The researcher hacked the electronic driver’s license system


The State of New South Wales in Australia launched its Australian Digital Driver’s License (DDL) program in 2019. In 2021, more than half of the state’s population used the Service NSW app, which displays DDL and offers access to many public services.

Dvuln security researcher Noah Farmer was able to get into the application using a Python script. The expert discovered numerous security vulnerabilities that made it easier to change DDL.

5 separate flaws were found in the NSW DDL application. The combination of flaws “presented a favorable scenario for the attacker,” Farmer said.

  • The PIN code of the application is also the decryption key of the license, which is stored in a JSON file. With the help of a Python script , Farmer was able to hack the application in a few minutes .
  • The application does not verify the identity data with the state government records;
  • NSW DDL does not update license data;
  • The QR code contains a minimum of information. According to Farmer, the QR code can also be changed;
  • The application saves the DDL data to a backup copy of the device,

“This means that an attacker can change his DDL data even without jailbreaking his device”Farmer said.

According to Farmer, all the security features of the app:

  • animated NSW government logo;
  • update frequency;
  • QR code;
  • moving hologram;
  • watermark,

are saved when making changes to DDL and “create a false sense of security”.

According to Farmer, one of the ways to strengthen protection is to use the SecRandomCopyBytes function built into iOS for encryption by generating random numbers. Also, adding code will not allow the application to back up sensitive data.

According to the government agency Service NSW, which manages the application, the detected flaws do not pose a threat to users or the integrity of DDL.

“This problem is known and does not pose a risk to customer information. Noah himself changed the DDL information on his device. If the fake license is scanned by the police, the check will show the correct personal information. After scanning the license, the police will realize that the DDL was forged”, – said the representative of the application.

Start a discussion …