Mobile IDs are starting to emerge in a big way around the world, and, naturally, they’re coming under increasing scrutiny. With respect to the latter development, the latest and most incisive development helps to illustrate why biometrics could play such an important role in mobile ID going forward.
One of the earliest efforts to pioneer digital driver’s licenses came from Australia’s New South Wales state in 2019. The regional government launched a mobile ID app that could be used as proof of identity in interactions with police and a range of commercial settings, as well as proof of age at bars and restaurants. Now, app security specialist Dvuln Labs has published an exposé showing not only that the app can be hacked and modified, but that it’s easy to do so.
As Ars Technica reports, in essence, the hacking method is relatively straightforward. The app’s encrypted driver’s license data is stored in a file that is protected by a four-digit PIN. By running a brute force script, a hacker can easily crack the code, access the raw driver’s license data, and modify it by changing text.
Demonstrating the hacking process with an iPhone, Dvuln showed in a YouTube video how the device can be backed up to a computer – including the mobile driver’s license data – and then decrypted using a brute force attack, edited, re-encrypted, and restored to the device. From there, it can essentially be used as a fake ID, falsely proving the user’s age, address, and various other information.
There are a couple of key vulnerabilities being exploited here, and biometrics can’t solve all of them. A central one is the encryption process. Given the sensitivity of the data, a four-digit PIN is simply (perhaps wildly) inadequate. In a blog post detailing the exploit, Dvuln researcher Noah Farmer noted that if the app’s developers had taken advantage of Apple’s SecRandomCopyBytes cryptographic tool, which revolves around the generation of random bytes, “it would make the task of brute-forcing much harder if not completely infeasible for attackers.” More generally, though, a longer and more complex key would have been helpful.
The other big issue is the one that could most readily be solved using biometric technology. The actual process of identity verification using the NSW Digital Driver License revolves around a QR code scan, which transmits the user’s name and status as an adult or minor. That’s it. Any other data associated with the digital driver’s license can be changed, including the image of the user that is on file, and the QR code scan will still work. That means that, hypothetically, a fraudster could steal someone else’s device, hack into the DDL data, change the photo associated with the driver’s license to their own selfie, and then assume that person’s identity.
There are a couple of ways that biometrics can help to resolve this issue. Farmer highlights the utility of validating DDL data against the New South Wales government’s own databases during identity checks, a process in which facial recognition could potentially be used to ensure that the photo stored on the app actually matches government records. Responding to Dvuln’s post, Service NSW – the government body that oversees the app – noted that identity checks conducted by police actually do check data against external databases, so a fraudster couldn’t impersonate someone else using the app in interactions with police.
The issue with this solution is that it would require sensitive data to be transmitted externally in every identity check transaction, extending the attack surface beyond the device itself. A number of mobile ID proponents prefer an on-device approach that constrains identity verification to the device storing the virtual ID, both because it’s seen as offering greater privacy protection and because it doesn’t require a wireless connection.
This is how Apple does it. The company has built its brand to a considerable extent on protecting users’ privacy, and its pioneering mobile ID system is designed to share as little information as possible. At the moment, it can only be used for identity verification at the airport – Phoenix, Arizona’s Sky Harbor Airport, to be precise – but even in this most sensitive of security environments, the user doesn’t even have to display their digital ID to a border agent. Instead, they tap it on a contactless reader, which gives a yes-or-no answer regarding the validity of the virtual identity document.
Biometrics are key to Apple’s mobile ID process. Setting up the virtual driver’s license (or state ID card) entails an elaborate, selfie-based enrolment process that asks the user to perform a series of facial and head movements, and uses facial recognition to match the user to the image on their physical ID – a process that makes on-device authentication viable for high-risk transactions, since it anchors the user to state-issued, official ID. After that, when verifying their identity at the airport, the user must perform biometric authentication on their device, irrefutably confirming that they are the genuine holder of the registered virtual ID.
The TSA doesn’t need to worry about seeing the ID; Apple has confirmed that the user is who they claim to be.
Of course, another key security feature here is that Apple isn’t protecting encrypted user data behind a four-digit PIN. Apple wouldn’t even do that with a virtual Starbucks gift card, let alone a virtual driver’s license. On-device biometric authentication wouldn’t mean anything if it were easy to edit the biometric template stored on the device.
All that having been said, Apple’s approach probably isn’t the only viable one when it comes to secure mobile ID. But it shows one way of avoiding the kind of embarrassing hack attack that has now been demonstrated against the NSW Digital Driver License. And as more governments around the world roll out their own mobile ID and digital driver’s license systems, it’s going to be increasingly important to take strong security measures to reassure the public that their identity information is safe and can’t be easily compromised.
Biometrics could therefore have an important role to play across a number of these initiatives, and with so many under development, now is the time for vendors to reach out to government agencies and try to get involved.
May 26, 2022 – by Alex Perala
Want to have future ID Tech columns delivered straight to your inbox? Sign up for the members-only newsletter: