The New South Wales digital driver's license has several implementation flaws that allow for easy counterfeits.
The license data file stored on the device is encrypted using AES-256-CBC, with the ciphertext Base64-encoded.
A 4-digit App PIN (set during initial onboarding when a user first installs the app) is the encryption password used to protect the license data.
The problem here is that an attacker who has access to the encrypted license data (whether through a phone backup, direct device access, or a remote compromise) could easily brute force this 4-digit PIN with a script that tries all 10,000 combinations.
The second attacker-friendly design flaw is that the digital driving license data is never validated against the primary authority which is the Service NSW API/DB.
This means that the app does not have a native method to validate the digital driver’s license data that exists on the phone and therefore cannot perform other actions such as notifying users when that data has changed.
As the digital license is stored on the customer's device, validation must take place to ensure that the local copy of the data actually matches the digital driver's license data that was originally downloaded from the Service NSW API.
As this verification does not take place, an attacker is able to view the changed data on the Service NSW application without any preventive factors.
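The validation step described above, as an added illustration that is not part of the original post or of the Service NSW app: the authority keeps the canonical record, the app submits a digest of its local copy before displaying it, and on a mismatch the app replaces the local copy with the canonical one and reports the changed fields so the user can be notified. The record shape, the licence number and the field names are constructed for the example; a production design would additionally sign the record at issuance so that tampering is detectable even when the device is offline.

```python
import hashlib
import json

# Constructed sample: the authority's canonical record for one licence.
# Field names and values are invented for this example.
AUTHORITY_RECORDS = {
    "LIC-0001": {
        "licence_number": "LIC-0001",
        "name": "Test Person",
        "date_of_birth": "1990-01-01",
        "licence_class": "C",
        "expiry": "2027-06-30",
        "conditions": [],
    }
}


def canonical_digest(record: dict) -> str:
    """SHA-256 over a canonical JSON serialisation (sorted keys, no
    whitespace) so that two semantically equal records hash identically
    regardless of how the app serialised them."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def authority_validate(licence_number: str, local_digest: str) -> dict:
    """Authority side (hypothetical API): look up the canonical record and
    compare digests. On mismatch, return the canonical record so the app
    can repair its local copy."""
    record = AUTHORITY_RECORDS.get(licence_number)
    if record is None:
        return {"status": "unknown_licence"}
    if canonical_digest(record) == local_digest:
        return {"status": "valid"}
    return {"status": "mismatch", "canonical": record}


def diff_fields(local: dict, canonical: dict) -> dict:
    """Field-by-field differences as {field: (local_value, canonical_value)},
    which is what a 'your licence data has changed' notification needs."""
    keys = set(local) | set(canonical)
    return {
        k: (local.get(k), canonical.get(k))
        for k in sorted(keys)
        if local.get(k) != canonical.get(k)
    }


def app_check_local_copy(local: dict) -> dict:
    """App side: never display the local copy until the authority has
    confirmed it. A tampered local copy and a legitimate server-side update
    are handled the same way: show the canonical data and report the diff."""
    verdict = authority_validate(local.get("licence_number", ""), canonical_digest(local))
    if verdict["status"] == "valid":
        return {"status": "valid", "display": local, "changed": {}}
    if verdict["status"] == "mismatch":
        canonical = verdict["canonical"]
        return {"status": "mismatch", "display": canonical, "changed": diff_fields(local, canonical)}
    # Unknown licence: nothing trustworthy to display.
    return {"status": verdict["status"], "display": None, "changed": {}}


if __name__ == "__main__":
    tampered = dict(AUTHORITY_RECORDS["LIC-0001"])
    tampered["date_of_birth"] = "1985-01-01"  # locally edited field
    print(app_check_local_copy(tampered))
```

Because the comparison is against the authority's current record, the same check also surfaces legitimate changes (a renewed expiry, an added condition), which is the notification behaviour the excerpt says the app currently lacks.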
There is a lot more in the blog.
*** This is a syndicated blog from the Security Bloggers Network of Schneier on Security written by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2022/05/forging-australian-drivers.html