Digital driver's licenses were rolled out in New South Wales, Australia. The new licenses allowed people to show proof of their identity and age with their phones at bars, stores, hotels, and other places. Citizens had used the plastic driver's license for decades, but ServiceNSW promised that the digital version would provide additional levels of security and protection against identity fraud.

According to security researchers, it is trivial for anyone to use the digital driver's licenses to forge fake identities. People under drinking age can change their date of birth, and fraudsters can forge fake identities with the same technique. The process takes less than an hour, doesn't require any special hardware or expensive software, and generates fake IDs that pass inspection by the electronic verification system used by police and participating venues. Security was a key priority for the Digital Driver's Licence (DDL) system.

If the Digital Driver's Licence was improved by implementing a more secure design, we would agree with the statement made by ServiceNSW.

A better mousetrap, hacked

When a victim scans the fraudster's QR code, they won't know that the fraudster has combined their own identification photo with someone's stolen driver's license. It is possible for malicious users to generate a fraudulent Digital Driver's Licence with minimal effort on both jailbroken and non-jailbroken devices.

Each person's credentials need to be displayed in an app on an iPad or a phone. Police and venues can use the same app to verify credentials. The features designed to confirm that the ID is current are:

  • Animated NSW Government logo.
  • Display of the last refreshed date and time.
  • A QR code that expires and reloads.
  • A hologram that moves when the phone is tilted.
  • A watermark that matches the license photo.
  • Address details that don’t require scrolling.

Simple technique.

The technique for overcoming these safeguards is very simple. The key is the ability to brute-force the PIN. Because the PIN is only four digits long, there are only 10,000 possible combinations. Someone can learn the correct combination in a few minutes using a publicly available script and a commodity computer, as shown in the video below.

[Embedded video: available on the original site.]

Once a fraudster gets access to someone's DDL data, either with permission or by stealing a copy stored in an iPhone backup, the brute force gives them the ability to read and modify any of the data.
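Why a four-digit PIN cannot protect a copied backup, shown as an added example that is not code from the article, the researchers, or ServiceNSW's app. The key derivation, the HMAC check value standing in for "decryption succeeded", the sample PIN, and the device-bound mitigation are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200            # kept low so the demo runs quickly; raising it only
                            # scales the cost linearly over the same 10,000 PINs
CHECK = b"ddl-demo-check"   # constructed constant standing in for "decryption succeeded"

def pin_only_key(pin: str, salt: bytes) -> bytes:
    """Weak design: the 4-digit PIN is the only secret input to the key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def device_bound_key(pin: str, salt: bytes, device_secret: bytes) -> bytes:
    """Hardened design (assumption): mix in a random secret that stays in the
    device's secure hardware and is never written to a backup."""
    return hmac.new(device_secret, pin_only_key(pin, salt), hashlib.sha256).digest()

def seal(key: bytes) -> bytes:
    """Tag stored beside the data; it verifies only under the right key."""
    return hmac.new(key, CHECK, hashlib.sha256).digest()

def offline_search(tag: bytes, salt: bytes, derive):
    """What the holder of a copied backup can do: test every PIN, unthrottled."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(seal(derive(pin, salt)), tag):
            return pin
    return None

def demo():
    salt = os.urandom(16)            # present in the backup in both designs
    device_secret = os.urandom(32)   # absent from the backup in the hardened design
    pin = "4821"                     # constructed sample PIN

    weak_tag = seal(pin_only_key(pin, salt))
    bound_tag = seal(device_bound_key(pin, salt, device_secret))

    # The backup holder has the salt and tag but not the device secret, so the
    # only guess function available offline is the PIN-only derivation.
    return (offline_search(weak_tag, salt, pin_only_key),
            offline_search(bound_tag, salt, pin_only_key))

if __name__ == "__main__":
    weak, bound = demo()
    print("PIN-only design, PIN recovered offline:", weak)
    print("device-bound design, PIN recovered offline:", bound)
```

With the PIN as the only secret, the whole keyspace is searched without touching the device, so lockout counters and retry delays in the app never apply.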