UK National ID Card Cloned In 12 Minutes

Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."

Outstanding.

[palegray.net]

I just can't wait for national ID cards here in the States! It'll be great for plausible deniability: "Oh, you say you saw ID? Prove it was really me."

Re:Outstanding.

[Rakishi]

And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail. We send people to death row on little more than unreliable eye witness testimony, why do you think anyone gives a damn how many people may have copies of your ID?

Re:Outstanding.

[siloko]

I think there are two things of note. First the article is in the Daily Mail which has a populist agenda usually veering alarmingly to the right. They have jumped on the anti-id bandwagon so maybe this article should be taken with a pinch of salt. Secondly if it is true it raises some interesting points. Who did the UK Government get to test the security on these cards? How do you respond to such a public relations disaster? How to you tally lax security with bullet proof identification and if this is not possible what plausible reason is there for rolling these things out nationally? I would be very interested to get a Government spokesmen on Question Time squirming to reply to those questions, because they are essentially unanswerable whilst still clinging to the existing policy. And too much money has been spent for this Government to change it now . . .

Re:Outstanding.

[FourthAge]

Anti-ID card people, not just the "right wing" (ohnoes!) Daily Mail, always said that something like this was inevitable regardless of the effort put into securing the cards. The Government always brushed their concerns aside while expanding the list of people who would have access to the National ID Register.

If you got a Government spokesman on Question Time, and you were able to get into QT to ask an awkward question, then he would be as evasive as they have always been. Probably he'd just try to distract attention from the real issues. But the point is moot because all QT questions are vetted. The BBC wouldn't want to put the Government on the spot.

Re:Outstanding.

[IBBoard]

You're allowed to buy alcohol from 18 in the UK, but they're now asking for ID if you look under 25. Also, my 35 year old sister-in-law has been asked for ID several times in Colorado, USA (where she lives). It's not just the young 'uns who need ID ;)

Re:Outstanding.

[TheRaven64]

Who did the UK Government get to test the security on these cards?

They got quite a competent group of people, as is the policy of the current government. These people issued a report that the cards were insecure and did not solve any problems that actually existed (they actually made some quite interesting recommendations about the problems related to ID that the government could try to solve). Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded. Fortunately, the recent set of expenses scandals kicked the most vocal advocates of the ID card out of the cabinet.

Re:Outstanding.

[CodeArtisan]

BBC is no more going to criticize the government's ideas, than would PBS criticize the Congress.

I'm guessing you live outside the UK. The BBC has a long and well documented history of complaints from all factions of UK Government. Google "Jeremy Paxman" or "Robin Day" to discover how political interviews should be conducted. Programmes like "Newsnight" and "Panorama" frequently run stories that are highly critical of government policy.

Re:Outstanding.

[goaliemn]

Actually, you are incorrect. There are court cases saying you have to present ID if demanded by a cop.

The cop was responding to a possible house break in. He had to "cross the threshold" to verify this, and he had to verify the person he was talking to was the actual owner. If they believe that a crime is/has occured, there are lower thresholds to entering a possible crime scene. Their job, at that point, is to verify that a crime hasn't occured, and hold anyone who may have committed the crime.

It wasn't an anonymous tip. The woman who made the call has been harassed and ridiculed for the call. I don't see how that's an anonymous tip.

I'll throw in that the professor shouldn't have started by showing the cop his college ID. That doesn't verify that you live at the house, and not everyone knows all the professors at a school.

Re:Outstanding.

[hairyfeet]

Yeah...uh huh. You haven't actually had to deal with the cops, have you? You see they have this little thing called "disorderly conduct" that pretty much means whatever the fuck they want it to mean that day. Don't show ID? Well he was being 'disorderly" so we had to haul him in, where of course we ran his prints and found out who he was.

Trust this old greybeard son, you don't get phrases like DWB (driving while black) or testilying integrated into the language by actually having cops give a shit about the constitution. I have traveled all over the south, and talked to many that go cross country pretty much constantly and our findings match. For every 1 decent cop you got about a half dozen "bullies with badges" that are just DYING for you to give them even the flimsiest excuse to seriously fuck with you.

I had a friend that was a long time cop take early retirement just to get away from all of his fellow cops. He said the new recruits were more like gangbangers than cops and pretty much spent their days looking to "stir up some shit", his words. So you go right ahead and tell that 220 pound steroid monster with a badge who thinks he IS the law how you know your rights and refuse to show ID and see how quick you are in the back of that patrol car. Lets just hope he doesn't decide you are "resisting arrest" while he is at it. Look up "tuning up" a suspect if you don't get the reference.

Re:Outstanding.

[PitaBred]

No, you don't. You have to identify yourself if asked, but you DO NOT HAVE TO PRODUCE ID. If the cop says "Show me some ID" it's perfectly legal and appropriate to say "I'm Pitabred. I don't need to show you any ID."

The grandparent poster was correct, and your correction scares the hell out of me. Learn your rights. Use them. Or you lose them.

The solution is simple...

[nadamucho]

Just ban cell phones and laptop computers!

Re:The solution is simple...

[GeorgeStone22]

"The real shame is the government has spent billions of our tax dollars without acknowledging this fact. Is it even a British company thats producing the cards? Or are these tax dollars going to another economy?"

What a great comment from the daily mail article.
Tax dollars in the UK. Amazing.

Took longer than I'd have expected.

[webreaper]

Guess they got spent a bit longer on the security aspect than most Government IT projects then.

Re:Hang on

[sifi]

I unfortunately read the article...

He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

Lets hope this puts the final nail in the coffin for this stupid idea.

Re:Hang on

[krou]

Actually, TFA is a post on Computer Weekly, who read the Daily Mail so you don't have to.

Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.

He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.

Can't have digital security

[HetMes]

If it's digital, exact copies are possible.
If it's digital, because of the convenience, analogue security measures will be taken less seriously.
If it's digital, uninformed politicians will think it cool, and believe in it like some do in 70 virgins.
If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics
If it's digital, tampering is undetectable.

Either way, this digitally secure ID thing can only lead to government saying: "Look! We've tried, and you also know that the only way to do this properly is to put you all in a database and track your every move."

Can we perhaps agree on forsaking digital security just because it's cheaper and faster in cases where we don't need it anyway (i.e. when people aren't up to no good)?

Re:Can't have digital security

[Koookiemonster]

What's interesting about technology like this -- such as electronic voting, passports with chips etc -- is that geeks are often against it. Geeks, who generally love technology and gadgetry, are saying no. Maybe the legislators should listen -- assuming that at least some of them actually care.

Re:Can't have digital security

[Keeper+Of+Keys]

You're right. Unfortunately they only listen to the geeks they are paying to create systems like this, who are of course saying "yes, we can make an uncrackable security system" and suppressing their sniggers until they've made it out of the room with their fat cheque.

Re:Can't have digital security

[Cyberax]

Neither cards nor verification hardware require the master private key to be present.

Just like SSL, in a good implementation of ID cards each card is issued its own private and public keys, signed by the root private key (which is kept in secrecy). Then ID card uses this PK to encrypt communications. Verification hardware only needs the root public key to check that the ID card is legit.

Re:The thing that no one ever thinks of..

[TheLink]

Of course it can be copied. However if I try to show YOUR ID card "as is", to a guard it might not work - he might realize that I look a bit different from you.

If the ID contains a digital store of your photo and other biometrics on it that is digitally _signed_, even though it can be copied it'll be much harder to tamper with it. And you can only create a new ID if you can sign it with a valid signature.

Of course in the real world, the _printed_ photo might be all the guards check.

Also in the real world, creating fake IDs might not be that hard - you might be able to bribe/trick someone to create a new legit ID for you, or steal/borrow the signing machines + keys (or the backup certs+keys).

BUT, once they realize what has happened, they can revoke your certs (and maybe even those who were responsible for helping you). While this sort of thing might not be that effective against suicidal terrorists, it works well for oppressing your own citizens.

If they start tying these IDs to travel and payment, then it works even better for keeping the sheep in line...

Go figure.

Surprising

[AdamInParadise]

I work in the smartcard industry and most of the time those "breaks" mean nothing: usually the "hacker" simply reads the publicly available information and claims that the system is "broken". The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not explain them very well.

However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent. This article is heavier on details than many others and that makes it more credible, but the details are still muddy. I hope that the journalist missed a crucial point and that this card is not as insecure as he thinks.

Small-scale, private smartcard-based systems can be cracked, usually because they are badly installed and used. Large-scale, private smartcard-based systems can be cracked (just look into the MiFare Classic debacle) but it involves months of hard work from people with PhDs and access to expensive equipement. Large-scale, govermental smartcard-based systems can be cracked, but I would be really surprised if it took only a few minutes. Unless that hacker presents the attack in details, I will file this one in the "baseless fearmongering in order to sell more papers" folder (which is already bursting BTW).

Re:Hang on

[makomk]

Oh, no doubt you can clone a new card with modified data. The real question is - can you get it to verify as genuine in Government readers now you've modified it? Unless the Government's really screwed up, the cards should have digital signatures, which means any unauthorised changes to the data will make them invalid. The Daily Mail article not only doesn't do a good job of addressing this issue, it fails to realise how significant an obstacle it is. I bet they only bothered to check the card in unofficial readers that don't verify anything...

Re:The thing that no one ever thinks of..

[martyros]

If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."

IOW, there's no security, signing, encryption, anything at all (or if there is it's so broken that it might as well not be there). The fact that it's computerized makes it easier to fake out rather than harder, and simultaneously gives the illusion of being more reliable rather than less. It's bad all around.

It copies, but does it validate?

[sulliwan]

Storing a simple hash of the card contents with the hardcoded UID of the card and checking if they match when reading a card is enough to prevent any such attack. While you can copy the card and even change contents on it, it will never validate as an authentic card. Aside from that, smartcards have really gotten quite smart, as far as I know, there are no practical attacks against the newer MiFare cards(most hacks on Desfire or newer systems target the implementation of the system, not the cards themselves).

Expensive Equipment?

[TerraGreyling]

Unless there have been leeps and bounds in smart card technology in the past couple of years I think this is an overstatement. A few years back I made most my money buying blank smart cards, copying the information from the satelite TV smartcards, changing a few places in the hexidecimal coding, and selling full unblocked TV. Of course we would tell the user to remove the cards from the boxes at night when the companys would do system checks that fry any unauthorized cards. And the cost of such equipment, $49.95. Not expensive and on about average, 15 minutes of work. If the UK is using the same format, that would be a real easy "hack".

Re:The thing that no one ever thinks of..

[daem0n1x]

Here in Portugal we've had ID cards since the 19th century. We were pioneers in the usage of smart cards as ID cards, together with Belgium and Finland.

While our old paper ID cards were easily falsifiable, the new smart card is virtually impossible to falsify. It has a lot of physical security measures, a few holograms, engravings, etc. As to the chip, all the data in the chip is digitally signed by the government. The RSA private keys inside are generated by the card during personalisation, and are not extractable. I dare you try to create a false one. The British card seems to be a cheap piece of shit.

Anyway, what's all the fuss about ID cards? What do you use to identify yourself? Social Security card? Driver's license? How hard it is to forge one of these?

Re:The thing that no one ever thinks of..

[IBBoard]

What do you use to identify yourself? Social Security card? Driver's license?

ID tends to be something like a driver's license or passport. Other measures can be used (e.g. by banks) if you don't drive and haven't been on holiday. Similarly the Government in the UK has some fairly simple ID cards for teenagers who want to prove their age to buy alcohol but don't have a driver's license or passport.

How hard it is to forge one of these?

It's not impossible, and it all depends on how hard the passport etc is actually checked, but there are all the normal measures of holograms and watermarks.

Anyway, what's all the fuss about ID cards?

It's generally:

a) the extra crap that the government wants to store on there for no good reason
b) the extra crap that the government wants to store in a database (for probably quite bad reasons)
c) the extra expense to get said extra information
d) the fact that the main argument is "do it or teh terrorororoists winz!"
e) the fact that so much money has been poured in to them and they're obviously so broken
f) the fact that it'll become enforceable to display your ID, with the next step being "no ID on the spot? that's a crime"

Re:Hang on

[gsslay]

Indeed. Please tag this story "DailyFail".

I've no grounds for arguing with the facts, and certainly agree with the disgust for these ID cards, but any story in the Mail that touches on "scrounging foreigners damaging our property values and insulting the sacred memory of Princess Di" is not to be trusted.

This is the biggest problem

[Anonymous+Brave+Guy]

And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail.

I think this is symptomatic of the biggest single problem with so many government powers.

Things will inevitably go wrong in any system as large and complicated as running a national government. This will be true even if everyone tries to be diligent and acts with nothing but good intentions. There is no point either pretending that this won't happen or pretending that it would be better if we dropped all government systems that could possibly cause such problems no matter how much good they might otherwise do.

However, there should always be a system in place that allows mistakes to be detected and put right quickly, and without making things any worse for the unlucky victim. This is particularly true in cases of mistaken identity or other factual errors, where the consequences might be anything from financial loss such as being denied benefits or overtaxed, through loss of reputation and all the damage to relationships and career that might entail, right through to violent arrest and detention (or worse).

As a declaration of interest, I am particularly sceptical about any claims relating to ID, because I was once overtaxed significantly due to a case of mistaken identity at a government tax office. It was bad enough that I was left short of money to pay my rent without warning, but even worse that it took nearly three months and a huge amount of effort on my part to get it put right, and I never received so much as a real apology or full explanation afterwards. I can forgive a data entry error by someone who's probably earning near the minimum wage and typing hundreds or thousands of these numbers every day. I can't forgive a system that damages me for months afterwards because it can't acknowledge that it made a mistake.