The next major drawback is that amazingly the DDL data is never validated against the backend database to ensure that what is stored on the iPhone matches the records maintained by the government department. Without a means to naturally validate data, there is no way to tell when information has been tampered with. As a result, attackers can display the forged data in the Service NSW application without any means of preventing or detecting the fraud.
The third shortcoming is that using the pull-to-refresh function—a cornerstone of the DDL validation scheme designed to ensure the most current information is displayed—fails to refresh any of the data stored in the eCertificate. Instead, it only updates the QR code. A better answer would be for the pull-to-refresh function to pull the latest copy of the DDL from the ServiceNSW database.
Fourth, the QR code only conveys the name and status of the DDL holder as over or under 18 years of age. The QR code is supposed to allow the ID verifier to scan it with their own ServiceNSW app to confirm that the data presented is authentic. To bypass verification, a fraudster only needs to obtain the driver’s license details from a stolen or otherwise obtained DDL and replace it locally on their phone.
“When an unsuspecting victim scans the fraudster’s QR code, everything will be verified and the victim will not know that the fraudster has combined their own photo ID with someone else’s stolen driver’s license details,” explained Farmer. If the system had returned the legitimate image data, the scanning party would have easily seen that the fraudster had forged the DDL, as the face returned by Service NSW would not match the face shown in the application.
The last flaw the researcher identified is that the app allows the data it stores to be backed up and restored at all. Although all files stored in the Documents and Library/Application Support/ folders are backed up by default, iOS allows developers to easily exclude specific files from backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.
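As an added illustration (not code from the Service NSW app or from the researcher), this is the backup exclusion described above written in Swift, using the Swift equivalents of the Objective-C API named in the text: it marks each file under a directory as excluded from backup and then reads the flag back from the file system to confirm it was persisted. The Application Support location in the usage comment is an assumption about where such an app would keep its stored certificate.

```swift
import Foundation

// Added example, not the app's own code. Swift form of the Objective-C call
// -[NSURL setResourceValue:forKey:error:] with NSURLIsExcludedFromBackupKey:
// URLResourceValues.isExcludedFromBackup set via URL.setResourceValues(_:).

enum BackupExclusionError: Error {
    case notApplied(URL)
}

/// Excludes one file from iCloud/iTunes backup and verifies the flag stuck.
/// Returns true only when the file system reports the key as set.
func excludeFromBackup(_ url: URL) throws -> Bool {
    var target = url                      // setResourceValues is a mutating call
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try target.setResourceValues(values)

    // Re-read from the file system rather than trusting the in-memory object.
    let check = try target.resourceValues(forKeys: [.isExcludedFromBackupKey])
    return check.isExcludedFromBackup == true
}

/// Applies the exclusion to every regular file below `directory` and throws
/// on the first file whose flag does not read back as set, so a silent
/// failure cannot leave a copy of the stored data eligible for backup.
func excludeDirectoryContentsFromBackup(_ directory: URL) throws -> [URL] {
    let fm = FileManager.default
    var excluded: [URL] = []
    guard let walker = fm.enumerator(at: directory,
                                     includingPropertiesForKeys: [.isRegularFileKey]) else {
        return excluded
    }
    for case let fileURL as URL in walker {
        let isFile = try fileURL.resourceValues(forKeys: [.isRegularFileKey]).isRegularFile ?? false
        guard isFile else { continue }
        guard try excludeFromBackup(fileURL) else {
            throw BackupExclusionError.notApplied(fileURL)
        }
        excluded.append(fileURL)
    }
    return excluded
}

// Usage (assumed storage location, hypothetical for this example):
// let support = try FileManager.default.url(for: .applicationSupportDirectory,
//                                           in: .userDomainMask, appropriateFor: nil, create: true)
// let done = try excludeDirectoryContentsFromBackup(support)
```

Excluding the files only closes the backup-and-restore path the text describes; it does not substitute for validating the stored record against the department's own database.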
With a reported 4 million NSW residents using DDL, the blunder could have serious consequences for anyone who relies on DDL to verify identity, age, address or other personal information. It is unclear how or even if Service NSW plans to respond. Due to the time differences between San Francisco and New South Wales, department officials were not immediately available for comment.
Farmer noted this tweet, whose author called out a hotel bar for refusing service to someone who had only a physical ID and for accepting only a DDL instead. “I know 10 kids you run regularly with fake digital licenses because they’re easy to do,” the person claimed.
While the truth of this claim cannot be verified, it certainly sounds plausible given the ease and effectiveness of the hack shown here.
This story originally appeared on Ars Technica.