Pretty interesting how easy it is to spoof the animated hologram thingy in the new Digital NRIC. Managed to build a Proof of Concept (POC) within a few hours of the news release.
Govtech's response is as follow:
We refer your report submitted under the Vulnerability Disclosure Programme (VDP) on 28-Oct-2021.
The Digital IC offers a convenient alternative to physical IC for a user to present his or her identity credentials for in-person services. The animated lion crest with a holographic effect is not a cryptographic means to secure the Digital IC, rather it acts as a first layer of deterrence to guard against image tampering and screenshot spoofing. It will be absent or appear static if a person attempts to capture a screen recording of the Digital IC.
Other multi-layered security and operational measures are also in place for the use of Digital IC for in-person services. For instance, other than checking for the animated hologram to ascertain that the Digital IC screen is legitimate, agencies and businesses may request users to tap on their devices to test for interactivity and confirm that the presented identity credentials are not captured images or videos. In addition, the user’s latest photograph is displayed on the Digital IC and this further assists onsite personnel to establish the user’s identity.
Cryptographically secure options such as Singpass Verify may also be deployed by agencies and businesses which require higher in-person identity assurance. With Verify, agencies and businesses can display a QR code at their service counters which users can scan with their Singpass and consent to securely share their identity credentials with the agency/business.
We regret that you chose to publish the details of your report on LinkedIn before hearing from us. This action is not consistent with VDP conduct rules which exist to ensure responsible reporting and prevent malicious actors from exploiting unresolved vulnerabilities. We trust you will take note of this and we thank you for helping to keep digital services safe for all users.
To circumvent tapping on the device to test for interactivity, one might have to build a entire fakepass app from scratch as the Singpass app has some protection so you can't just decompile it, hardcode a couple of strings in the app to display a certain NRIC and name and recompile the app. That is more effort than I would like to undertake. I don't really understand Govtech's point on the user's latest photograph. If I wanted to spoof an NRIC, I would put my photograph there and someone else's name and NRIC, then I can enter the building assuming his identity.
Singpass Verify seems to be a more secure option as compared to the Digital NRIC. Not sure why it wasn't adopted as the de-facto standard in place of Digital NRIC. It might be confusing to the public to have so many similar verification related microservices requiring different interactions. Digital NRIC acts as a barcode and requires a scanner. Singpass Verify acts as a scanner and requires a QR code. OpenCerts requires you to upload a file and is only used to verify educational and vaccination certs and not identity documents. There isn't an overarching verification framework with a consistent approach. To be honest, I might get phished myself, if an organization asks me to scan my thumbprint and claims that it is part of a new Govtech standard called OpenFinger, I might fall prey.