Australian state’s mDL takes criticism for security flaws
May 25, 2022, 5:46 pm EDT | Tyler Choi
Australia’s Queensland will test a mobile driver’s license app ahead of a statewide release in 2023, while California may also trial a digital driver’s license secured with biometrics in the near future. States may need to be cautious about the implementation, however: a blog post from digital security company Dvuln says design flaws in the New South Wales government’s mDL app remain uncorrected and leave it open to fraud.
Queensland to trial mDL app
The Australian state of Queensland will pilot a mobile driver’s license (mDL) app in the city of Townsville, with plans to roll out the app across the entire state in 2023.
The National Retail Association writes in a blog post that the state government will trial a digital license app that will contain a driver’s licence, marine licence and photo ID card in late 2022. It will allow users to control the information they wish to display, such as just showing their photo and age without exposing their date of birth and address.
The Association says the app will be secured by the phone’s own lock screen plus a six-digit PIN set by the user. The app itself does not appear to implement a biometric check; any fingerprint or face recognition would come from the phone’s unlock mechanism rather than from the app.
A licence shown in the app can be checked for visual security features, such as a pulsating Queensland Coat of Arms and the last online refresh date, or by scanning its QR code with the app or a separate verifier app. The app will be free and will not replace physical cards, according to the Association.
In 2020, Queensland passed legislation enabling digital driver’s licenses, to be supplied by Thales.
Security firm exposes ongoing security holes with New South Wales digital driver’s licenses
Meanwhile, immediately to the south, Dvuln, an Australian digital security company, says that New South Wales’ mDL remains vulnerable to attack and carries significant design flaws despite warnings made almost three years ago.
In a blog post, Dvuln notes that security researchers flagged flaws in the New South Wales government’s digital driver’s license at release, including the ability to manipulate licence data and create fraudulent identities. Despite the warning, Dvuln says there was no formal response from the government, and its own analysis of the iOS app showed that fraudulent mDLs could be produced without modifying or repackaging the app itself.
Dvuln presents a timeline of the app’s security faults, from a security researcher in 2019 demonstrating that he could edit mDL details, replacing the holder’s photograph with a Pokémon character while the app’s visual security features remained intact, to youths allegedly creating fake mDLs in 2022.
The company’s research identified several design flaws: weak encryption of the stored licence data, no validation of that data against the New South Wales government’s records, a refresh that does not actually reload edited licence details, a QR code that transmits only the holder’s name and whether they are a minor, and application data that is included in device backups and can be restored after editing.
About 3.9 million New South Wales residents use the mDL, about 70 percent of the population. Dvlun says the threats from a poorly secured app include identity fraud that can affect debt and credit scores, minors purchasing alcohol, and medical identity theft.
To resolve these problems, Dvuln recommends stronger encryption of the stored data, validation of licence details against the New South Wales government’s servers, a swipe-to-refresh that actually reloads an edited licence, including the holder’s photo in the data presented during the QR code check, and marking the relevant files so they are excluded from backups and cannot be restored after editing.
A review of Australia’s digital ID system conducted in 2019 and published in May 2022 found that the system contained many weaknesses and deficiencies. It recommended that the problems be remedied with biometrics.
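The flaws and fixes listed above come down to one design rule: a verifier must trust only what the issuer signed, never what the holder’s device stores or displays. The following Python example, added here and not code from Dvuln, the NSW app or the Queensland app, sketches that rule: the issuer binds name, date of birth, photo and expiry under one signature carried in the QR code, and the verifier derives “over 18” from the signed date of birth, shows the signed photo, and rejects any edit made to the on-device data. HMAC with a constructed key stands in for the issuer’s asymmetric signature (an assumption made so the demo needs only the standard library; a real issuer would use Ed25519 or ECDSA so verifiers hold only a public key), and all names, dates and field layouts are invented.

```python
"""Issuer-signed mDL payload and an offline verifier (constructed example).

The holder's app stores and displays data that can be edited on the device,
so the verifier decides from what the *issuer* signed, not from the screen.
ASSUMPTION: HMAC stands in for the issuer's asymmetric signature; with HMAC
every verifier would hold the signing key, so real deployments use
Ed25519/ECDSA and distribute only the public key to verifiers.
"""
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key; not a real issuer secret.
ISSUER_KEY = b"constructed-demo-issuer-key"


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so issuer and verifier MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(name: str, dob_iso: str, photo: bytes, expires_iso: str) -> dict:
    """Issuer side: bind name, date of birth, photo and expiry under one signature."""
    payload = {
        "name": name,
        "dob": dob_iso,            # age is derived by the verifier, never a stored flag
        "photo_b64": base64.b64encode(photo).decode(),  # photo travels inside the signed data
        "expires": expires_iso,
    }
    sig = hmac.new(ISSUER_KEY, canonical(payload), hashlib.sha256).digest()
    return {"payload": payload, "sig": base64.b64encode(sig).decode()}


def to_qr_text(cred: dict) -> str:
    """What the holder's app would encode into the QR code."""
    return base64.b64encode(json.dumps(cred).encode()).decode()


def tamper(cred: dict, field: str, value) -> dict:
    """Simulate editing the on-device licence file: change a field, keep the old signature."""
    edited = json.loads(json.dumps(cred))
    edited["payload"][field] = value
    return edited


def age_on(dob_iso: str, today_iso: str) -> int:
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def verify(qr_text: str, today_iso: str, min_age: int = 18) -> dict:
    """Verifier side: accept only issuer-signed, unexpired data; derive age from signed DOB."""
    try:
        cred = json.loads(base64.b64decode(qr_text))
        payload, sig = cred["payload"], base64.b64decode(cred["sig"])
    except (ValueError, KeyError, TypeError):
        return {"valid": False, "reason": "malformed"}
    expected = hmac.new(ISSUER_KEY, canonical(payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        # Any edit to name, DOB, photo or expiry lands here: the old signature no longer matches.
        return {"valid": False, "reason": "bad signature"}
    if date.fromisoformat(payload["expires"]) < date.fromisoformat(today_iso):
        return {"valid": False, "reason": "expired"}
    return {
        "valid": True,
        "name": payload["name"],
        "over_min_age": age_on(payload["dob"], today_iso) >= min_age,
        # The verifier shows the *signed* photo for comparison with the holder's face,
        # rather than trusting whatever image the holder's screen displays.
        "photo": base64.b64decode(payload["photo_b64"]),
    }


if __name__ == "__main__":
    cred = issue_credential("Jane Citizen", "2006-01-15", b"constructed-photo-bytes", "2026-01-15")
    print(verify(to_qr_text(cred), "2022-05-25"))                        # valid, not over 18
    print(verify(to_qr_text(tamper(cred, "dob", "2000-01-15")), "2022-05-25"))  # bad signature
```

Note what this does and does not cover: an attacker who can edit the stored file can still change what the holder’s screen shows, so a verifier that only looks at the screen is still fooled; the protection comes from the verifier app checking the signature and reading age and photo from the signed payload. Excluding the licence file from device backups is a separate, platform-level control and is not shown here.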
California readies for digital driver’s license trial amid privacy concerns
California is looking to take a step forward into state-wide biometrically-secured mDLs, according to the Los Angeles Times, joining several other American states with their mDLs and digital IDs.
In 2021, Californian lawmakers authorized the state’s Department of Motor Vehicles (DMV) to run a trial of mDLs and digital ID cards, giving the DMV about a year to produce a timeline and cost estimate for the pilot.
Such an mDL would likely follow in the footsteps of states that have already launched their own, like Louisiana, Colorado, and Arizona, while Utah is also testing one. It would use the smartphone’s biometric unlock as the identity authenticator.
Proponents of an mDL argue that a digital license secured by biometrics is more secure, private, and convenient. Critics point out that competing standards could lead to compatibility issues, that not everyone has a smartphone or tablet, and that the potential for large-scale privacy intrusion is real.
Sources cited by the Times say an mDL must address concerns about holders being tracked, and about law enforcement gaining access to sensitive information on the device during a search. To address the privacy worries, some have recommended blockchain-anchored verifiable credentials or a fully decentralized model such as self-sovereign identity.
But the Times reports that the state’s DMV is still talking to multiple vendors about possible approaches and there is no date set for the launch of any pilots. Idemia Identity & Security North America announced in March it had been chosen to produce physical licenses and mDLs for California for 12 years.
Californian lawmakers did, however, lay out a series of conditions for an mDL trial: no forced participation, no tracking or data mining by the app, no warrantless searches, and no disclosure of data beyond what a physical license provides.