Incident: NSW digital driver’s licences ‘easily forgeable’ | iTnews
Australian Cyber Security Failure
18 May 2022
NSW digital driver’s licences ‘easily forgeable’
Underage people allegedly go drinking with fake IDs.
Update, 19/5 6.30pm: Service NSW told iTnews that the issue is known and does not pose a risk to customers.
Security researchers have analysed the NSW digital driver’s licence (DDL) and found that it is “trivial” to get past the security measures implemented to protect the identity credential and to forge the data presented by the application.
Dvuln researcher Noah Farmer examined the Apple iOS version of the NSW DDL, inspired by testing that another researcher carried out in 2019, which showed it was possible to modify the data on the credential to display false information.
Farmer observed that social media users had reported a number of underage people using fake DDLs, which are easy to make, to visit drinking establishments in the state.
“The blogger has manipulated their own Digital Driver Licence (DDL) information on their local device. No other customer data or data source has been compromised,” a Service NSW spokesperson said.
“It also does not pose any risk in regard to unauthorised access or changes to backend systems such as DRIVES.
“Importantly, if the tampered licence was scanned by police, the real time check used by NSW Police (scanning mobipol) would show the correct personal information as it calls on DRIVES,” the spokesperson added.
The earlier researcher, Yaakov_H, reported his findings to Service NSW, but it’s unclear if the agency took any steps to remediate the bug discovered.