Yes, the phone may not be fully unlocked but you are authenticating to a higher level of information and initiating a radio communication. If this cannot be taken advantage of at the moment, it is always possible to do so in the future. This is where I am going with my concern. As someone who teaches how to intercept these types of communications and leverage them for ill will (with permission), among many other things, I have concerns about this technology, at least at the moment. I am not trying to fear-monger, just expressing a concern, especially when data breaches have become so common that people are almost numb to them now. This is all I am saying, I will not use this technology, simply out of an abundance of caution. With a previous version of iOS, 17 something, I was able to clone multiple cards on an iPhone when the radio was engaged even when a specific card was queued to broadcast. I have not tried with the current version of iOS but will be doing so in a few weeks in class.

Edit: I reported this behavior to Apple, I can only assume they corrected it.
 
I had a post that showed the screen shot from just a couple of seconds into the video where it says "unlock your phone".

Yes, it shows that on the screen. Then it shows the process and it is just like using Apple Pay/Wallet. In neither case does your iPhone need to be unlocked. In fact, given your paranoia, one can use one’s Apple Watch and never even pull out one’s iPhone, authenticating with a device securely attached to you.

Yes, I watched it and it is indeed in there. Now for the rest of your post: you know what is not contained in that barcode on the license? All of the content on your phone.

Also, not on one’s Apple Watch. However, in either case, one is not handing over one’s iPhone and as is clear from simple experiments, even if an officer illegally grabbed it from your hand (not sure why one would do that as there are much easier ways for them to do it legally), it is still not unlocked. If one is concerned about FaceID, one just disables FaceID at the beginning of the stop (trivial to do), and then even if the officer had your iPhone it cannot be unlocked without your PIN (something that most courts have ruled you do not need to provide).

None of this is relevant, as the only way an officer takes possession of your iPhone is if he takes it illegally. If you are worried about lawless behavior on the part of law enforcement, there are much easier ways for an officer to get your phone that would be much harder for one to challenge: “I smell marijuana. Please step out of your vehicle so I can search it. While you are outside of your vehicle, I need to do a protective pat down to ensure you have no weapons that can harm me. Before I begin, empty your pockets.” The officer is now in possession of your phone without needing to illegally grab it from you.

I do not care if you disagree with me, but there are security risks involved in this, you simply do not understand them.

Instead of just asserting such risks, please explain them. In particular, please explain how an officer legally gains possession of one’s phone that remains in one’s hand (or even better one’s Apple Watch).
 
Yes, the phone may not be fully unlocked but you are authenticating to a higher level of information and initiating a radio communication. If this cannot be taken advantage of at the moment, it is always possible to do so in the future.

Please provide a specific example of how this can be done. If you cannot, you are simply engaging in spreading FUD, asserting risks with no evidence.

This is where I am going with my concern. As someone who teaches how to intercept these types of communications and leverage them for ill will (with permission), among many other things, I have concerns about this technology, at least at the moment. I am not trying to fear-monger, just expressing a concern, especially when data breaches have become so common that people are almost numb to them now.

Moving from a very specific process involving Apple Secure Enclave to general assertion of “data breaches” is exactly fear mongering.

This is all I am saying, I will not use this technology, simply out of an abundance of caution.

No, you are asserting there are risks everyone else is too stupid to understand, but not providing any evidence of them. If you are a faculty member and one of your students presented a paper that made those claims with no supporting evidence would you accept it? If not, why should anyone else take you seriously?

With a previous version of iOS, 17 something, I was able to clone multiple cards on an iPhone when the radio was engaged even when a specific card was queued to broadcast.

Do you have evidence of this? When you “cloned the cards” were you able to use them in some way? What exactly do you mean “clone”? Given how the data is stored in protected memory and secured against replay attack, I am quite curious about your process.

I have not tried with the current version of iOS but will be doing so in a few weeks in class.

Just to make sure I understand, you found a security hole in a previous version of Apple’s Wallet system, and you have not yet bothered to see if it still exists in iOS 18 (released months ago), but are going to try it live in class for the first time?

Edit: I reported this behavior to Apple, I can only assume they corrected it.

You are a security researcher and you reported this to Apple through their security reporting system and you have not received an acknowledgement from them (with a reward), but just assume it is fixed? Got it. Seems completely legit.

Anyway, let me know when you can demonstrate an actual, meaningful, exploitable security vulnerability and I will pay attention to your comments. Until then it is just spreading FUD.
 
I agree that kindness goes a long way but to be honest I’m very familiar with how this technology works. I teach it every semester and am aware of issues surrounding NFC and its limited protections and the capacity to abuse the information that is being shared. I am also familiar with the number of data breaches that happen every year and am opposed to digitizing PII excessively.
As you're a teacher .... and as I've stated before ...

ALL THE MORE reason NOT to be arrogant! Maybe teaching isn't what you should be doing if on forums you're going to be arrogant to others. You gain absolutely nothing by doing that. Trust me, I had to be corrected several times over the years on these boards and I've evolved and am happier for it. Maybe you could be too? Just saying.
 
Speaking for GA:

1 - the digital DL is a supplement, not replacement. you retain your physical DL
2 - that's a far bigger question not relevant to this discussion about digital DL, but the short answer is few platforms have any interest in making it easy for you to leave their environment
3 - irrelevant, see #1.
Thanks.
 
I’m not being arrogant, simply stating fact. Apologies if I do not consider your opinion on my profession, rather I will consider my achievements in revamping my program and becoming the #1 destination for cyber security in the region.

If I have come across as arrogant that certainly was not my intention, writing/reading text loses the context of emphasis. I will apologize for that.
 
You engage the radio and set the reader (skimmer) to request certain blocks of information. Now you have to know what to ask for, but certain credit cards have certain preambles on their data blocks, so you set the skimmer to request certain preambles with very specific escaped wildcards and with a little luck can get another card's data when it is not the one queued to transmit. I was also asked by Apple if I wanted to be in the reward program and told them I was not interested. I do now have a free developer account so there is that.

If you are saying that being concerned with data breaches is fear mongering then I simply have no words for that level of apathy other than to consider it proof of my statement that the masses have become numb to these occurrences.
 
Instead of just asserting such risks, please explain them. In particular, please explain how an officer legally gains possession of one’s phone that remains in one’s hand (or even better one’s Apple Watch).
Officer: the reader isn't working, let me have your phone.

You: no

Officer: give me your driver's license.

You: I don’t have it

Officer: step out of the car please.

And it can escalate from there. Not saying it would happen. But that it could.
 
You engage the radio and set the reader (skimmer) to request certain blocks of information. Now you have to know what to ask for, but certain credit cards have certain preambles on their data blocks, so you set the skimmer to request certain preambles with very specific escaped wildcards and with a little luck can get another card's data when it is not the one queued to transmit.

Does this exploit enable one to use the additional card received for charges?

If you are saying that being concerned with data breaches is fear mongering then I simply have no words for that level of apathy other than to consider it proof of my statement that the masses have become numb to these occurrences.
No, I am saying that raising the issue of data breaches as an argument against mDL is fear mongering. Data breaches are a serious issue but have no connection to mDL. All the mDL license information is stored local on one’s device. In reality, mDL would mitigate some instances of data theft.

For example: Instead of presenting one’s actual driver’s license to a doorman at a club where he can scan and record all the data without you knowing, one presents one’s mDL that delivers only if one is of age or not. Since reading the mDL needs an entitlement to access the NFC reader that Apple will not provide without a reference to the statutory information required and since the mDL shows what information is being requested, one is better protected using an mDL.
 
1. I was not able to do that as there is a full exchange with Apple Pay that must happen; however, this may be different if one has a debit card attached to their phone. I did not test that and I will not have the opportunity to do so until I am back at the school in a few weeks, as the skimming device is technically the property of the school and I do not like taking it off premises. I may not be able to reproduce it on my latest version of iOS as well if they have corrected the issue.

I do have to agree the driver's license would be convenient but I will simply stick to the old fashioned card as long as they have it.

Another thing for everyone to consider: do not enable express mode for things like digital keys. It makes it easy to pull that data and it may be able to be replayed. I can do this with a Flipper Zero currently with my digital key to the gym at the school, and all I need to do to recreate this is to copy the initialization broadcast from the key reader and replay that near any phone or watch to kick off the key broadcast. We did this as a project last fall where students cloned the initiator from the key reader and then copied the key from my phone in my pocket. It took two Flippers to get it done, one replaying the initiator, another to clone my phone's key broadcast.

It was obvious to me what was happening, however, with some clever criminals, it could be done with little to no knowledge from the victim, perhaps in a crowded elevator or busy walkway.
 
Officer: the reader isn't working, let me have your phone.

In this example, are you arguing that this is a pretextual request to gain access to your phone, or that the officer’s reader really is not working?

If the former, it makes no sense because the officer has no way to know if the driver is going to present an mDL and/or if he is currently in possession of his physical license. In addition, if the officer’s reader was in his hand, the driver, the device’s log and likely the body cam footage would all show if it was true.

On the other hand, the officer can say that he smells marijuana and ask the driver to step out, frisk him directly and take his phone with much less risk that he will have an issue for an unlawful seizure.

If the latter, and the officer’s mDL scanner really is not working and he really needs to determine the driver’s information, what would happen is that the officer would request one’s name, address, and birthdate and would request wants and warrants over the radio, as there is no way for him to gain that information from one’s phone without a reader.

And it can escalate from there. Not saying it would happen. But that it could.

The more concerning scenario that actually has happened is getting shot pulling one’s regular driver’s license out of one’s pocket. While in many/most cases, one’s phone would be visible and accessible thanks to being connected for charging/CarPlay.

I will not claim that your scenario could not happen, just that both of mine are much more likely as the first set leaves no negative paper/video trail, and the second has already happened (just not many times).
 
1. I was not able to do that as there is a full exchange with Apple pay that must happen,

So you have an exploit that you know does not leak meaningful information in one case (credit cards), and might not leak meaningful information in another case (debit cards), but you have not bothered to test that (nor do you know if your serious exploit still exists because in the 4 months since iOS 18 was released - not even counting the extra months in the beta period - you have not bothered to go to campus and test whether it is still there). Do I have that right?


I do have to agree the driver's license would be convenient but I will simply stick to the old fashioned card as long as they have it.

It is not only more convenient, in many (if not all) cases, it is safer than the paper alternative. In addition to the example of the doorman I gave earlier, not having one’s physical license makes it harder for a bad actor to gain your home address in the event one loses one’s wallet.

That makes it harder to exploit one’s credit cards fraudulently.

Keeping one’s physical driver’s license at home in a safe place would mean that one was able to replace one’s mDL without needing a trip to the DMV.

Another thing for everyone to consider, do not enable express mode for things like digital keys,

Is this true only for digital keys, or for all express mode wallet items? Are you saying that all digital keys (including Apple’s HomeKey) are replayable?

…my digital key to the gym at the school and all I need to do to recreate this is to copy the initialization broadcast from the key reader and replay that near any phone or watch to kick off the key broadcast.

Did you verify that the cloned key would grant access? Was this an actual key or just one’s gym membership that would bring up one’s picture on the monitor for an attendant to verify?
 
Officer: the reader isn't working, let me have your phone.

Exactly what legitimate purpose would that serve?

The only information displayed by the phone is first name, last initial, and issuing state. Nothing else is available without a reader.

(and the scenario is presently moot in GA since O.C.G.A § 40-5-29 still requires drivers to have their conventional license. The digital DL is supplemental not a replacement)

Exactly what legitimate purpose would that serve?

None, unless you've purposefully or accidentally unlocked your phone from the pretty easy to accidentally do face unlock, now they have your unlocked phone and can (illegally) do a lot of things. It can happen is all I am saying and that is a risk that I am not willing to take, and anyone concerned about privacy and security should be concerned with as well.
 
Did you verify that the cloned key would grant access? Was this an actual key or just one’s gym membership that would bring up one’s picture on the monitor for an attendant to verify?
Yes, the replayed key unlocked the door numerous times without issue. This key was not a membership key, rather a key that will eventually be used to unlock all doors to the school. The gym was simply an inexpensive test run of the system before full adoption. I demonstrated this to campus security and the IT department; they have not (and probably will not) tell me what actions they are planning to take regarding the issue.
 
I can replay Apple's HomeKey if I clone it within just a very short amount of time, just seconds, so it is not practical to clone that one.

I did not test a debit card because I did not have, nor will I ever use, a debit card digitally in my phone. I do not use debit cards at all due to the lower protections than what is available for credit cards.

No I have not tested it since we did the project in class, being the department head, managing all of the infrastructure for my department because campus IT does not manage our equipment and we are on a separate network completely air-gapped from the campus network, and building (still in progress) the first cyber range to be hosted by a small college in our state, I've had very little time to do anything not deemed critical. I do plan to do it again in a couple of months (week 9 is cloning and replay attacks and hash cracking) and if I can remember to do so, will update my findings from class.

As for the express mode, I would leave that turned off. I only tested the HomeKey to see if I could get it to trigger from a clone of the door lock initialization and could. This may have not been my best test as I did not give it time to see if there is a rolling broadcast that is time-dependent. Perhaps I will try that later as well. The brand of the lock was Schlage if that is important to anyone.
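Added example, not posted by anyone in this thread and not Apple's, Schlage's or the school's protocol: a Python simulation of why a credential that broadcasts a fixed token can be recorded and replayed, and how a reader-issued, single-use challenge with a short validity window limits the attack to a live relay, which matches the "only within seconds" HomeKey observation above. The reader id, keys, window and clock values are constructed.

```python
import hashlib
import hmac
import os

READER_ID = b"gym-door-01"      # constructed reader identity, not a real device id
CHALLENGE_WINDOW_S = 2.0        # constructed: seconds an issued challenge stays valid


class StaticCredential:
    """Credential that emits the same token on every tap (a replayable key)."""
    def __init__(self, secret: bytes) -> None:
        self.token = hashlib.sha256(secret).digest()

    def broadcast(self) -> bytes:
        return self.token


class StaticReader:
    """Reader that only compares the token to its enrolled copy: one capture replays forever."""
    def __init__(self, enrolled_token: bytes) -> None:
        self.enrolled = enrolled_token

    def unlock(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self.enrolled)


class ChallengeCredential:
    """Credential that answers only a reader-issued challenge, bound to the reader's identity."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, READER_ID + challenge, hashlib.sha256).digest()


class ChallengeReader:
    """Reader that issues random, single-use, short-lived challenges and verifies the keyed answer."""
    def __init__(self, secret: bytes, window_s: float = CHALLENGE_WINDOW_S) -> None:
        self.secret = secret
        self.window_s = window_s
        self.outstanding: dict[bytes, float] = {}  # challenge -> time issued

    def challenge(self, now: float) -> bytes:
        # Drop expired challenges so the table cannot grow without bound.
        self.outstanding = {c: t for c, t in self.outstanding.items() if now - t <= self.window_s}
        c = os.urandom(16)
        self.outstanding[c] = now
        return c

    def unlock(self, challenge: bytes, response: bytes, now: float) -> bool:
        issued = self.outstanding.pop(challenge, None)  # consumed on first use, valid or not
        if issued is None or now - issued > self.window_s:
            return False  # never issued, already used, or expired
        expected = hmac.new(self.secret, READER_ID + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def replay_against_static_reader() -> tuple[bool, bool]:
    """Returns (legitimate tap accepted, recorded broadcast accepted)."""
    secret = os.urandom(32)  # constructed shared key
    cred = StaticCredential(secret)
    reader = StaticReader(cred.token)
    captured = cred.broadcast()  # an eavesdropper records one broadcast
    return reader.unlock(cred.broadcast()), reader.unlock(captured)


def replay_against_challenge_reader() -> tuple[bool, bool, bool, bool]:
    """Returns (legitimate, replayed exchange, harvested stale answer, live relay within window)."""
    secret = os.urandom(32)  # constructed shared key
    cred, reader = ChallengeCredential(secret), ChallengeReader(secret)
    t0 = 1000.0  # constructed clock so the timing is deterministic

    c1 = reader.challenge(t0)
    captured = (c1, cred.respond(c1))  # eavesdropper records the whole exchange
    legit = reader.unlock(c1, captured[1], t0 + 0.1)
    replay = reader.unlock(captured[0], captured[1], t0 + 0.2)  # c1 already consumed

    # Recorded-initiator trick: an old reader challenge is played to the victim's device to
    # harvest an answer, which is presented at the door later. By then the challenge has expired.
    c2 = reader.challenge(t0 + 1.0)
    harvested = cred.respond(c2)
    stale = reader.unlock(c2, harvested, t0 + 60.0)

    # A live relay inside the window still works: the window bounds the attack, it does not
    # remove it, which is what the "only within seconds" behaviour above reflects.
    c3 = reader.challenge(t0 + 100.0)
    live_relay = reader.unlock(c3, cred.respond(c3), t0 + 100.5)
    return legit, replay, stale, live_relay
```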
 
Exactly what legitimate purpose would that serve?
None [...]

Correct. There is no digital driver's license related circumstance in which you would have reason to hand over your phone, regardless of it being locked or unlocked, since there's no accessible driver's license data without a reader.

[...] now they have your unlocked phone and can (illegally) do a lot of things. It can happen is all I am saying and that is a risk that I am not willing to take, and anyone concerned about privacy and security should be concerned with as well.

Per above, your concern of handing over an unlocked phone is moot - there's no legitimate DL related reason for an officer to ask, and thus no legal requirement for you to comply.

As to an officer seizing your phone and going through it - they can physically (and illegally) do that whether or not you have a digital driver's license. Should you find yourself in a situation where this is truly a concern, hard-locking your phone takes two seconds, disabling FaceID until you enter your passcode (which presently cannot be legally coerced).
 
And the police never do anything illegal I guess.......
Yes, some of them do sometimes. But you keep using that as an argument in favor of this specific situation, without ever taking the next step. Yes, an officer could grab your unlocked iPhone out of your hand and scroll through your messages. They could also take out their gun and shoot you, and claim you were belligerent and they thought you were going for a gun. Why express so much concern for one scenario and none for the other?
 
Who says I do not? I concern myself with a great number of risks and try to avoid them as often as possible, to the rest I try to mitigate or transfer the risks, all others, I am forced to accept. This topic is a risk I have chosen to avoid, and that is my personal choice. If others wish to continue to ridicule, they may do so, however, it has no bearing on my decision, just as my concerns seem to have no bearing on theirs.
 
You keep avoiding the part where you provide the specifics of how adding a digital drivers license increases your risk of someone going through your phone contents.

There is no legitimate circumstance in which you'd hand your phone to the officer.

If the officer chooses to illegally seize your phone and attempt to search the contents, it won't be unlocked. Though he or she could of course hold it up to your face - but at that point it is moot whether you had a digital drivers license installed or not.
 
I have not avoided it at all, I've given some specific examples. I do not feel the need to explain it any further than the more copies you have of your data and the more diverse platforms it resides on, the larger the threat surface for it becomes.
 
Your examples were founded on the assumption of the driver needing to hand over their phone.

Since there is no such legal requirement - with or without a digital driver's license - the scenarios are invalid.
 
I disagree with your sentiment; events do not require legal sentiment to happen anyway. For example, Joe drives his car down the road, perfectly legal; Joe drives his car through a crowd of people, not legal, but it can happen anyway. You and I will simply have to agree to disagree; however, your disagreement with me does not invalidate the concerns with this in any way.
 
Anyway, let me know when you can demonstrate an actual, meaningful, exploitable security vulnerability and I will pay attention to your comments. Until then it is just spreading FUD.
No one is going to waste their time attempting to convince any one of anything on this board. Time is money. Either take people at their word or be a cynic... Just remember you don't "win" because you've challenged someone to prove something and they choose not to accept.
 