
"The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations," Farmer wrote.

"A 4-digit application PIN (which gets set during the initial onboarding when a user first installs the application) is the encryption password used to protect or encrypt the licence data." While the application data file, in JavaScript Object Notation (JSON) format, is encrypted with AES-256-CBC and Base64-encoded, this might not be sufficient protection, Farmer notes. In his analysis, Farmer found several security design issues with the NSW DDL application.
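The design weakness described above is that the PIN is the only secret feeding the encryption key, so a copy of the encrypted file can be attacked offline with at most 10,000 candidate keys, and any lockout the app enforces on screen is irrelevant to that attack. The following Python example (added here; it is not code from the article, from Farmer, or from the NSW DDL application) contrasts that design with a device-bound one: the PIN is mixed with a random secret that lives in a simulated hardware keystore, which never exports the secret and enforces the retry limit itself. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the `SimulatedSecureElement` class and the 1,000,000 derivations-per-second rate used for the cost estimate are assumptions for illustration; the sample PIN is constructed.

```python
import hashlib
import hmac
import math
import secrets

# Assumption (not from the article): PBKDF2-HMAC-SHA256 as the KDF, with an
# iteration count kept low enough for the demo to run quickly.
PBKDF2_ITERATIONS = 100_000


def derive_key(pin: str, salt: bytes, device_secret: bytes = b"") -> bytes:
    """Derive a 256-bit key from the PIN, optionally mixed with a device-bound secret.

    With device_secret == b"" this mirrors the design the article describes: the
    only secret input is the PIN, so a 4-digit PIN yields at most 10,000 keys.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + device_secret, salt, PBKDF2_ITERATIONS)


def effective_keyspace_bits(pin_digits: int, device_secret_bytes: int) -> float:
    """Entropy of the KDF input: log2 of the PIN's 10**digits values, plus
    8 bits per byte of a uniformly random device secret."""
    return math.log2(10 ** pin_digits) + 8 * device_secret_bytes


def offline_guess_seconds(keyspace_bits: float, derivations_per_second: float) -> float:
    """Worst-case time to try every candidate key offline at the given KDF rate."""
    return 2 ** keyspace_bits / derivations_per_second


class SimulatedSecureElement:
    """Stand-in for a hardware keystore (Secure Enclave / StrongBox class device).

    It holds a random device secret that never leaves the element and enforces the
    retry counter itself, so a copy of the encrypted file on its own is useless:
    the secret is missing and the counter cannot be bypassed offline.
    """

    def __init__(self, pin: str, max_attempts: int = 5):
        self._secret = secrets.token_bytes(32)
        self._salt = secrets.token_bytes(16)
        self._pin_tag = self._tag(pin)
        self._max_attempts = max_attempts
        self._failures = 0
        self.locked = False

    def _tag(self, pin: str) -> bytes:
        # Keyed with the device secret, so the tag cannot be checked outside the element.
        return hmac.new(self._secret, pin.encode(), hashlib.sha256).digest()

    def unwrap_key(self, pin: str):
        """Return the data key for a correct PIN, None for a wrong one, and lock
        permanently after max_attempts consecutive failures."""
        if self.locked:
            raise PermissionError("secure element locked; licence data must be re-provisioned")
        if not hmac.compare_digest(self._tag(pin), self._pin_tag):
            self._failures += 1
            if self._failures >= self._max_attempts:
                self.locked = True
            return None
        self._failures = 0
        return derive_key(pin, self._salt, self._secret)


def compare_designs(pin_digits: int = 4, secret_bytes: int = 32, rate: float = 1e6) -> dict:
    """Summarise both designs for a design review: keyspace bits and worst-case
    offline enumeration time at the assumed KDF rate."""
    weak_bits = effective_keyspace_bits(pin_digits, 0)
    strong_bits = effective_keyspace_bits(pin_digits, secret_bytes)
    return {
        "pin_only_bits": weak_bits,
        "pin_only_seconds": offline_guess_seconds(weak_bits, rate),
        "device_bound_bits": strong_bits,
        "device_bound_seconds": offline_guess_seconds(strong_bits, rate),
    }


if __name__ == "__main__":
    print(compare_designs())
    element = SimulatedSecureElement("1234")  # constructed enrolment PIN
    print(len(element.unwrap_key("1234")), "byte key unwrapped with the correct PIN")
```

The review question this supports is simple: if every input to the key derivation is recoverable from the backup file plus a short PIN, the keyspace is the PIN's, whatever cipher or KDF sits on top; a longer PIN or a slower KDF only moves the cost by small factors, whereas a secret held in hardware moves it out of reach and lets the retry limit actually apply.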

Farmer observed that social media users reported that a number of underage people were using fake DDLs, which are easy to make, to visit drinking establishments in the state.
