Unveiling Vulnerabilities in the NSW Digital Driver Licence

Jamieson O'Reilly

Nov 7, 2024

Overview

The New South Wales government launched the Digital Driver Licence (DDL) in November 2019, making it convenient for residents to access a digital version of their driver licence. By February 2022, over 3.9 million people had opted into the program, representing approximately 70% of eligible users in NSW. The DDL quickly became a cornerstone of identification and verification in daily life, underscoring its importance to public trust and security.

Despite years of penetration testing and bug bounty initiatives, Dvuln’s independent assessment uncovered several critical vulnerabilities, demonstrating that malicious users could manipulate the DDL without jailbreaking or repackaging the application.

Objective

Dvuln sought to provide a comprehensive analysis of the ServiceNSW mobile application (iOS), identifying design flaws and security weaknesses that could enable fraudulent activities. Our goal was to deliver actionable recommendations to strengthen the application’s security.

Approach

To address the task at hand, Dvuln employed an advanced methodology focused on real-world attack scenarios. Our team simulated the techniques used by adversaries to test the robustness of the application against sophisticated threats. By leveraging cutting-edge tools and expertise, we went beyond conventional testing practices to uncover hidden vulnerabilities.

Key Findings

Dvuln’s analysis revealed critical weaknesses that could undermine the reliability of the DDL as a secure form of identification:

  1. Fraudulent Licence Generation

    • Attackers could manipulate the DDL to create counterfeit licences, retaining key verification features such as QR codes and holograms.

  2. Weak Data Protection

    • Sensitive licence data lacked adequate safeguards, increasing the risk of unauthorised access and misuse.

  3. Inadequate Validation

    • The system relied heavily on client-side data without robust backend checks, enabling modifications to go undetected.

Strategic Impact

Our findings demonstrated the potential for these vulnerabilities to facilitate identity theft, fraudulent transactions, and other malicious activities. Addressing these issues was crucial to maintaining user trust and ensuring the DDL remained a reliable form of identification.

Outcome

Dvuln’s recommendations enabled ServiceNSW to:

  • Strengthen data encryption and protection measures.

  • Implement rigorous validation processes to ensure the authenticity of DDL data.

  • Enhance system architecture to address weaknesses and improve resilience.
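
Finding 3 and the validation recommendation above, shown as an added example that is not Dvuln's or ServiceNSW's code: a check that trusts device-held fields, beside one where the backend recomputes a MAC over them. The record layout, field names, key and HMAC-SHA256 scheme are assumptions; the page does not describe the DDL's actual design.

```python
import hashlib
import hmac
import json

# Constructed key for this example; an issuer key would exist only on the backend.
ISSUER_KEY = b"example-backend-key-not-real"
REQUIRED = {"licence_no", "name", "dob", "expiry"}  # hypothetical field names


def canonical(record: dict) -> bytes:
    """Serialise the licence fields deterministically so the MAC is stable."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue(record: dict) -> dict:
    """Backend side: bind the fields to a MAC only the backend can produce."""
    tag = hmac.new(ISSUER_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def client_only_check(presented: dict) -> bool:
    """Weak pattern: accepts whatever the device presents if the fields exist."""
    record = presented.get("record")
    return isinstance(record, dict) and REQUIRED <= record.keys()


def backend_check(presented: dict) -> bool:
    """Hardened pattern: the backend recomputes the MAC over the presented fields."""
    record, tag = presented.get("record"), presented.get("tag")
    if not isinstance(record, dict) or not isinstance(tag, str):
        return False
    if not REQUIRED <= record.keys():
        return False
    expected = hmac.new(ISSUER_KEY, canonical(record), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    return hmac.compare_digest(expected.encode(), tag.encode())


# Constructed sample data, not real licence details.
genuine = issue({"licence_no": "00000000", "name": "Sample Person",
                 "dob": "1990-01-01", "expiry": "2030-01-01"})
# Device-held copy whose fields no longer match what the backend issued.
altered = {"record": dict(genuine["record"], dob="2001-01-01"), "tag": genuine["tag"]}

if __name__ == "__main__":
    for label, item in (("genuine", genuine), ("altered", altered)):
        print(label, "client-only:", client_only_check(item),
              "backend:", backend_check(item))
```

The client-only check passes both records, while the backend check rejects the one whose fields differ from what was issued.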

Conclusion

This case study highlights the importance of ongoing security evaluations, even for systems subjected to prior testing. Dvuln’s expertise provided ServiceNSW with the insights needed to fortify the Digital Driver Licence against evolving threats, ensuring its continued reliability and safeguarding millions of users.
