ServiceNSW won’t say if it is actively working to fix flaws in the New South Wales Digital Drivers Licence exposed by security experts this week and which allow false names and photos to be displayed in the popular app.
Security experts at Sydney app development company Dvuln on Tuesday demonstrated several flaws in the popular digital licence, now used by about 4 million people – more than half the state’s drivers. The company warned the flaws undermine trust in the system by creating the risk of identity fraud and fake licences being used by minors.
The exploits are a result of what the experts called “several secure design flaws” that allow hackers to brute force licence pins, access digital licence data, edit and re-encrypt it to display a different licence photo and details.
A ServiceNSW spokesperson said exploits are “known” but insisted it does not pose a risk to customer information.
“The blogger has manipulated their own Digital Driver Licence (DDL) information on their local device,” the spokesperson told InnovationAus.com. “No other customer data or data source has been compromised.
“It also does not pose any risk in regard to unauthorised access or changes to backend systems such as Drives [one of the central systems for motor vehicle registration and driver licensing in NSW].”
The spokesperson added that a police check of a licence tampered with in this way would identify the false information because the police scanner would reference the backend Drives system’s correct personal information.
According to the security experts at Dvuln, however, the problems they uncovered still open potential for identity fraud and for underage people to access 18+ venues and purchase alcohol using the manipulated digital licences.
Pressed on whether the issues identified by Dvuln are being addressed, ServiceNSW would not confirm or deny they are working on the specific flaws.
“The security of all digital products and services are under constant review and are regularly updated,” the spokesperson said. “This issue is known and does not pose a risk to customer information.”
Dvuln’s blog post details each flaw and includes individual recommendations for “hardening” the Digital Drivers Licence against them.
This includes more complex encryption keys, server-side validation with more secure alternatives for offline use, adding more licence details in refreshes, including the licence photo in returns for a QR code scan, and excluding sensitive files from local backups.
The office of New South Wales Minister for Customer Service and Digital Government Victor Dominello declined to comment on the issue, referring the inquiry to the ServiceNSW response.
Do you know more? Contact James Riley via Email.