All of this, despite assurances that security was a key priority for the newly created DDL system.

“To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence,” Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone’s stolen driver's licence details,” he continued.

Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as demonstrated in this video showing the process on an iPhone.

Once a fraudster gets access to someone’s encrypted DDL license data—either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise—the brute force gives them the ability to read and modify any of the data stored on the file.

From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device.

“If this was used to encrypt the Digital Driver's Licence rather than the 4 digit PIN, it would make the task of brute-forcing much harder if not completely infeasible for attackers,” Farmer wrote.

The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what’s stored on the iPhone matches records maintained by the government department.
As said here by Wired