“Tough to Forge” Digital Driver’s License Is... Easy to Forge
upstart writes:
A litany of security flaws allows forgeries that are easy, quick, and cheap:
In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.
Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. [...]
DDLs require the use of an iOS or Android app to display the personal credentials. Built-in security features include a dynamic QR code, holograms, and watermarks. The data used to generate these things are stored encrypted on the smart device. But there's one little problem:
The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it's only four digits long, there are only 10,000 possible combinations. [...]
From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device.
With that, the ServiceNSW app will display the fake ID and present it as genuine.
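The keyspace argument above, worked through from the defender's side as an added example (not code from the article or from the ServiceNSW app). It assumes the PIN is stretched with PBKDF2-HMAC-SHA256, which the article does not state; the 0.5-second unlock budget and one-year target are likewise illustrative assumptions.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of candidate secrets, e.g. 10 digits ** 4 positions."""
    return alphabet_size ** length


def measure_kdf_seconds(iterations, samples=3):
    """Best-of-N wall time for one PBKDF2 derivation on this machine.
    PBKDF2 is an assumed KDF; the article does not name the one in use."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"0000", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def worst_case_seconds(alphabet_size, length, seconds_per_guess, workers=1):
    """Time to try every candidate offline, once the encrypted file is copied."""
    return keyspace(alphabet_size, length) * seconds_per_guess / workers


def unlock_delay_needed(alphabet_size, length, target_seconds):
    """Per-unlock KDF delay required for exhaustion to take target_seconds."""
    return target_seconds / keyspace(alphabet_size, length)


def min_length(alphabet_size, seconds_per_guess, target_seconds):
    """Shortest secret whose full search takes at least target_seconds."""
    needed = target_seconds / seconds_per_guess
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    cost = measure_kdf_seconds(200_000)  # illustrative iteration count
    print(f"one derivation: {cost:.3f}s")
    print(f"4-digit PIN exhausted in {worst_case_seconds(10, 4, cost) / 60:.1f} min")
    delay = unlock_delay_needed(10, 4, SECONDS_PER_YEAR)
    print(f"delay per unlock for a 1-year search: {delay / 60:.0f} min")
    print(f"digits needed at 0.5s/guess: {min_length(10, 0.5, SECONDS_PER_YEAR)}")
```

Key stretching alone cannot rescue a 10,000-entry keyspace: making the search last a year would need roughly 53 minutes per legitimate unlock, so the credential key has to depend on something other than the PIN, such as a hardware-backed keystore or server-side validation.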