In Defence of Service NSW's Digital Licence

Trust in the digital age

The Service NSW Digital Driver's Licence (DDL) has made international news lately thanks to Dvuln's research into the ease of forging the digital licence. In 2021 I too had a poke at the DDL and quickly hacked together a Frida PoC to dynamically change values on the licence whilst retaining its security features. This allowed me to spoof licence information inside the original, official Service NSW app, e.g. Einstein's date of birth:

Performed locally; no government system was touched.
Java.perform(function() {
  var textView = Java.use("android.widget.TextView");
  var charSequence = Java.use("java.lang.CharSequence");
  var string = Java.use('java.lang.String');
  xxx xxx = xxx.xxx("xxx.xxx.xxx");

  xxx.xxx.xxx("xxx", "xxx").xxx = function(x, y) {
    xxx (xxx == "xxx") {
      xxx xxx = xxx.xxx(string.$new("14 Mar 1879"), xxx);
      xxx xxx = xxx.xxx(xxx, xxx).xxx(xxx, xxx.xxx(), xxx);
      [REDACTED] HTTP STATUS 451
      xxx xxx.xxx(xxx, xxx);
    }
    xxx xxx.xxx(xxx, xxx);
  }
});

Both pieces of research point to one thing: digital or physical, you cannot trust what you are presented with, because the holder has full control over the asset. Further, there is nothing Service NSW can do on the device to fix this. Think about it. They can't stop me etching a new date of birth into a physical licence, just as they can't stop me "etching" new date of birth values into a phone I have full control over.

So in terms of identification, a digital licence is just as fallible as a physical one. But the beauty of a digital licence is that a dynamic QR code can be generated and independently validated against Service NSW's databases. At that point you are no longer trusting the end user's licence but the authoritative record, which can be cross-referenced against what is presented to you. This is why licence spoofing can't be fixed in the app's software: the fix sits with the validators. Police, bouncers and anyone else checking a licence need to be trained to actually scan and validate the QR code rather than read the screen. That said, Service NSW could make some tweaks to tighten the security of the app.
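The verifier-side logic that paragraph describes, as an added example that is not Service NSW's code and does not reflect their actual QR format or signature scheme. It assumes the dynamic QR carries a short-lived, issuer-signed token that names the licence but no personal fields; HMAC-SHA256 with a constructed key stands in for whatever the real issuer uses, and an in-memory dict stands in for the licence register. The verifier never trusts the fields rendered on the phone (the `displayed` argument); it validates the token, pulls the authoritative record and diffs the two.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the issuer's signing key. Only the issuer holds it;
# the holder's phone never needs it, so hooking the app cannot mint tokens.
ISSUER_KEY = b"demo-issuer-key-not-real"

# Constructed stand-in for the authoritative licence register.
REGISTRY = {
    "12345678": {"name": "Jane Citizen", "dob": "01 Jan 1990", "status": "valid"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(licence_id: str, issued_at: int, nonce: str) -> str:
    """Issuer side: mint a short-lived token for the dynamic QR.
    It is a lookup key plus freshness data, not a claim about the holder."""
    body = json.dumps(
        {"lic": licence_id, "iat": issued_at, "nonce": nonce}, sort_keys=True
    ).encode()
    mac = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_presentation(qr_token: str, displayed: dict, now: int, max_age: int = 300) -> dict:
    """Verifier side (bouncer, police): validate the scanned token, fetch the
    authoritative record and compare it with what the phone is showing."""
    try:
        body_b64, mac_b64 = qr_token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return {"status": "MALFORMED"}

    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return {"status": "INVALID_SIGNATURE"}   # token not minted by the issuer

    claims = json.loads(body)
    if not (0 <= now - claims["iat"] <= max_age):
        return {"status": "EXPIRED"}             # screenshot / replayed QR fails here

    record = REGISTRY.get(claims["lic"])
    if record is None or record["status"] != "valid":
        return {"status": "NO_VALID_RECORD"}

    # Only the register is trusted; the screen is evidence to be checked against it.
    mismatches = {
        field: (displayed.get(field), record[field])
        for field in ("name", "dob")
        if displayed.get(field) != record[field]
    }
    return {
        "status": "TAMPERED" if mismatches else "OK",
        "record": record,
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("12345678", now, "a1b2c3")
    # The holder has hooked the app and rewritten the rendered date of birth,
    # but the token and the register are untouched.
    tampered_screen = {"name": "Jane Citizen", "dob": "14 Mar 1879"}
    print(verify_presentation(token, tampered_screen, now))
```

The point of the design is that nothing the holder can change on the phone feeds into the decision: the token only identifies which record to fetch, the register supplies the facts, and a validator who reads the screen instead of scanning throws all of that away.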

This story has nice parallels with the recent paradigm shift to zero-trust network architectures. Just because someone is on a company-owned laptop or enters their password doesn't necessarily mean the correct user is using that access. Who's to say the laptop wasn't left on a train or their credentials weren't stolen? Multi-Factor Authentication (MFA) and User and Entity Behavior Analytics (UEBA) are a must for authentication these days.

Trust no one.