Monday, June 27, 2022

Ridiculously Insecure Digital Driver’s License

 Sometimes the news shared on the podcast Security Now is baffling. Take, for example, driver's licenses. Driver's licenses aren't usually considered insecure, but Australia has effectively made it so with the New South Whales Digital Driver's License ("DDL"). This story has extended to the most recent SN podcasts 873 and 874.

The first episode has Steve explaining what the DDL is and how poorly it is secured. Released in 2019, the DDL is currently being used by approximately 70% of the population, which means 3.9 million people have opted into using it.

The New South Wales government has touted the DDL as "difficult to counterfeit," but that is far from the truth. A hacking group called DVULN, known for pen testing and secure application development, revealed many security issues with the DDL.

DVULN found that DDL data can be manipulated and used to create fraudulent digital identities. In other words, if bad actors were interested in altering data, they could potentially do it straight from the NSW government's iOS app! One of the testers went so far as to prove that this is a problem publicly.

But how do we know the information on DDLs is already being altered? reported, "Farmer observed that social media users reported that a number of underage people were using fake DDLs that are easy to make to visit drinking establishments in the state."

There wasn't a formal response from the New South Wales government when Steve first brought the situation to Security Now fans, but by episode 874, there was a response that Steve found to be lacking.

The NSW rebuttal states that this issue is not a risk, that no other customer data or data source has been compromised, and that the licenses are hard to forge. And, by the way, altering a DDL is against the law.

In both episodes, Steve gives us the rundown as to why the security systems for DDLs that are in place are not enough and, even more importantly, that real-world physical driver's license counterfeiting is far more challenging to accomplish.

An exasperated Steve says, "Apparently now we believe digital, over 'real world,' 'old school' physical."

Check out both of these and future episodes of Security Now