Government rubbishes ID card hack report

The Home Office has dismissed an apparently successful attempt to clone and edit the data on a British identity card's microchip. Adam Laurie, who has previously found similar weaknesses in the microchips on passports, rewrote data taken from a UK Border Agency identity card issued to a foreign student, according to a report …

COMMENTS

  1. Anonymous Coward
    Flame

    Simple solution...

    To shut up the government propaganda, just publish a full document detailing exactly how to do it on wikileaks. Maybe email a few newspapers and such (especially ones that don't like labour) about it too so they can publicly rubbish it too.

    Seriously, if they won't admit to the fault, and aren't going to fix it, then I say full disclosure. They've been given a chance to fix it without major consequences. If they ignore that, any fallout from someone showing the world how it's done is on their own back.

  2. Anonymous Coward
    Alert

    No particular title

    It's funny that they rubbish the report, because obviously they are leading authorities in matters of security right? Oh wait...

    So how do we stop this charade? Do we vote for Conservatives? They said they will scrap this scheme. I hope they are not lying, as politicians usually do!!!

  3. Iain Malcolm
    Troll

    if in doubt, stick your head up your bum

    Apparently the spokesperson is A.N. Ostrich - strange name, but there you go!

  4. matthew1471

    Morons.

    "design and security features that are extremely difficult to replicate." < But not impossible.

    "the most secure of its kind, fully meeting rigorous international standards." < Meeting standards does not automatically make the card secure.

    Morons.

  5. Lionel Baden

    agree with AC

    it would be a pity to see that amount of money wasted but it's not like it's been very well spent anyway

  6. Ted Treen
    Big Brother

    Gov't reaction?

    Fingers in ears and sing "La La La - I can't hear you".

    Anyway, even the HO should know that absence of evidence is not evidence of absence.

    Twonks.

  7. Chris 267
    FAIL

    I'm torn on this one...

    While I have some sympathy with the Home Office's opinion that the story is 'rubbish' - this is the Daily Mail we're talking about - it still comes across as unbelievably arrogant.

    There is no evidence because they have not made any effort to look for any evidence, which you'd think would be the first thing they would do on hearing of such a serious allegation about such an important government project.

  8. Sabine Miehlbradt

    Translation

    The Home Office has dismissed the report. "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson.

    Plain English: La La La La La. I can't hear you. [Puts fingers in ears and hides under blanket]

    Icon: We're missing a "gross stupidity" icon here.

  9. Tom Chiverton 1
    FAIL

    lah lah lah

    So the government's response is essentially 'we can't hear you' ? The details of the hack would be good to know, but at the end of the day "anything made by man can be remade by man".

    I assume these magic machines (the ones the government doesn't have any of yet) will follow the official advice and listen to the noise the card makes when flicked ?

  10. Anonymous Coward
    Thumb Up

    @Simple solution...

    Agreed. I believe this approach fulfils the ethical requirement of being for the general good.

  11. Anonymous Coward
    Alert

    Not Listening

    La la la la la la la la la. Can't hear you!

    Bless our government.

  12. Macka
    FAIL

    Logo change

    Maybe the NO2ID campaign should change its logo to better reflect the Home Office position on this. One where an Ostrich has its head buried in the sand would seem to be appropriate.

  13. kyndair
    Pint

    The Home Office has dismissed the report.

    By putting their fingers in their collective ears (maybe other objects in other orifices, we've yet to find out just how dumb they can collectively be) and shouting "La la la, we can't hear you. It's fine here, move along subject."

    Do these clowns seriously expect anyone to treat their utterances with any belief when they constantly lose, mail out and otherwise give away our data? They have repeatedly shown they have no idea how to secure data in any format, let alone a format that is deliberately designed to be sent out to all & sundry and read in every shop, pub and school.

    Here's a glass to a once great country that understood about personal freedoms and responsibility.

  14. Anonymous Coward
    Big Brother

    @Simple solution...

    Seconded. After all, if the hack is, as they claim, "absolute rubbish" then they have nothing to hide, and therefore, nothing to fear.

  15. Anonymous Coward
    Happy

    uk government...

    ..resorts to finger in the ears security

  16. Anonymous Coward
    Anonymous Coward

    The perfect fake

    The electronic version of the data stored in the card is *EASIER* to fake than the physical card itself.

    So the photo on the card is difficult to print, and laminate convincingly. But the electronic version of the photo in the chip is trivial to fake. The computer can tell the difference between 0101101 and 0101101, you can make a *PERFECT* clone and a *PERFECT* fake.

    And all the specs for this data are defined in the international standard they refer to, making it a lot easier.

    All this electronic, biometric clap trap, they would be better to make a secure PRINTED physical photo card with security screen printing on it and a telephone hotline to report suspect cards.

  17. Anonymous Coward
    Anonymous Coward

    They can't both be right, so which is it?

    Can the chip data be modified, or can't it?

  18. william 10

    Yes agree

    Yes agree - and as there is no problem there cannot be any consequences, the government cannot complain.

  19. Anonymous Coward
    Thumb Up

    Age verification

    Well, they always said ID cards will be of great interest to those who need to prove their age (for drinking etc), now it will be of great interest to those who aren't old enough but can get a hacked id card to prove they are!

    I wonder which government pleb bought the story re security on the card head line and sinker therefore can't accept it could have been compromised already!

  20. Ray0x6
    Flame

    Bah

    "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened"

    Uh huh. Just the kind of responsible attitude I've come to expect from government. When they do find the inevitable bugs they will be suppressed, denied and eventually legislated against. We-know-best-lets-put-our-heads-in-the-sand bullcrap.

  21. northern monkey
    FAIL

    Any word...

    ..from Thales on this? After all they're the ones who should know. Although perhaps they do know and are well aware that the system is far from perfect and are contracted to keep schtum about it. Perhaps the Government will admit it too, but I'm more confident that our porcine friends will fly during a rare lunar event where the face of the moon appears blue.

    Bloody government, bloody ID cards.

  22. Dave Bell

    Multiple standards?

    The UK-issued card may be compatible with the ICAO standard, but have some added checks.

    But if this security depends on keeping the whole thing secret, it's useless.

    Maybe somebody at GCHQ would qualify for a Fields Medal if they were allowed to publish. Has somebody cracked the basic math of RSA?

    Or are the politicians incompetent?

    What would Blaise Pascal bet on?

  23. Eponymous Cowherd
    Big Brother

    I'm amazed.....

    ....that anyone could hear the Home Office spokesperson. I mean he must have sounded very muffled with his head so firmly stuck in that bucket of sand.

    Joking aside, this highlights one of the biggest dangers of the ID card system. The refusal of officialdom to accept that they could, in any way, be fallible.

    If you find yourself a victim of identity theft or fraud where a UKID card was used as proof of ID then you won't see your money ever again or, worse, if you find yourself *accused* of fraud because your ID card implicated you, then expect to be a guest of Her Majesty for a few years because nobody will believe it wasn't you.

  24. seanj

    Home office Spokesperson?

    Was his previous job description "Iraqi Information Minister" by any chance?

  25. Anonymous Coward
    Anonymous Coward

    Nothing to see here, move along

    Of course, anything else would be an admission of failure, this parameter does not exist within New Labour.

    Move along, nothing to see here.

  26. Charlie Barnes
    FAIL

    Sack the lot of them

    "This story is rubbish"

    Because that's a qualified reply from an expert government official.

  27. Flocke Kroes Silver badge

    I'm Spartacus - my ID card proves it

    If the data on ID cards is ever used for anything, then changing it will be as easy as getting your mobile phone unlocked. Who wants to be Gordon Brown?

  28. Cameron Colley
    Black Helicopters

    RE: Simple Solution

    That would be ideal yes and, of course, as has been pointed out it shouldn't cause any legal problems because the information is supposed to be rubbish.

    I mean, nothing bad ever happened to anyone who embarrassed the government did it?

    On an unrelated note -- that David Kelly was a nice bloke, eh?

  29. Anonymous Coward
    Anonymous Coward

    They are both right (kind of)

    The data on the card can be copied, but it is digitally signed so any modifications are detectable. However, last I heard governments hadn't agreed on a key distribution mechanism, so current generation card readers don't check the signature. Hence a faked card can appear to be valid.

    Once the readers are fixed modified cards will be obvious. The Home Office is right: there is nothing wrong with the cards.

  30. Jonathan 17

    @AC 11:20

    Thankfully, digital security is a bit more advanced than that. It relies on factorising extremely large numbers using prime numbers, which themselves are impossible to guess (well, without a really really long time). Digital security can and has been done well, the point is that this is not one of those cases. That Laurie was able to access and edit the data shows it's insecure.

    But yeah, this ID card thing isn't as much about protecting identity as it is about turning us into well behaved little sheep with a number stamped on our ears, sorry I meant ID card. Really, if ID theft is a problem, then make less information available! Not more. It's database this and ID card that, but nobody at UK.Gov is willing to take responsibility when things go wrong (see the recent high court ruling on that here at El Reg) or if powers are abused (see Phorm and UK.gov in cahoots).

  31. Anonymous Coward
    Anonymous Coward

    In Finland elReg is a criminal

    I suspect the wording of the Finnish anti circumvention law (the one that makes it a crime to discuss circumvention of media security measures) would make it a crime to discuss the flaw here.

    This card is a media carrier after all and we are discussing circumventing its security on an organised forum.

    But would suppression of the DISCUSSION flaws make the card any more secure? Just a side note.

  32. Ed Blackshaw Silver badge

    @Iain Malcolm

    The guy's name is actually A.N. Other, but due to a squashed bug falling into a teletype machine and subsequent rekeying error, his name is now Ostrich.

  33. Anonymous Coward
    Anonymous Coward

    Can Be Done

    "The identity card includes a number of design and security features that are extremely difficult to replicate"

    By their own admission - difficult != impossible

  34. Dr. Mouse
    FAIL

    @Simple solution...

    I will add my support to this line of reasoning. It is the same with all security flaws found: Make the organisation aware of the problem, announce that there IS a problem, give organisation a reasonable time to acknowledge, then fix, the problem, then full disclosure.

    If the govt are obviously going to do nothing, publish the details in full (and preferably with an 'idiot's guide', or a GUI tool). If they ignore evidence of the problem, it is their own stupid fault, and full disclosure is the ONLY way they will listen (i.e. when cloned/faked cards start popping up all over the place and their ID card system is shown to be a total sham).

    I personally would not object to them disclosing the details immediately even if the govt had not, as so many people have pointed out, used the 'La la la, I can't hear you' approach to security. While this would be morally questionable, so are the govt's plans.

    FAIL, for obvious reasons

  35. Anonymous Coward
    Anonymous Coward

    chip passed a software check

    supplied by the International Civil Aviation Organisation"

    The ICAO don't check keys yet, which is why they want a ICAO Public Key Directory (PKD). The hack is more likely just writing to a blank card.

    They do allow for failure of biometric while granting access and point out it's an overall security plan that matters because the ID card shows nothing about intention or risk.

  36. Lyndon Hills 1
    Thumb Up

    Excellent news!

    In the event these things come in we clone one card* and post the data on wiki leaks. Then we all hack our cards to contain the same data.

    * In honour of the anti-Scientology campaign I vote we make the name Anonymous

  37. Anonymous Coward
    Anonymous Coward

    Been here before with the Land Registry

    It's a variation of Gandhi's well known saying

    First you deny it, then you rubbish it, next you say only in rare circumstances, after that you do something about it

    August 2007

    http://www.theregister.co.uk/2007/08/15/land_registry_denies_fraud_risk/

    The Land Registry has attempted to dampen accusations that its online register leaves home owners open to ID fraud.

    It has denied claims by the NO2ID group that it has not paid sufficient attention to security in making mortgage deeds and leases available online, and that they could reveal information which could be used to steal an individual's identity.

    [...]

    "There is no evidence that fraud has resulted from the availability of this information from Land Registry. If we receive evidence of a security risk, Land Registry in conjunction with the Ministry of Justice and the Home Office will of course investigate."

    Moving on to February 2008

    http://news.bbc.co.uk/1/hi/business/7251244.stm

    The Land Registry says there is a growing number of cases of fraudsters transferring property ownership into their names.

    [...]

    Some £12m of compensation was paid out in the two financial years from 2005 to 2007.

  38. Anonymous Coward
    Flame

    Typical government response...

    Typically the government response is to stick their fingers in their ears and go "NA NA NA NA NA"

    I'd certainly like to see the exploits published and proven, however the response of "this is rubbish" leaves me dismayed that this government are in the driving seat.

  39. Mike Smith
    FAIL

    So the story is true then...

    "We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson.

    That's all the confirmation we need.

    Never believe anything until it's been officially denied.

    Bismarck, IIRC.

  40. AchimR
    Big Brother

    @Simple Solutions

    Aye, I agree. Full disclosure on wikileaks and elsewhere would be great!

    Show the NuLab Twats how dumb they are.

  41. Anonymous Coward
    FAIL

    @They can't both be right, so which is it?

    I don't think you can modify the data directly on the card (yet).

    I think what he did was:

    1. Made a copy of the card (supposed to be difficult but isn't)

    2. Changed the data on the copy (the easy part)

    3. Made the copied card appear to be valid (supposed to be impossible)

    This is significant because you can make a useful fake card that only looks vaguely like the real thing but validates correctly in an electronic reader. And because it's being electronically validated, no one notices that the card is fake.

    If you're a crim or a terrorist, this is handy because when there's an arrest warrant out for you and you need to get through some sort of electronic "Ihre Papiere, bitte!" checkpoint, you can pop in your fake Jesus H. Christ id card and freely continue on your nefarious way...

    Just look at Chip & Pin: when is the last time anyone took a look at your credit card? I bet there are loads of cards in use that don't even have a signature on them, 'cos no-one ever checks!

  42. The BigYin
    Thumb Down

    Two cards?

    Have two cards. One fake, so you can get what you want at automated readers. One real for when the State Technocracy Appointed Security Inspectors want to see it.

    We don't need cards, we don't need the database, we don't need Labour and their corruption and openly fascist policies.

  43. Ben 56
    Go

    Stupidity icon

    @Sabine Miehlbradt

    I vote for a picture of Blunkett or Jackie Smith for the stupidity icon.

  44. Anonymous Coward
    FAIL

    Daily Fail

    In the same edition of said newspaper, there was a big full page rant about Jonathan Ross and Russell Brand.

    Have they not gotten bored of raking up non-stories? It's clap-trap like that which makes me skip past the 2-page "We hacked an ID card in 12 minutes" story.

    AC as ashamed of reading it - I hid it in a copy of Playboy to spare my blushes

  45. John G Imrie
    Big Brother

    @ Anonymous Coward Posted Friday 7th August 2009 11:25 GMT

    Actually reading the article both could be right.

    It is possible that the data on the chip can't be altered, and apparently that was not done in this case.

    What happened was a clone of the card was made and the clone successfully altered.

    Rather like having a ROM chip and creating a clone in RAM.

    This will of course show up when the card is used at any point where a connection to the central database is required, however the number of places where this is likely to happen is shrinking as we get closer to the launch date.

  46. Anonymous Coward
    Anonymous Coward

    Meanwhile on Radio 4 now (1.55pm)

    Professor Sheila Bird of Royal Statistical Society is rubbishing Home Office use of statistics relating to need to retain DNA of those arrested (but not charged)

  47. Andrew Yeomans
    Megaphone

    "the data on the chip cannot be changed or modified"

    Quite so. But that's not what Adam did, he made a *copy* and changed the data in the *copy*.

    As John Lettice points out at the end of http://www.theregister.co.uk/2009/07/09/id_cards_nir_tory_lib_plans/, the chip is intended to help detect tampering with the information printed on the card.

    If you can make good forgeries of the card, then Adam's cloning lets you make the chip data match. But the reported Home Office statement is still factually correct, just not what it appears at first reading.

  48. Anonymous Coward
    Anonymous Coward

    Meanwhile over at HMRC

    http://www.accountingweb.co.uk/topic/tax/hmrc-issues-warning-over-stolen-id-data

    “Our IT and online systems remain safe and secure. Criminals however constantly target computer users with viruses and phishing attacks and have managed to get hold of a small number of users’ details and passwords and made fraudulent claims for tax repayments.”

  49. Anonymous Coward
    Stop

    Government's right, Daily Fail gets it wrong again

    The Government's right on this one. Shocking, I know.

    The Daily Mail didn't verify their fake card with an actual Government ID card reader, but with software intended to verify RFID passports. Thing is, since there's no method of distributing public keys for RFID passports set up yet, the software will accept anything with a valid digital signature by default. That means any Bob, Dick, or Harriet can create their own RFID passport or ID card with whatever data they like, sign it with their own key, and it'll verify - which is a famous security issue with these passports.

    The Government ID cards shouldn't have this problem - valid ones will only be signed with the Government key, and so any ID card readers *will* be able to verify that the data on the card is the official, unmodified version. Unless the Government or their contractors are even more spectacular idiots than usual, this hack won't be accepted by official ID card readers.
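
Added example, not part of any comment and not code from the Home Office, ICAO or the researcher: the difference comments 29 and 49 describe between a reader that only checks that a signature is internally consistent and one that also checks who signed. It uses toy textbook RSA built from small known primes so it runs on the standard library alone; the keys, field names and card contents are constructed, and the set of trusted moduli is a stand-in for a real key directory.

```python
import hashlib

# Toy textbook RSA (no padding, tiny keys) for illustration only. NOT secure.
E = 65537

def make_key(p, q):
    """Build a toy RSA key pair from two known primes."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def signature_ok(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys built from Mersenne primes.
ISSUER = make_key(2**127 - 1, 2**89 - 1)   # plays the issuing authority
OTHER = make_key(2**107 - 1, 2**61 - 1)    # plays anyone else's key
TRUSTED = {ISSUER["n"]}                    # assumed reader trust store

def issue(key, data):
    """Chip contents: the data, its signature, and the signer's public key."""
    return {"data": data, "sig": sign(key, data), "signer_n": key["n"]}

def verify_unanchored(card):
    """Reader without a key directory: believes whatever key the chip carries."""
    return signature_ok(card["signer_n"], card["data"], card["sig"])

def verify_anchored(card, trusted=TRUSTED):
    """Reader with a trust store: the signer must be a known issuer."""
    if card["signer_n"] not in trusted:
        return False
    return signature_ok(card["signer_n"], card["data"], card["sig"])

def check_all():
    """Return {case: (unanchored result, anchored result)}."""
    original = b"name=EXAMPLE HOLDER;dob=1990-01-01"   # constructed sample
    changed = b"name=SOMEONE ELSE;dob=1970-01-01"      # constructed sample
    genuine = issue(ISSUER, original)
    cases = {
        "genuine": genuine,
        "copy": dict(genuine),                   # bit-for-bit clone
        "edited": dict(genuine, data=changed),   # data changed, old signature
        "re-signed": issue(OTHER, changed),      # changed data, signer's own key
    }
    return {name: (verify_unanchored(c), verify_anchored(c))
            for name, c in cases.items()}

if __name__ == "__main__":
    for name, (loose, pinned) in check_all().items():
        print(f"{name:10s} unanchored={loose!s:5s} anchored={pinned}")
```

Only the anchored check separates the re-signed card from the genuine one; neither check can tell an exact copy from the original, because the signature covers the data and not the physical chip.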

  50. dave 151
    Pint

    @simple solution

    well said.

    "if you've nothing to hide" etc... If it's good enough for us it's good enough for them.
