In January 2020 the Icelandic government announced plans to introduce electronic driver’s licenses (e-licenses), following in the footsteps of countries like Norway. The minister of justice was the first to reveal that the plans were underway (sharing a picture of her own driver’s license in the process). E-licenses were presented as an innovation and an improvement of the level of service provided by the government.
🚙How often is this with you when you go out for a drive?
📲How often is your phone with you?
💁♀️I know this picture is awesome. pic.twitter.com/xgLewROM3N
— Áslaug Arna Sigurbjörnsdóttir (@aslaugarna) January 29, 2020
The development of the licenses was supervised by the working group Digital Iceland, which operates within the Ministry of Finance. The licenses were presented in a press conference [1] on 1 July 2020. This project was a cooperation between three ministries, i.e. the ministries of justice, transportation and finance.
In interviews [2] and public comments leading up to the publication of the licenses, the Minister of Justice discussed the licenses frequently and made it clear that the e-license was supposed to be equivalent to the physical one in every way, including as a personal ID. Therefore, people were supposed to be able to use them to buy alcohol, collect prescription medicine and vote.
Now, to take a step back, Iceland has a weird quirk when it comes to personal IDs. The government does issue government IDs, but almost no one has them. Since we are a car and travel crazy nation, almost everyone has a driver’s license or a passport. Therefore our driver’s licenses are valid as travel documents within some Schengen countries (but not our government IDs). As a result, our driver’s licenses include a variety of security measures [3].
The adoption of the licenses was very fast. Within the first day, 12,000 Icelanders had fetched their e-license. Within three days, there were 44,000 and at the end of 2020, around 92,000 e-licenses were in circulation (over 25% of the Icelandic population).
What’s in a license
When it comes to such important and secure documents as driver’s licenses, it’s interesting to consider which technology was chosen to implement them digitally. In this case, the government opted for Apple’s Wallet passes, distributed using the Passkit API.
The Wallet API is an open standard that anyone can implement. The Apple wallet is, e.g., used to store everything from cafe coupons to credit cards, so it was interesting to see how the government would apply this technology to the e-licenses.
On 1 July 2020, the wait was over and the new licenses could be inspected.
Apple wallet passes are distributed as PKPass files. Apple has a native wallet app to load these files into, and Android has a choice of wallet apps to use. These PKPass files are in essence a signed ZIP archive, i.e., a file that contains multiple files and a signature to detect if the files have been changed.
The e-license PKPass files contain 6 files.
The first three are images:
- icon.png is the logo of the publisher of the e-licenses,
- logo.png is the image presented in the header of the license (crest) and
- thumbnail.png is the photo of the license holder.
pass.json
This file contains a complete description of the license, including metadata and license holder details. This includes the background and text color of the license, serial number, as well as the personal details about the license holder and details about the types of vehicles they are permitted to operate.
manifest.json and signature
Together these files form the digital signature of the license. The file manifest.json contains a manifest of the hashes of all files included in the license and signature contains a digital signature of the manifest. The signature is generated by the license issuer, which must obtain a signing key from Apple in order to add passes to Apple wallets.
The digital signature ensures that, if anything within the license is changed, e.g. photos, name, date of birth, then the signature will become invalid. Therefore, if anyone attempts to alter the license without a signing key, Apple Wallet will reject it.
Although the digital signature sounds good on the surface, there are two main problems with it. First, it is sufficient to have an Apple developer account to obtain a signing certificate for wallet passes, and therefore they can be obtained by anyone. Thus, anyone can alter the license and obtain a new valid license by updating the manifest and signing with their own signing key, thereby creating an e-license nearly indistinguishable from one issued by the government.
The second issue with the signatures is that Syndis was unable to find any Android app that actually validated the signature. Therefore, if you use Android, you can alter the contents of the license to your heart’s content, and the Android wallet apps will have no problem importing the new and improved license.
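As an added illustration (not code from Syndis or from the license issuer), the sketch below shows the checks a wallet app or validator needs for the two problems above: compare every file against manifest.json, and accept only a signer that matches a pinned issuer rather than any valid pass certificate. The identifiers, the `holder` field and the sample archives are constructed, and PKCS#7 verification of `signature` is assumed to be done by a CMS library that hands over the signer's identity.

```python
import hashlib
import io
import json
import zipfile

# Placeholder issuer pin (constructed values, not the real issuer's identifiers).
PINNED = {"passTypeIdentifier": "pass.example.gov.license",
          "teamIdentifier": "GOVTEAM001"}
OTHER = {"passTypeIdentifier": "pass.example.other", "teamIdentifier": "OTHERTEAM1"}


def build_sample(files, manifest_of=None):
    """Build a constructed PKPass-style ZIP; the manifest maps name -> SHA-1 hex."""
    listed = manifest_of if manifest_of is not None else files
    manifest = {n: hashlib.sha1(d).hexdigest() for n, d in listed.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("signature", b"placeholder, not a real PKCS#7 blob")
    return buf.getvalue()


def check_pass(pkpass, signer, pinned=PINNED):
    """Return a list of problems; an empty list means the pass is acceptable.

    `signer` is the identity read from the certificate that signed
    manifest.json, supplied by a CMS library after the signature verified
    (assumed, outside this sketch). None means no verification was done.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkpass)) as z:
        present = set(z.namelist()) - {"manifest.json", "signature"}
        manifest = json.loads(z.read("manifest.json"))
        for name in sorted(present | set(manifest)):
            if name not in manifest:
                problems.append(f"unlisted file: {name}")
            elif name not in present:
                problems.append(f"missing file: {name}")
            elif hashlib.sha1(z.read(name)).hexdigest() != manifest[name]:
                problems.append(f"hash mismatch: {name}")
        claimed = json.loads(z.read("pass.json")) if "pass.json" in present else {}
    if signer is None:
        return problems + ["signature not verified"]
    for field, expected in pinned.items():
        if signer.get(field) != expected:
            problems.append(f"signer {field} is not the pinned issuer")
        if claimed.get(field) != signer.get(field):
            problems.append(f"pass.json {field} does not match signer")
    return problems


def sample_files(identity):
    # "holder" is a hypothetical field standing in for the license details.
    return {"icon.png": b"icon", "logo.png": b"logo", "thumbnail.png": b"photo",
            "pass.json": json.dumps({**identity, "holder": "Constructed Holder"}).encode()}


genuine = build_sample(sample_files(PINNED))
# Photo differs from what the issued manifest and signature cover.
swapped = build_sample({**sample_files(PINNED), "thumbnail.png": b"other photo"},
                       manifest_of=sample_files(PINNED))
# Internally consistent archive, but signed under a different pass certificate.
resigned = build_sample(sample_files(OTHER))

if __name__ == "__main__":
    for label, blob, signer in [("genuine", genuine, PINNED),
                                ("swapped", swapped, PINNED),
                                ("resigned", resigned, OTHER),
                                ("unverified", resigned, None)]:
        print(label, check_pass(blob, signer))
```

The `resigned` case is the one a hash-and-signature check alone cannot catch: the archive is internally consistent and its signature would verify, so only the comparison against the pinned issuer rejects it.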
In multiple interviews [2] leading up to the introduction of the e-licenses, a scanner was discussed. The purpose of the scanner was to scan the PDF417 barcode that is included in the e-licenses, and verify that the license was authentic and showing valid information.
Considering that anything can be displayed on the screen of a phone, such a scanner should not be considered optional but an essential part of the e-license system. Without such a scanner, validating e-licenses is impossible. That is, without a scanner, any sufficiently sophisticated forgery, such as an app built to imitate a wallet app, would be impossible to detect without a forensics investigation of the mobile device.
However, despite the rumours and discussions, no scanner was released when the licenses were introduced, and no scanner has been released publicly at the time of writing.
As mentioned before, without a scanner, anyone requiring an ID can only rely on the “look and feel” of the ID presented to verify its authenticity. Forgery, therefore, revolves around trying to replicate the appearance of an e-license.
Screenshots are, perhaps, the first thing that comes to mind. They are easy to generate, and can be easily modified with image processing software. This was pointed out on Twitter a week after the launch, when someone had modified a screenshot of a license using Snapchat.
Just a thought. Isn’t it far too easy to forge these electronic driver’s licenses if the idea is that people should be able to identify themselves with them? Two minutes of tinkering on Snapchat and 17-year-old me can stop by the state liquor store on the way to B5 pic.twitter.com/94wRpAnZD4
— Ari Steinn (@AriSteinn) July 8, 2020
Although the screenshots can deliver on the look front, the feel of the screenshots is a bit lacking, as with even a little inspection most people can see that what is being presented is not a wallet app. Furthermore, the e-license’s details (commonly referred to as the “back side”) cannot be inspected.
Multiple services on the Internet, and even mobile apps, allow you to design your own pass for Apple wallets. These services sign the passes for you, so no need to obtain a signing key from Apple. Making a replica of an e-license (feel free to download it and try it out) takes around 5 minutes with the service Pass2U.
Similar services to Pass2U include:
The drawback of these services is that the timestamp displayed below the license’s barcode is not automatically updated upon refresh. This timestamp is not a standard functionality of Apple Wallet passes and is therefore not available from these services.
There are two ways around this shortcoming. One is to update the license in the pass service just before using it, in which case the timestamp presented will be very recent. The other is to interact with the pass service’s API to automatically update the timestamp periodically.
Forgeries using pass services have almost certainly been in circulation in Iceland. In a Facebook post [4] in an Icelandic group dedicated to cyber security, a commenter mentions having generated a license for the news outlet of the Icelandic national radio (RUV) on the day the licenses were introduced. The reporters, however, did not find these forgeries interesting enough to report on.
Furthermore, in a news story from 7 July 2021, the deputy director of the Icelandic liquor store (Vínbúðin) states that the e-licenses are easy to fake and hard to validate [5]. She specifically mentions that the forgeries that they are seeing are not screenshots, but are actual passes in a wallet.
It’s just screenshots
Just three weeks prior to the story voicing the deputy’s concerns, on 19 June 2021, another news story [6] came out, stating that teenagers were using forged e-licenses to appear older in order to enter nightclubs and bars in downtown Reykjavík.
The director of Digital Iceland (the operator of the e-license system) was quoted in the news report saying that “bouncers need to be vigilant”, effectively shifting the responsibility to the people who are inspecting the e-licenses. Furthermore, the director asserts that these forgeries are just altered screenshots of real licenses, and that the licenses themselves cannot be altered.
Giving Digital Iceland the benefit of the doubt, the Icelandic liquor store news story, where the deputy director states that the fake licenses are actual wallet passes, not screenshots, came out three weeks after this. However, in February 2021, Digital Iceland published instructions for parties that want to use the e-licenses for personal identification [7]. The instructions detail how to verify that an e-license is valid in three steps.
- Check whether the license is expired
- “Turn the license around” (inspect the license details) to verify that the license is not a screenshot.
- If the timestamp below the barcode is not recent, ask the license holder to refresh the license. This is to ensure that the license is connected to the Police database. All dates should be updated after refresh.
After reading these instructions, it is clear that their author is aware of the fact that fake licenses can be added to wallet apps, otherwise, there would be no step 3. The third step also specifically mentions timestamps, which are the hardest thing to replicate using pass generators. Two questions then arise.
- Why are representatives of Digital Iceland asserting that the forgeries are screenshots, when they are aware that more sophisticated forgeries are not only possible, but arguably easier?
- If a timestamp of a license, generated using a pass generator, is updated a few seconds before presenting it, it will pass all three assertion steps of the instructions. Why, then, is Digital Iceland shifting the blame towards the inspectors?
It must be emphasized that even with e-licenses generated using pass generators, these three validation steps can be easily passed. Consequently, it is impossible for anyone to verify if these e-licenses are genuine or not.
Scanner is coming
On 6 July 2021 an individual posted to a group for programmers in Iceland asking for help to scan the barcode of e-licenses [8]. This individual knew a few bouncers who were having trouble validating the licenses, and he wanted to help them out by creating a scanner.
The official account of Digital Iceland responds to the post saying that a scanner is in the works and will be ready in the fall. No reason is given for why it has taken more than a year to add basic security measures to the system.
Absentee voting for the upcoming parliament elections in Iceland (25 September 2021) started on 13 August 2021. On 26 August 2021, a member of the Icelandic Parliament attempted to vote with his e-license, but the electoral commission turned him away, asking for a better form of ID [9].
The discussion of how these e-licenses can be easily forged has been ongoing for a while, and therefore the commission likely decided not to accept them. However, after the MP’s complaints, the Ministry of Justice made it clear to the commission that the licenses were to be taken as valid.
Again, a representative of Digital Iceland was quoted in the news story.
The marketing director of Digital Iceland, which issues the e-licenses, told reporters last month that a software solution is being developed that will allow users to scan the licenses, which will simplify validation.
Still, Digital Iceland wrongly claims that validation is possible without a scanner, and the scanner will merely simplify the process.
The same day as the MP was not allowed to vote, Digital Iceland hosted a conference [10]. The director gave a talk where he admitted that “they had hit a few walls” when it came to implementing the e-licenses, and emphasized that this was a learning experience.
As often before, the director attempts to make light of the forgeries, comparing the forging of personal identification to running a red light. He continues by saying that certain types of driver’s licenses can be as easily forged as the e-licenses, but neglects to mention that the last license of that type was issued over 20 years ago.
…the technology needs to adapt. The people in the service industry, they don’t know technology. They don’t know how to accept these electronic IDs, and validate them. Because it is easy to take a screenshot of these electronic IDs and change the national ID, etc.
Again, a representative of Digital Iceland claims that validation is possible without a scanner and shifts the blame to the people trying their best to achieve an impossible task, i.e., validating good forgeries. Furthermore, the only method of forgery that he recognizes is screenshots.
In the talk, the director goes on to demo the upcoming scanner, which scans the barcode of the e-license, and presents the scanner with a photo, name and date of birth. When the scanner will be available is, however, not mentioned.
The only conclusion we can come to is that Digital Iceland has no (or does not want to have any?) comprehension of the technical specification of the e-license system and the system’s shortcomings.
Furthermore, it is interesting to observe that both Digital Iceland and the Icelandic media only consider forgeries to be lucrative for teenagers trying to get into nightclubs and buying alcohol. No news stories have discussed the possibilities the system offers to criminals trying to obtain prescription medicine or even the impact these licenses can have on the ongoing elections.
Estonian ID-cards vulnerability
To provide contrast, in 2017 a vulnerability researcher in Estonia discovered a security flaw in the Estonian government issued ID-cards. These ID-cards also include a chip with a private key that Estonians can use for authentication in online services and for signing documents. The vulnerability was reported on 30 August 2017 [11]. The researcher discovered that the private keys of ID-cards, issued in a certain period, could be computed if the public key was known. Theoretically, this flaw could allow an attacker to take control of a person’s identity in an electronic environment without being in possession of the ID-card.
This type of vulnerability is very serious, but does require a highly skilled attacker to exploit. Nonetheless, the reaction from the Estonian government was swift and decisive. The police and border control were notified the day after the disclosure and an investigation was started. This was a challenging vulnerability to mitigate, and work on remediation started almost immediately. Less than a week after the disclosure, a press conference was held to notify the public of the vulnerability. By the beginning of November, just over two months after discovery, the issue had been addressed, all affected ID-cards had been revoked, and the vulnerability research had been published.
One of the lessons learned from the Estonian case was the importance of involving and informing the public.
Estonia’s e-Governance is based on trust. E-services would be useless if people didn’t have trust in using them. To build and keep trust, people have to be communicated with openly, including about threats.
The head of the Estonian Information Systems Authority (RIA), the government organization responsible for information systems, was quoted as follows in a press briefing regarding the incident [12].
“We need to deal with cyber attacks publicly, not privately, as would be supposed for the defense sector from where I am from. Public debate definitely helps to build trust among citizens”
We have discussed how Digital Iceland would not recognize any forgeries beyond screenshots. We have also shown that even simple forgeries can pass all checks presented in their instructions. But, still, we have the problem with the timestamp not updating. Can we do better?
The simple answer is yes, much better. We can create forgeries that cannot be told apart from authentic e-licenses without a forensics investigation of the device containing the e-license.
One of the easiest ways of obtaining a good forgery is to take a valid license, extract its contents, modify them and repackage it. As mentioned above, this will result in the signature being invalidated, but luckily, on an Android device, that doesn’t matter.
Android users, therefore, have a simple way of creating good forgeries. Simply take a valid e-license, modify what is needed, and repackage. Any Android wallet will happily accept your modified license, and Syndis found that one Android app will even update the timestamp below the barcode! You can test this type of forgery by adding Mickey Mouse’s license to your wallet (if you are not using iOS).
Implementing the PKPass API
So we have discovered a method of forgery that results in licenses that are indistinguishable from authentic licenses, but they only work on one Android app. Can we do better?
As mentioned above, the PKPass API, which the e-license infrastructure is based on, is an open standard. Anyone can implement the standard, and many have. This standard is used by countless companies, e.g. cafes for discount coupons, airlines for flight tickets, credit card companies, etc. Many open source implementations are available, and even services that generate passes, as we discussed earlier.
To demonstrate this method of forgery, Syndis decided to implement the PKPass API and an accompanying service that issued fake driver’s licenses. The whole implementation was around 200 lines of Python, as the standard only requires the implementation of 5 endpoints. Syndis obtained a signing key from Apple in less than 15 minutes.
The following video shows a license issued from the service. The license is indistinguishable from an authentic license in any observable way. The timestamp updates when the certificate is refreshed, and its details and appearance are the same as those of the licenses issued by the Police. In fact, it would require a forensics investigation, inspecting the signature files of the PKPass, to determine that the license is fake.
As a security company, Syndis has learned the importance of demonstrating impact. Although demonstrations and detailed technical findings are important, often a demonstration of impact is what is needed to make people realise the gravity of a security vulnerability. As much as we would like to make the fake license system available to the public, our lawyer has advised against it. Instead, we have decided to release a modified version of the system that publishes cake licenses (it’s a pun in Icelandic, bear with us). You can try it yourself.
With the addition of the scanner, the e-license will become usable, not just improved, as its operators have stated, and it is, of course, crucial that the design of the scanning system is well thought out and secure. However, as the scanner has yet to be released, there is nothing to inspect yet.
Update 09.09.2021: Following the initial publication of this blog, information has been received that the scanner has been made available to polling staff for verifying e-licenses of voters [13]. The Ministry of Justice and interviewed poll workers stated that the scanner had been in use since the beginning of the week starting on 30 August 2021. The scanner is still not publicly available, but all emphasis should now be put on getting it into the hands of the services that need it, such as pharmacies, liquor stores etc.
Can we do better?
It is clear from how well these licenses were received and discussions online that the main benefit people see in these e-licenses is to have an electronic personal ID. In this case, it just happens to be a driver’s license. However, in general, personal IDs should not be tied to your right to operate machinery.
Taking this into account, electronic personal IDs should be the focus. The Icelandic physical personal IDs should also be improved to include the same security measures as the driver’s licenses. The physical IDs could even include a government issued digital certificate that can be used to authenticate against online services and sign documents.
A scanner must be implemented against the digital personal IDs, and it is crucial that anyone can scan the ID of anyone else. The scanner should employ data minimization, such that the person scanning only receives the necessary information. E.g., if a customer goes to the liquor store and an employee scans their ID, the employee only needs a picture of the customer (to verify that they are not using someone else’s ID) and a message stating whether the customer is over the legal drinking age or not.
In addition to that, the system should require informed consent. E.g., when the employee of the liquor store scans the ID of the customer, the customer should be informed that an employee of the liquor store wants to receive the necessary information to verify that they are over the drinking age, and the customer should then be able to consent or reject.
Personal IDs can also be used as a basis for all other government issued licenses. E.g., if the police can verify that a person is who they say they are, then looking up that person’s driver’s license or gun license should be no problem.
It is disappointing to see how a truly useful and popular idea has been mishandled and poorly implemented. E-licenses are clearly a system that people want, but with the regular news stories about forgery, the risk of public distrust in the system increases.
Digital Iceland is tasked with the important responsibility of digitizing the interaction between the Icelandic government and its citizens. Most of the organization’s work is well performed, and it has introduced many new and innovative ideas to software development for the Icelandic government. As an example, most projects developed for the organization are open source and the work is highly diversified, as multiple different companies are hired to implement individual components. One benefit of this approach is avoiding the problem of vendor lock-in, which is a common occurrence for government organizations around the world.
The issuing of e-licenses, therefore, appears to be an outlier in Digital Iceland’s record which only serves to undermine all the other good work the organization has done.
The main lesson to take away from this case is that security should never be an afterthought. Security is not an add-on that can be established later. Security is not something you add a year after deployment. Security should be the first priority. Security needs to be a concern in the design stages, implementation stages, deployment stages and operational stages of all high-value infrastructure.