firebase and reported back to Service NSW as a form of fraud detection.

DDL-DV03 Failure to Refresh Licence Once Edited

Once the Digital Driver Licence is edited on the device, refreshing the licence (dragging from the top of the screen) should refresh the details of the edited licence.

We recommend that the “refresh” functionality downloads a new copy of the Digital Driver Licence from the issuing authority and overwrites the local Digital Driver's Licence data that is currently stored on the device.
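A sketch of the validate-and-overwrite refresh recommended under DDL-DV02 and DDL-DV03, written for this post rather than taken from the Service NSW app. The JSON field names in the constructed sample, the `fetch`/`store` closures and the `refreshLicence` routine are all assumptions; the authenticated call to the licence endpoint itself is left to the caller.

```swift
import Foundation

/// Outcome of checking the on-device licence against the issuing authority's copy.
enum ValidationOutcome: Equatable {
    case verified
    case tampered(fields: [String])
    case unverified(reason: String)   // API unreachable: keep the cache, but do not call it verified
}

/// Returns the JSON keys whose values differ between the local file and the API response.
/// Compares the decoded JSON objects directly, so no field list has to be maintained.
func differingFields(local: [String: Any], authoritative: [String: Any]) -> [String] {
    let keys = Set(local.keys).union(authoritative.keys)
    return keys.filter { (local[$0] as? NSObject) != (authoritative[$0] as? NSObject) }.sorted()
}

/// Hypothetical refresh routine: `fetch` performs the call to the licence endpoint and
/// `store` overwrites the local file; both are injected so this runs without the network.
func refreshLicence(localJSON: Data?,
                    fetch: () throws -> Data,
                    store: (Data) throws -> Void,
                    reportMismatch: ([String]) -> Void) throws -> ValidationOutcome {
    let serverData: Data
    do { serverData = try fetch() } catch { return .unverified(reason: "\(error)") }
    guard let server = try JSONSerialization.jsonObject(with: serverData) as? [String: Any] else {
        return .unverified(reason: "unexpected API payload")
    }
    var outcome: ValidationOutcome = .verified
    if let localJSON = localJSON,
       let local = try JSONSerialization.jsonObject(with: localJSON) as? [String: Any] {
        let fields = differingFields(local: local, authoritative: server)
        if !fields.isEmpty {
            outcome = .tampered(fields: fields)
            reportMismatch(fields)   // DDL-DV02: surface the mismatch as a fraud-detection signal
        }
    }
    // DDL-DV03: a refresh always replaces the stored copy, so edited details cannot survive it.
    try store(serverData)
    return outcome
}

// Constructed sample (placeholder values): the local copy has a swapped photo,
// while the API copy is the genuine licence.
let genuine = #"{"licenceNumber":"00000000","name":"JOHN DOE","photo":"aGVsbG8="}"#
let edited  = #"{"licenceNumber":"00000000","name":"JOHN DOE","photo":"ZXZpbA=="}"#
var saved: Data?
let outcome = try refreshLicence(localJSON: Data(edited.utf8),
                                 fetch: { Data(genuine.utf8) },
                                 store: { saved = $0 },
                                 reportMismatch: { print("mismatch in \($0)") })
print(outcome, saved.map { String(decoding: $0, as: UTF8.self) } ?? "nothing saved")
```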

DDL-DV04 QR Code API Only Transmits Name and Under 18 Status

The API response received during the QR Code scanning functionality via the /v1/dlp/licences/qrcode endpoint, should include the photo of the licence holder from the issuing authority and render this on the device which has performed the scanning to allow users to visually detect cases in which people are using modified photos.

DDL-DV05 Application Data is Backed Up and is Able to be Restored

To avoid backing up sensitive Digital Driver's Licence data, you can indicate which files and directories the system can exclude by setting certain file system properties.

Although all the files in Documents/ and Library/Application Support/ are always backed up by default, it is possible to exclude files from the backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.

Reference: https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/
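An added Swift illustration of the backup-exclusion attribute described above, written for this post and not taken from the app; the `LicenceFile` helper and the file location are assumptions. It also covers the caveat a reviewer would raise: the attribute is stored with the file on disk, so it has to be reapplied whenever the file is recreated.

```swift
import Foundation

/// Hypothetical helpers around NSURLIsExcludedFromBackupKey (Swift spelling: isExcludedFromBackup).
enum LicenceFile {
    /// Flags the file so iCloud and Finder/iTunes backups skip it.
    static func excludeFromBackup(_ fileURL: URL) throws {
        var url = fileURL                       // setResourceValues is a mutating call
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        try url.setResourceValues(values)
    }

    /// Reads the flag back; a startup self-check can refuse to render if it is missing.
    static func isExcludedFromBackup(_ fileURL: URL) throws -> Bool {
        return try fileURL.resourceValues(forKeys: [.isExcludedFromBackupKey]).isExcludedFromBackup ?? false
    }

    /// Writes the licence blob and re-applies the flag every time: an atomic write
    /// replaces the file with a new one, and the new file starts without the attribute.
    static func save(_ blob: Data, to fileURL: URL) throws {
        try blob.write(to: fileURL, options: [.atomic])
        try excludeFromBackup(fileURL)
    }
}
```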
