Slashdot Mirror


UK National ID Card Cloned In 12 Minutes

Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."

21 of 454 comments

  1. Outstanding. by palegray.net · · Score: 5, Interesting

    I just can't wait for national ID cards here in the States! It'll be great for plausible deniability: "Oh, you say you saw ID? Prove it was really me."

    1. Re:Outstanding. by siloko · · Score: 4, Interesting

      I think there are two things of note. First the article is in the Daily Mail which has a populist agenda usually veering alarmingly to the right. They have jumped on the anti-id bandwagon so maybe this article should be taken with a pinch of salt. Secondly if it is true it raises some interesting points. Who did the UK Government get to test the security on these cards? How do you respond to such a public relations disaster? How do you tally lax security with bullet proof identification and if this is not possible what plausible reason is there for rolling these things out nationally? I would be very interested to get a Government spokesman on Question Time squirming to reply to those questions, because they are essentially unanswerable whilst still clinging to the existing policy. And too much money has been spent for this Government to change it now . . .

    2. Re:Outstanding. by commodore64_love · · Score: 2, Interesting

      You are not obligated to show a U.S. policeman your ID or any other papers unless (a) you're behind the wheel of a car (b) they have a warrant issued by a judge or (c) they saw you doing something illegal (probable cause).

      This is what the cop did wrong in the case of the black professor:
      - He should have never crossed the threshold of the house
      - He had no right to demand ID of an owner standing inside the house

      The proper course was for the officer to obtain a warrant from a judge, which then would have enabled him to get an ID or enter the home. Of course no judge would have issued that warrant because an anonymous phonecall is not probable cause, according to the U.S. Supreme Court.

      The black professor had every right to be angry, and I would have acted in a similar fashion (and I'm a white guy). It's called the right of free speech. In your own home, you can stand there all day long calling cops shitheads and other curse words, and the cops have no authority to arrest you. That right is protected by the Supreme Law of the land.

      President Obama, rather than invite the cop for a sitdown, should have stated accurately that the cop violated constitutional law.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    3. Re:Outstanding. by GNious · · Score: 2, Interesting

      If I understand correctly, a U.S. Government Official (e.g. Police person or personette) can demand you show your ID if you aren't a U.S. citizen. How they're to know, I've no idea.

      G

    4. Re:Outstanding. by AndersOSU · · Score: 3, Interesting

      The case on point is Hiibel. Follow the links for more info.

      The ACLU also has a very good resource.

    5. Re:Outstanding. by internic · · Score: 2, Interesting

      I'm not debating whether the cop should have showed up to check out the call, nor whether he should have tried to verify that Gates was the homeowner. Since we have conflicting information about what happened, it's pointless to argue over whether Gates was acting reasonably. However, to the best of my knowledge (note, I haven't followed this story closely) both people agree that a) Gates eventually showed ID that satisfied the officer that he was the homeowner, and b) Gates did not attempt to physically assault the officer. Based on that information, I'd say it's totally inappropriate for him to be arrested in his own home.

      Gates may well have been acting like a jerk (like I said, we can't know), but that should not be an arrestable offense in a free society. As far as wasting time, there is the charge for impeding an investigation, which could be used but only in extreme cases. The extra cost of this to the tax payer would almost certainly be extremely small, and I'm willing to pay a few more bucks of taxes if it means that police cannot arrest anyone they arbitrarily decide is a jerk or wasting their time.

      --
      "You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
    6. Re:Outstanding. by FourthAge · · Score: 2, Interesting

      My evidence would be the questions that are NOT asked on Question Time!

      Politicians get an undeservedly easy ride on this and all BBC news programmes. The purpose of these programmes is to give the impression of independence, giving the Ministers a hard time. This is created by disagreeing with the Government on minor issues. The hope is that the British people will believe that the BBC is on their side when something really important comes up.

      Modern propagandists do not behave like Goebbels. They do not present one set of facts, they present two, but misrepresent and omit details about the second. This gives the illusion of independence while serving their agenda.

      --
      The tao of democracy: the government you can vote for is not the real government.
    7. Re:Outstanding. by Skjellifetti · · Score: 2, Interesting

      The trick is to prove that the judge is as guilty as the defendant. There was a case some years ago involving alleged cocaine cash seized at an airport under RICO where the prosecution sought to use as evidence the fact that the money carried by the defendant was contaminated with traces of cocaine. The defense lawyer asked for some cash from the wallet of the judge and tested it right there in the courtroom for cocaine traces. Sure enough, the judge's cash also showed traces of cocaine. The prosecutor's evidence was tossed and the government forced to return the seized money.

      ... form i8675j

      No, you will need form twenty-seven B stroke six.

  2. Can't have digital security by HetMes · · Score: 4, Interesting

    If it's digital, exact copies are possible.
    If it's digital, because of the convenience, analogue security measures will be taken less seriously.
    If it's digital, uninformed politicians will think it cool, and believe in it like some do in 70 virgins.
    If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics
    If it's digital, tampering is undetectable.

    Either way, this digitally secure ID thing can only lead to government saying: "Look! We've tried, and you also know that the only way to do this properly is to put you all in a database and track your every move."

    Can we perhaps agree on forsaking digital security just because it's cheaper and faster in cases where we don't need it anyway (i.e. when people aren't up to no good)?

    1. Re:Can't have digital security by Koookiemonster · · Score: 5, Interesting

      What's interesting about technology like this -- such as electronic voting, passports with chips etc -- is that geeks are often against it. Geeks, who generally love technology and gadgetry, are saying no. Maybe the legislators should listen -- assuming that at least some of them actually care.

    2. Re:Can't have digital security by sdiz · · Score: 2, Interesting

      If it's digital, exact copies are possible.
      [...]

      If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics

      [...]

      If it's digital, tampering is undetectable.

      hmm.. in fact, there are smart cards with microprocessors empowered with strong public key encryption that would make cloning very difficult and always detectable.

      But the government just doesn't care (or can't tell the difference)

    3. Re:Can't have digital security by Keeper Of Keys · · Score: 4, Interesting

      You're right. Unfortunately they only listen to the geeks they are paying to create systems like this, who are of course saying "yes, we can make an uncrackable security system" and suppressing their sniggers until they've made it out of the room with their fat cheque.

  3. Surprising by AdamInParadise · · Score: 4, Interesting

    I work in the smartcard industry and most of the time those "breaks" mean nothing: usually the "hacker" simply reads the publicly available information and claims that the system is "broken". The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not explain them very well.

    However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent. This article is heavier on details than many others and that makes it more credible, but the details are still muddy. I hope that the journalist missed a crucial point and that this card is not as insecure as he thinks.

    Small-scale, private smartcard-based systems can be cracked, usually because they are badly installed and used. Large-scale, private smartcard-based systems can be cracked (just look into the MiFare Classic debacle) but it involves months of hard work from people with PhDs and access to expensive equipment. Large-scale, governmental smartcard-based systems can be cracked, but I would be really surprised if it took only a few minutes. Unless that hacker presents the attack in detail, I will file this one in the "baseless fearmongering in order to sell more papers" folder (which is already bursting BTW).

    --
    Nobox: Only simple products.
  4. Re:The thing that no one ever thinks of.. by martyros · · Score: 4, Interesting

    If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."

    IOW, there's no security, signing, encryption, anything at all (or if there is it's so broken that it might as well not be there). The fact that it's computerized makes it easier to fake out rather than harder, and simultaneously gives the illusion of being more reliable rather than less. It's bad all around.

    --

    TCP: Why the Internet is full of SYN.

  5. Expensive Equipment? by TerraGreyling · · Score: 4, Interesting

    Unless there have been leaps and bounds in smart card technology in the past couple of years I think this is an overstatement. A few years back I made most of my money buying blank smart cards, copying the information from the satellite TV smartcards, changing a few places in the hexadecimal coding, and selling full unblocked TV. Of course we would tell the user to remove the cards from the boxes at night when the companies would do system checks that fry any unauthorized cards. And the cost of such equipment, $49.95. Not expensive and on about average, 15 minutes of work. If the UK is using the same format, that would be a real easy "hack".

    1. Re:Expensive Equipment? by Anonymous Coward · · Score: 3, Interesting

      TV unblocking is relatively simple, they use a (symmetric) master key that is used to derive session keys. These keys need to be in memory because they are required for the decoding, which needs a lot of performance. Also, you can always "share" the smart card between friends, the smart card does not know who is requesting the session keys. These are cheap cards. Or at least, this is how it used to be, I don't keep a close watch on this.

      These cards use Passive Authentication making sure that the biometric data cannot be altered. Keys are stored on a central place, well secured. Furthermore, they've got protection against anti-cloning using an asymmetric smart card processor. This is not an easy hack at all, unless the verification equipment does not have the certificates to verify the signature, because the whole of these cards relies on that.
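
The checks named in the comment above, as an added example that is not part of the original thread: an issuer signature over the data hashes (Passive Authentication) catches altered data, a challenge answered with a chip-held private key catches an exact copy, and a reader without the issuer certificate catches neither. The field names, the textbook-RSA toy keys built from known Mersenne primes and the sample holder record are constructed assumptions, not details of the UK card.

```python
import hashlib
import secrets

E = 65537  # RSA public exponent

def make_key(p, q):
    # Textbook RSA from known Mersenne primes: toy keys, no padding, demo only.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(h(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == h(data, n)

ISSUER = make_key(2**127 - 1, 2**89 - 1)   # constructed issuer signing key
CHIP = make_key(2**107 - 1, 2**61 - 1)     # constructed key that never leaves the chip
OTHER = make_key(2**521 - 1, 2**607 - 1)   # whatever key a copied card holds instead

def hash_list(groups):
    return "|".join(f"{k}={hashlib.sha256(v).hexdigest()}"
                    for k, v in sorted(groups.items())).encode()

def issue(holder):
    groups = {"chip_pub": str(CHIP["n"]).encode(), "holder": holder}
    hashes = hash_list(groups)
    return {"groups": groups, "hashes": hashes, "sig": sign(ISSUER, hashes), "secret": CHIP}

def copy_readable(card, new_holder=None):
    # A copy carries every readable byte, but not the chip's private key.
    groups = dict(card["groups"])
    if new_holder is not None:
        groups["holder"] = new_holder
    return {**card, "groups": groups, "secret": OTHER}

def passive_auth(card, issuer_n):
    return (verify(issuer_n, card["hashes"], card["sig"])
            and hash_list(card["groups"]) == card["hashes"])

def active_auth(card):
    # Fresh challenge; only the chip holding the private key can answer it.
    challenge = secrets.token_bytes(16)
    response = sign(card["secret"], challenge)
    return verify(int(card["groups"]["chip_pub"].decode()), challenge, response)

def inspect(card, issuer_n=None):
    if issuer_n is None:
        return "accepted, unverified"   # reader lacks the issuer certificate
    if not passive_auth(card, issuer_n):
        return "rejected: data altered"
    return "genuine" if active_auth(card) else "rejected: copied chip"
```

Passive Authentication alone still passes a byte-for-byte copy, which is why the inspection step also needs the challenge-response check and the issuer certificate.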

  6. Re:The thing that no one ever thinks of.. by daem0n1x · · Score: 4, Interesting

    Here in Portugal we've had ID cards since the 19th century. We were pioneers in the usage of smart cards as ID cards, together with Belgium and Finland.

    While our old paper ID cards were easily falsifiable, the new smart card is virtually impossible to falsify. It has a lot of physical security measures, a few holograms, engravings, etc. As to the chip, all the data in the chip is digitally signed by the government. The RSA private keys inside are generated by the card during personalisation, and are not extractable. I dare you try to create a false one. The British card seems to be a cheap piece of shit.

    Anyway, what's all the fuss about ID cards? What do you use to identify yourself? Social Security card? Driver's license? How hard is it to forge one of these?

  7. Which phone has RFID? by Anonymous Coward · · Score: 1, Interesting

    Which Nokia phone has the RFID hardware?

    I was thinking of buying a dedicated rig to play with, but if I can just get a new phone instead it will work out much cheaper.

  8. Re:The thing that no one ever thinks of.. by daem0n1x · · Score: 2, Interesting

    So, that is a problem with central information systems, it has nothing to do with ID or cards. The government can track everything you do without any ID cards, they will simply use other data, like SS number, simply your name, or even credit card.

    In Portugal, we have an interesting system. It's constitutionally illegal to identify someone towards the several state services using a single number. We used to have several cards, for ID, for health care, for social security, for taxes, for voting.

    Now, we have a single card that has all these numbers printed on the back. The databases are all separated. A worker from the Ministry of Finance can only use your tax payer ID and access only tax information. A Social Security worker can only access your SS data, etc.

    It depends a lot on culture. In our country we don't trust the government or private institutions that much. In other countries people have more trust, so they don't mind the databases.

    In the UK, there is a paradox. It's a vigilance state, in spite of the Anglo-Saxon culture being so keen on privacy and individual rights. And UK citizens (rightfully) suspect the government doesn't treat their privacy with enough care.

  9. This is the biggest problem by Anonymous Brave Guy · · Score: 4, Interesting

    And the government expert witness, on the government's payroll of course, will say the ID is nearly infallible and you'll end up in jail.

    I think this is symptomatic of the biggest single problem with so many government powers.

    Things will inevitably go wrong in any system as large and complicated as running a national government. This will be true even if everyone tries to be diligent and acts with nothing but good intentions. There is no point either pretending that this won't happen or pretending that it would be better if we dropped all government systems that could possibly cause such problems no matter how much good they might otherwise do.

    However, there should always be a system in place that allows mistakes to be detected and put right quickly, and without making things any worse for the unlucky victim. This is particularly true in cases of mistaken identity or other factual errors, where the consequences might be anything from financial loss such as being denied benefits or overtaxed, through loss of reputation and all the damage to relationships and career that might entail, right through to violent arrest and detention (or worse).

    As a declaration of interest, I am particularly sceptical about any claims relating to ID, because I was once overtaxed significantly due to a case of mistaken identity at a government tax office. It was bad enough that I was left short of money to pay my rent without warning, but even worse that it took nearly three months and a huge amount of effort on my part to get it put right, and I never received so much as a real apology or full explanation afterwards. I can forgive a data entry error by someone who's probably earning near the minimum wage and typing hundreds or thousands of these numbers every day. I can't forgive a system that damages me for months afterwards because it can't acknowledge that it made a mistake.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  10. falsely convicted by falconwolf · · Score: 2, Interesting

    We send people to death row on little more than unreliable eye witness testimony

    We do?

    The US does. The Innocence Project has proven the innocence or had arranged the pardon of 4 people this past week. Ernest Sonnier had been in prison 23 years for rape when a DNA test cleared him. A report on the lab that originally ran tests that were used to convict him "details dozens of testing errors and questionable practices uncovered at the Houston lab." I don't recall if it was Alabama or Louisiana but one of them had a problem with an investigator, he had been caught manufacturing evidence. In one case, though he had been caught, the state supreme court has upheld the conviction on another person on death row, ruling to the effect that just because he manufactured evidence once it doesn't mean he did in all cases. Yet they wouldn't allow new tests.

    Falcon