Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK National ID Card Cloned In 12 Minutes

Posted by timothy on from the but-it's-secure-says-so-right-on-the-label dept.

Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."

9 of 454 comments (clear)

  1. Re:Outstanding. by Rakishi · · Score: 5, Insightful

    And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail. We send people to death row on little more than unreliable eye witness testimony, why do you think anyone gives a damn how many people may have copies of your ID?

  2. Re:The thing that no one ever thinks of.. by TheLink · · Score: 4, Insightful

    Of course it can be copied. However if I try to show YOUR ID card "as is", to a guard it might not work - he might realize that I look a bit different from you.

    If the ID contains a digital store of your photo and other biometrics on it that is digitally _signed_, even though it can be copied it'll be much harder to tamper with it. And you can only create a new ID if you can sign it with a valid signature.

    Of course in the real world, the _printed_ photo might be all the guards check.

    Also in the real world, creating fake IDs might not be that hard - you might be able to bribe/trick someone to create a new legit ID for you, or steal/borrow the signing machines + keys (or the backup certs+keys).

    BUT, once they realize what has happened, they can revoke your certs (and maybe even those who were responsible for helping you). While this sort of thing might not be that effective against suicidal terrorists, it works well for oppressing your own citizens.

    If they start tying these IDs to travel and payment, then it works even better for keeping the sheep in line...

    Go figure.

    --
  3. Re:Hang on by makomk · · Score: 4, Insightful

    Oh, no doubt you can clone a new card with modified data. The real question is - can you get it to verify as genuine in Government readers now you've modified it? Unless the Government's really screwed up, the cards should have digital signatures, which means any unauthorised changes to the data will make them invalid. The Daily Mail article not only doesn't do a good job of addressing this issue, it fails to realise how significant an obstacle it is. I bet they only bothered to check the card in unofficial readers that don't verify anything...

  4. Re:Outstanding. by FourthAge · · Score: 4, Insightful

    Anti-ID card people, not just the "right wing" (ohnoes!) Daily Mail, always said that something like this was inevitable regardless of the effort put into securing the cards. The Government always brushed their concerns aside while expanding the list of people who would have access to the National ID Register.

    If you got a Government spokesman on Question Time, and you were able to get into QT to ask an awkward question, then he would be as evasive as they have always been. Probably he'd just try to distract attention from the real issues. But the point is moot because all QT questions are vetted. The BBC wouldn't want to put the Government on the spot.

    --
    The tao of democracy: the government you can vote for is not the real government.
  5. It copies, but does it validate? by sulliwan · · Score: 5, Insightful

    Storing a simple hash of the card contents with the hardcoded UID of the card and checking if they match when reading a card is enough to prevent any such attack. While you can copy the card and even change contents on it, it will never validate as an authentic card. Aside from that, smartcards have really gotten quite smart, as far as I know, there are no practical attacks against the newer MiFare cards(most hacks on Desfire or newer systems target the implementation of the system, not the cards themselves).

  6. Re:Outstanding. by CodeArtisan · · Score: 4, Insightful

    BBC is no more going to criticize the government's ideas, than would PBS criticize the Congress.

    I'm guessing you live outside the UK. The BBC has a long and well documented history of complaints from all factions of UK Government. Google "Jeremy Paxman" or "Robin Day" to discover how political interviews should be conducted. Programmes like "Newsnight" and "Panorama" frequently run stories that are highly critical of government policy.

  7. Re:Outstanding. by goaliemn · · Score: 5, Insightful

    Actually, you are incorrect. There are court cases saying you have to present ID if demanded by a cop.

    The cop was responding to a possible house break in. He had to "cross the threshold" to verify this, and he had to verify the person he was talking to was the actual owner. If they believe that a crime is/has occured, there are lower thresholds to entering a possible crime scene. Their job, at that point, is to verify that a crime hasn't occured, and hold anyone who may have committed the crime.

    It wasn't an anonymous tip. The woman who made the call has been harassed and ridiculed for the call. I don't see how that's an anonymous tip.

    I'll throw in that the professor shouldn't have started by showing the cop his college ID. That doesn't verify that you live at the house, and not everyone knows all the professors at a school.

  8. Re:Outstanding. by hairyfeet · · Score: 4, Insightful

    Yeah...uh huh. You haven't actually had to deal with the cops, have you? You see they have this little thing called "disorderly conduct" that pretty much means whatever the fuck they want it to mean that day. Don't show ID? Well he was being 'disorderly" so we had to haul him in, where of course we ran his prints and found out who he was.

    Trust this old greybeard son, you don't get phrases like DWB (driving while black) or testilying integrated into the language by actually having cops give a shit about the constitution. I have traveled all over the south, and talked to many that go cross country pretty much constantly and our findings match. For every 1 decent cop you got about a half dozen "bullies with badges" that are just DYING for you to give them even the flimsiest excuse to seriously fuck with you.

    I had a friend that was a long time cop take early retirement just to get away from all of his fellow cops. He said the new recruits were more like gangbangers than cops and pretty much spent their days looking to "stir up some shit", his words. So you go right ahead and tell that 220 pound steroid monster with a badge who thinks he IS the law how you know your rights and refuse to show ID and see how quick you are in the back of that patrol car. Lets just hope he doesn't decide you are "resisting arrest" while he is at it. Look up "tuning up" a suspect if you don't get the reference.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  9. Re:Outstanding. by PitaBred · · Score: 4, Insightful

    No, you don't. You have to identify yourself if asked, but you DO NOT HAVE TO PRODUCE ID. If the cop says "Show me some ID" it's perfectly legal and appropriate to say "I'm Pitabred. I don't need to show you any ID."

    The grandparent poster was correct, and your correction scares the hell out of me. Learn your rights. Use them. Or you lose them.

    --
    My blog. Good stuff (when I remember to update it). Read it.