In 2019, New South Wales in Australia launched a digital driver’s license (DDL) program to replace the physical driving licenses of drivers from the state. The officials who implemented the project claimed that the DDL is more secure, but security experts say otherwise.
As of 2021, over half of the state’s population has used the “Service NSW” app, which displays the drivers’ DDL information and grants access to other government services in New South Wales. However, when security experts analysed the app, they discovered design flaws that could potentially compromise the digital driving licenses.
A researcher reported successfully brute-forcing the Service NSW app using a Python script. The analysis of the government-owned app turned up several security flaws, including a method to deface and alter drivers’ DDL information.
Despite officials claiming that the digital driving licenses are more secure than the traditional plastic cards, security analysts found flaws in the Service NSW app that threat actors could abuse if given a chance.
According to the details shared by the analysts, the Service NSW app requires a four-digit PIN to unlock, which also serves as the license’s decryption key stored in a JSON file. The success of the Python script used by the analysts in brute-forcing their way into the app is a red flag about its security.
Beyond that issue, the analysts found that the app does not validate the stored DDL data against NSW government records, does not properly update the license data, transmits insufficient information in its QR code, and includes the license data in the backups of every device. These flaws led the analysts to conclude that any hacker could easily modify and alter an individual’s digital license even if their devices have not been jailbroken.
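One way a back-end could close the missing-validation and stale-data gaps listed above, as an added example that is not Service NSW code: the issuer tags each license copy with an HMAC and checks every presented copy against its own registry. The key, registry contents, field names and freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical issuer-side secret; it never leaves the back-end.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 24 * 3600  # assumed freshness window for a device copy

# Constructed back-end registry: license number -> authoritative record.
REGISTRY = {
    "12345678": {"name": "Alex Example", "dob": "1990-01-01", "status": "current"},
}

def _tag(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()

def issue(license_no: str, now: int) -> dict:
    """Back-end: build the copy the device stores, bound to an issue time."""
    payload = dict(REGISTRY[license_no], license_no=license_no, issued_at=now)
    return {"payload": payload, "tag": _tag(payload)}

def verify(presented: dict, now: int) -> str:
    """Back-end check run when a license is presented; returns a verdict."""
    payload = presented.get("payload", {})
    tag = presented.get("tag", "")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return "malformed"
    # Any field edited on the device changes the canonical bytes, so the tag fails.
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return "tampered"
    # An untouched but old copy must be refreshed before it is trusted.
    if now - payload["issued_at"] > MAX_AGE_SECONDS:
        return "stale"
    # Compare against the authoritative record (catches suspension or changes).
    record = REGISTRY.get(payload["license_no"])
    if record is None or any(payload.get(k) != v for k, v in record.items()):
        return "mismatch"
    return "valid"
```

Because the tag is computed and checked only on the back-end, a copy edited on the device or restored from a backup cannot be made to verify without the issuer's key.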
In response to the analysts’ discoveries, the New South Wales officials stated that the issues presented do not threaten users’ security and the DDL’s integrity.
Furthermore, after reviewing the procedures the analysts used to find the alleged flaws, they said that the analysts had only demonstrated the manipulation of their own digital driving licenses on their local device, and so had not provided any compelling evidence that the application is hackable.
The officials added that many cybersecurity specialists had been hired to assess the security of the DDL before its implementation, including a consistent review of the application’s security.
Researchers still believe that the Service NSW app’s security is questionable unless its developers implement an improved design that better assures its security for all users.