
Australia’s digital driver’s license vulnerable to attack: 5 errors found

  • June 1, 2022

Noah Farmer was able to compromise his Service NSW application using only a Python script and a regular laptop. He discovered numerous vulnerabilities in the security system that allowed the data on the driver’s license to be changed.

Digital driver’s license: not very secure

More than half of New South Wales’s eight million residents use Service NSW, according to Australian officials. The service offers access to many other government services, in addition to viewing driver’s licenses.

According to the expert, he found five separate shortcomings in the app.

  • Specifically, a four-digit PIN is used for unlocking, and it is also the decryption key for the driver’s license stored in the JSON file. With the help of a Python script and a laptop, Farmer was able to brute-force the PIN in a matter of minutes, gaining access to the driver’s license and the ability to modify the data in it.
  • It turned out that the app did not reconcile registered driver’s license data with government records and was unable to “update” driver’s license data as necessary.
  • In addition, the application transmits minimal information in the QR code (which can also be changed) and includes the license data in backup copies of the device; this means that attackers can change their own or someone else’s license data without needing to jailbreak the device.
  • Once the data is replaced, all of the Australian digital license’s protections remain in place, including the animated New South Wales logo, refresh rate, QR code, animated hologram and watermark.
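One way a checker could detect the on-device edits described in the list above, shown as an added example that is not from the article or from Service NSW's code: the issuer authenticates the license record together with its issue time, and the checker rejects edited or stale records. The key, field names, freshness window and the use of HMAC in place of an issuer signature are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: HMAC stands in for the issuer's signature;
# a deployed design would use an asymmetric signature so checkers hold no secret.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 300  # hypothetical freshness window for a presented record


def _canonical(record: dict) -> bytes:
    """Serialize deterministically so issuer and checker MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue(record: dict, issued_at: int) -> dict:
    """Issuer side: bind the license fields and the issue time under one tag."""
    body = dict(record, issued_at=issued_at)
    tag = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(presented: dict, now: int) -> str:
    """Checker side: return 'ok', 'tampered' or 'stale'."""
    body, tag = presented.get("body"), presented.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return "tampered"
    expected = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "tampered"  # any locally edited field no longer matches the tag
    issued_at = body.get("issued_at")
    if not isinstance(issued_at, int) or not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return "stale"  # forces a refresh against the issuer's records
    return "ok"


# Constructed sample record; the field names are illustrative.
SAMPLE = issue({"name": "Alex Example", "dob": "1990-01-01", "class": "C"}, 1_000_000)

if __name__ == "__main__":
    edited = {"body": dict(SAMPLE["body"], dob="1980-01-01"), "tag": SAMPLE["tag"]}
    print(verify(SAMPLE, 1_000_100), verify(edited, 1_000_100), verify(SAMPLE, 1_009_999))
```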

Farmer describes some dire ways such counterfeits could be used, including getting prescription drugs in someone else’s name or identity theft with all its consequences, such as a bad credit history and debt accrued in someone else’s name.

What the developers say

Representatives of Service NSW, the government agency that manages the app of the same name, say the identified “vulnerabilities” do not pose a threat to users or the integrity of their driver’s licenses.

“This issue is known and does not pose a risk to customer data. The blogger [Noah Farmer] manipulated only digital driver’s license information on their local device,” says the Service NSW representative.

The developers insist that changing the data on the license can only deceive a person, for example when you need to show your ID at a bar to prove your age, or to rent a car. But using the license as a full-fledged fake document will not work.

Source: 24 Tv
