Forgot your password?
typodupeerror
Security Government Privacy News

UK National ID Card Cloned In 12 Minutes 454

Posted by timothy
from the but-it's-secure-says-so-right-on-the-label dept.
Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."
This discussion has been archived. No new comments can be posted.

UK National ID Card Cloned In 12 Minutes

Comments Filter:
  • Outstanding. (Score:5, Interesting)

    by palegray.net (1195047) <philip DOT paradis AT palegray DOT net> on Friday August 07, 2009 @04:53AM (#28983663) Homepage Journal
    I just can't wait for national ID cards here in the States! It'll be great for plausible deniability: "Oh, you say you saw ID? Prove it was really me."
    • Re:Outstanding. (Score:5, Insightful)

      by Rakishi (759894) on Friday August 07, 2009 @05:04AM (#28983713)

      And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail. We send people to death row on little more than unreliable eye witness testimony, why do you think anyone gives a damn how many people may have copies of your ID?

      • by Anonymous Brave Guy (457657) on Friday August 07, 2009 @11:26AM (#28986447)

        And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail.

        I think this is symptomatic of the biggest single problem with so many government powers.

        Things will inevitably go wrong in any system as large and complicated as running a national government. This will be true even if everyone tries to be diligent and acts with nothing but good intentions. There is no point either pretending that this won't happen or pretending that it would be better if we dropped all government systems that could possibly cause such problems no matter how much good they might otherwise do.

        However, there should always be a system in place that allows mistakes to be detected and put right quickly, and without making things any worse for the unlucky victim. This is particularly true in cases of mistaken identity or other factual errors, where the consequences might be anything from financial loss such as being denied benefits or overtaxed, through loss of reputation and all the damage to relationships and career that might entail, right through to violent arrest and detention (or worse).

        As a declaration of interest, I am particularly sceptical about any claims relating to ID, because I was once overtaxed significantly due to a case of mistaken identity at a government tax office. It was bad enough that I was left short of money to pay my rent without warning, but even worse that it took nearly three months and a huge amount of effort on my part to get it put right, and I never received so much as a real apology or full explanation afterwards. I can forgive a data entry error by someone who's probably earning near the minimum wage and typing hundreds or thousands of these numbers every day. I can't forgive a system that damages me for months afterwards because it can't acknowledge that it made a mistake.

    • Re: (Score:3, Funny)

      by IBBoard (1128019)

      Or "You want to buy alcohol*? Can I see some ID? Can you prove that's your real age and not a faked infallible ID card?" :)

      * Proper phrase inserted since I'm English ;)

    • Re:Outstanding. (Score:5, Interesting)

      by siloko (1133863) on Friday August 07, 2009 @05:43AM (#28983917)
      I think there are two things of note. First the article is in the Daily Mail which has a populist agenda usually veering alarmingly to the right. They have jumped on the anti-id bandwagon so maybe this article should be taken with a pinch of salt. Secondly if it is true it raises some interesting points. Who did the UK Government get to test the security on these cards? How do you respond to such a public relations disaster? How to you tally lax security with bullet proof identification and if this is not possible what plausible reason is there for rolling these things out nationally? I would be very interested to get a Government spokesmen on Question Time squirming to reply to those questions, because they are essentially unanswerable whilst still clinging to the existing policy. And too much money has been spent for this Government to change it now . . .
      • Re:Outstanding. (Score:5, Insightful)

        by FourthAge (1377519) on Friday August 07, 2009 @06:04AM (#28984029) Journal

        Anti-ID card people, not just the "right wing" (ohnoes!) Daily Mail, always said that something like this was inevitable regardless of the effort put into securing the cards. The Government always brushed their concerns aside while expanding the list of people who would have access to the National ID Register.

        If you got a Government spokesman on Question Time, and you were able to get into QT to ask an awkward question, then he would be as evasive as they have always been. Probably he'd just try to distract attention from the real issues. But the point is moot because all QT questions are vetted. The BBC wouldn't want to put the Government on the spot.

        • it's always the same problem. as soon as you start using an identification device as an authentication device, you're screwed, as identity thefts all over the world could concentrate on a convenient and small target. too much incentive on cracking the card for it to work.
      • Re:Outstanding. (Score:5, Informative)

        by TheRaven64 (641858) on Friday August 07, 2009 @07:23AM (#28984419) Journal

        Who did the UK Government get to test the security on these cards?

        They got quite a competent group of people, as is the policy of the current government. These people issued a report that the cards were insecure and did not solve any problems that actually existed (they actually made some quite interesting recommendations about the problems related to ID that the government could try to solve). Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded. Fortunately, the recent set of expenses scandals kicked the most vocal advocates of the ID card out of the cabinet.

        • Re: (Score:3, Informative)

          by langelgjm (860756)

          Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded.

          For those who don't know, the Gower's report was on intellectual property policy.

          I wish the U.S. did something similar - getting together an independent panel of experts, not hand-picked bureaucrats, to look in-depth at important issues. And of course, actually act in keeping with the reports. Another UK report of interest to slashdot - the Byron Report, which looked at the effects of video games and the Internet on children. Quite even-handed, and makes notes about how there is a "polarisation of research

    • Is there a country in the World that has an ID card system that can't be forged/cloned??? Although I object to the idea of a national ID card what has me really worried is the amount of info they are talking about putting on it. I don't really want my entire medical history + NI number stored on a chip that can be hacked from 20 feetaway
      If you think ID theft is bad now just wait until these things come out.
      • Re: (Score:3, Insightful)

        by AlecC (512609)

        I think unforgeable ID is up there with Perpetual Motion Machines on the list of impossible. Just as good (and expensive) engineering can make machines that will run for a long time. good (and expensive) engineering can make the cost of forgery high, This is the way money is protected from forgery: the cost of the machinery to make it is very high. This is no problem for the Mint, which amortizes it of millions of banknotes. But for criminals, it means the number of notes they have to circulate before getti

  • Advertizing (Score:2, Funny)

    by doktorstop (725614)

    I think that will boost Nokia sales in the UK!

    • And lower Labour Party sales at the same time ;)

      • Re: (Score:3, Funny)

        by Opportunist (166417)

        Huh? Labour is for sale again?

        I knew it, damn socialists. Those Tories are somewhat more honorable, once bought they at least stay bought.

  • by SirFozzie (442268) on Friday August 07, 2009 @04:55AM (#28983687)

    With these things, that if it can be read by a device, then it can be broken. All that differs is how long will it take to break it..

    • by TheLink (130905) on Friday August 07, 2009 @05:29AM (#28983835) Journal
      Of course it can be copied. However if I try to show YOUR ID card "as is", to a guard it might not work - he might realize that I look a bit different from you.

      If the ID contains a digital store of your photo and other biometrics on it that is digitally _signed_, even though it can be copied it'll be much harder to tamper with it. And you can only create a new ID if you can sign it with a valid signature.

      Of course in the real world, the _printed_ photo might be all the guards check.

      Also in the real world, creating fake IDs might not be that hard - you might be able to bribe/trick someone to create a new legit ID for you, or steal/borrow the signing machines + keys (or the backup certs+keys).

      BUT, once they realize what has happened, they can revoke your certs (and maybe even those who were responsible for helping you). While this sort of thing might not be that effective against suicidal terrorists, it works well for oppressing your own citizens.

      If they start tying these IDs to travel and payment, then it works even better for keeping the sheep in line...

      Go figure.
      • by martyros (588782) on Friday August 07, 2009 @05:47AM (#28983943)

        If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."

        IOW, there's no security, signing, encryption, anything at all (or if there is it's so broken that it might as well not be there). The fact that it's computerized makes it easier to fake out rather than harder, and simultaneously gives the illusion of being more reliable rather than less. It's bad all around.

        • by TheLink (130905)
          Yeah I know, I'm just talking about the next step that they're probably going to suggest as a solution, and how that might not be so wonderful either ;).
      • Re: (Score:2, Redundant)

        by raju1kabir (251972)
        RTFA please. They altered the information on the cloned card and it read true. Clearly there is either no, or a very weak, cryptographic validation mechanism.
        • by TheLink (130905)
          That's nice. Since I am not a UK citizen, I think it is good for me if they continue to use such a broken system.

          Because if my country becomes even crappier, it might make it easier for me to move to the UK, and get an ID that's "Entitled to benefits" :).

          Seriously though, I was just talking about the proper way of doing things, and how even the proper way won't work that well against the evil terrorists (which is what is often used as an excuse to introduce such systems).
    • by IBBoard (1128019)

      Ditto for DRM.

      The DRM thinking: "I know, lets give people the lock and the key and hope they don't break it"
      The "cram stuff on a smart chip" thinking: "I know, lets give people all of the data that we wrote there in some way and assume that they can't change it"

      So much for "never trust a user's input" (which should cover anything that the user has access to).

      You'd have thought that some kind of checksum on top of the data might have helped a bit. At least then you need a large stash of valid cards to revers

      • by TheLink (130905)
        DRM is a different thing from ID.

        If I copy your DVD, the player doesn't care - it works.

        The ID problem is different - just because I took your _genuine_ passport, doesn't mean I can use it to travel. The guy would notice that I look different from the photo.

        If they digitally sign the ID, it doesn't make copying or reading harder, but it makes tampering and forgery harder.

        A Dictatorship will find it very useful to be able to revoke certs of dissidents. Such things might be more useful against troublesome she
        • by IBBoard (1128019)

          Yes, DRM is different to ID, but they're making what appears to be a very similar mistake by assuming that they can give all of their important information to a user (e.g. lock and key or biometrics etc) and assuming that nothing bad can happen with it.

          The best idea with keeping information secure is to not give it away, but the ID cards don't seem to follow that idea in the slightest.

    • by daem0n1x (748565) on Friday August 07, 2009 @06:10AM (#28984057)

      Here in Portugal we've had ID cards since the 19th century. We were pioneers in the usage of smart cards as ID cards, together with Belgium and Finland.

      While our old paper ID cards were easily falsifiable, the new smart card is virtually impossible to falsify. It has a lot of physical security measures, a few holograms, engravings, etc. As to the chip, all the data in the chip is digitally signed by the government. The RSA private keys inside are generated by the card during personalisation, and are not extractable. I dare you try to create a false one. The British card seems to be a cheap piece of shit.

      Anyway, what's all the fuss about ID cards? What do you use to identify yourself? Social Security card? Driver's license? How hard it is to forge one of these?

      • Re: (Score:2, Insightful)

        by Vanders (110092)

        Anyway, what's all the fuss about ID cards?

        It isn't the physical card. I couldn't give a rats ass about the card (Other than it's a cheap piece of shit, as you point out). It's the gigantic, interlinked database that will go with the card, which will track everything I do, and be accessible by almost every public worker you can imagine.

        • Re: (Score:2, Insightful)

          by daveime (1253762)

          As opposed to your National Insurance Number, which you only need when applying for a passport, a bank account, a job, hospital treatment and to pay your taxes. Did I miss anything ?

          • Re: (Score:3, Informative)

            by pjt33 (739471)

            You missed checking your post for accuracy. You don't need an NI number to apply for a British passport. I don't think you need one to open a UK bank account, although I haven't done that for several years so I'm not 100% sure: if you do then it's only to pay taxes. You don't need one to apply for a job, although if you get the job you will need to obtain one, if you don't have one, and supply it so that they can pay taxes. You don't need one for hospital treatment - there is an NHS number, but that's admin

        • Re: (Score:3, Interesting)

          by daem0n1x (748565)

          So, that is a problem with central information systems, it has nothing to do with ID or cards. The government can track everything you do without any ID cards, they will simply use other data, like SS number, simply your name, or even credit card.

          In Portugal, we have an interesting system. It's constitutionally illegal to identify someone towards the several state services using a single number. We used to have several cards, for ID, for health care, for social security, for taxes, for voting.

          Now, we h

      • by IBBoard (1128019) on Friday August 07, 2009 @06:20AM (#28984107) Homepage

        What do you use to identify yourself? Social Security card? Driver's license?

        ID tends to be something like a driver's license or passport. Other measures can be used (e.g. by banks) if you don't drive and haven't been on holiday. Similarly the Government in the UK has some fairly simple ID cards for teenagers who want to prove their age to buy alcohol but don't have a driver's license or passport.

        How hard it is to forge one of these?

        It's not impossible, and it all depends on how hard the passport etc is actually checked, but there are all the normal measures of holograms and watermarks.

        Anyway, what's all the fuss about ID cards?

        It's generally:

        a) the extra crap that the government wants to store on there for no good reason
        b) the extra crap that the government wants to store in a database (for probably quite bad reasons)
        c) the extra expense to get said extra information
        d) the fact that the main argument is "do it or teh terrorororoists winz!"
        e) the fact that so much money has been poured in to them and they're obviously so broken
        f) the fact that it'll become enforceable to display your ID, with the next step being "no ID on the spot? that's a crime"

        • Re: (Score:3, Insightful)

          by Aceticon (140883)

          Simply put:

          The fuss is not about ID cards per-se, the fuss is about the UK government trying to create yet another tool to spy-upon, track and control UK residents.

          CCTV all over the place, 28 days detention without trial (which the government tried to extend to 45), police abuses against peaceful demonstrators, extra-strong anti-libel laws used to silence whistle-blowers, anti-terrorist laws which are mostly used for things which have nothing to do with terrorism, attempts at setting up an infrastructure fo

      • by FourthAge (1377519) on Friday August 07, 2009 @07:04AM (#28984327) Journal

        Although both Vanders and IBBoard are exactly right, security problems are very important, the real problem is the effect on individual liberty.

        As citizens, we don't need the state, except to defend borders and keep the peace. But ID cards tell us that we do need the state, and that without it's blessing, we are nobody. The state is still (notionally) our servant, but now it will not help us unless we do as it says.

        In a free country, the function of government is not to tell citizens what to do. It is not to control the population, to exercise power against them, to interfere in their lives. ID cards change that and this is why I do not approve of them.

  • by nadamucho (1063238) on Friday August 07, 2009 @04:58AM (#28983697)
    Just ban cell phones and laptop computers!
  • by Rosco P. Coltrane (209368) on Friday August 07, 2009 @05:03AM (#28983709)

    I bet they head-hunted members of the Windows XP team [zdnet.com.au] to implement this in the UK. That can't be a coincidence. Great move guys...

  • by webreaper (1313213) on Friday August 07, 2009 @05:13AM (#28983747) Homepage
    Guess they got spent a bit longer on the security aspect than most Government IT projects then.
  • Does anyone have any technical details on how this was achieved?

    • by siloko (1133863)

      Does anyone have any technical details on how this was achieved?

      I guess you aren't familiar with the Daily Mail [dailymail.co.uk], they are usually quite thin on details. Great at hyperbole though!

  • by HetMes (1074585) on Friday August 07, 2009 @05:25AM (#28983811)
    If it's digital, exact copies are possible.
    If it's digital, because of the convenience, analogue security measures will be taken less seriously.
    If it's digital, uninformed politicians will think it cool, and believe in it like some do in 70 virgins.
    If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics
    If it's digital, tampering is undetectable.

    Either way, this digitally secure ID thing can only lead to government saying: "Look! We've tried, and you also know that the only way to do this properly is to put you all in a database and track your every move."

    Can we perhaps agree on forsaking digital security just because it's cheaper and faster in cases where we don't need it anyway (i.e. when people aren't up to no good)?
    • by Koookiemonster (1099467) on Friday August 07, 2009 @05:29AM (#28983839)

      What's interesting about technology like this -- such as electronic voting, passports with chips etc -- is that geeks are often against it. Geeks, who generally love technology and gadgetry, are saying no. Maybe the legislators should listen -- assuming that at least some of them actually care.

    • Re: (Score:2, Interesting)

      by sdiz (224607)

      If it's digital, exact copies are possible.
      [...]

      If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics

      [...]

      If it's digital, tampering is undetectable.

      hmm.. in fact, there are smart card with microprocessor empowered with strong public key encryption that would make cloning very difficult and always detectable.

      But the government just don't care (or can't tell the different)

      • Re: (Score:2, Insightful)

        by HetMes (1074585)
        All it takes is theft of a single piece verification hardware, or a single breach of security to extract the private key. This will probably even go unnoticed. And we can't simply give everyone new ID each time an unauthorized person had access to a government computer, can we?
        • by Cyberax (705495) on Friday August 07, 2009 @06:50AM (#28984257)

          Neither cards nor verification hardware require the master private key to be present.

          Just like SSL, in a good implementation of ID cards each card is issued its own private and public keys, signed by the root private key (which is kept in secrecy). Then ID card uses this PK to encrypt communications. Verification hardware only needs the root public key to check that the ID card is legit.

  • This is the sort of news which I would think the Government would suppress, as it undermines the validity of the card.

    Not only does it make the card next to useless for performing any more than basic "You look like the guy on here, so you're that guy" driving-license-type identification, but it also gives "reasonable doubt" to the whole ID card technology.

    Now all we need is someone to get these details onto the National ID Database (when constructed, if Labour stay in, which I sincerely hope they don't) a
  • Surprising (Score:5, Interesting)

    by AdamInParadise (257888) on Friday August 07, 2009 @05:37AM (#28983893) Homepage

    I work in the smartcard industry and most of the time those "breaks" mean nothing: usually the "hacker" simply reads the publicly available information and claims that the system is "broken". The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not explain them very well.

    However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent. This article is heavier on details than many others and that makes it more credible, but the details are still muddy. I hope that the journalist missed a crucial point and that this card is not as insecure as he thinks.

    Small-scale, private smartcard-based systems can be cracked, usually because they are badly installed and used. Large-scale, private smartcard-based systems can be cracked (just look into the MiFare Classic debacle) but it involves months of hard work from people with PhDs and access to expensive equipement. Large-scale, govermental smartcard-based systems can be cracked, but I would be really surprised if it took only a few minutes. Unless that hacker presents the attack in details, I will file this one in the "baseless fearmongering in order to sell more papers" folder (which is already bursting BTW).

    • Expensive Equipment? (Score:4, Interesting)

      by TerraGreyling (1605413) on Friday August 07, 2009 @06:08AM (#28984045)
      Unless there have been leeps and bounds in smart card technology in the past couple of years I think this is an overstatement. A few years back I made most my money buying blank smart cards, copying the information from the satelite TV smartcards, changing a few places in the hexidecimal coding, and selling full unblocked TV. Of course we would tell the user to remove the cards from the boxes at night when the companys would do system checks that fry any unauthorized cards. And the cost of such equipment, $49.95. Not expensive and on about average, 15 minutes of work. If the UK is using the same format, that would be a real easy "hack".
      • Unless there have been leeps and bounds in smart card technology in the past couple of years [...]

        Yes, there have been. But one has to keep in mind that security is expensive and that only some applications warrant an investement in modern, secure cards. Govermental ID is certainly one of them.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        TV unblocking is relatively simple, they use a (symmetric) master key that is used to derive session keys. These keys need to be in memory because they are required for the decoding, which needs a lot of performance. Also, you can always "share" the smart card between friends, the smart card does not know who is requesting the session keys. These are cheap cards. Or at least, this is how it used to be, I don't keep a close watch on this.

        These cards use Passive Authentication making sure that the biometric d

    • Re: (Score:3, Insightful)

      by pjt33 (739471)

      The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not know what they are either.

      FTFY. From the politicians' point of view the goal of the system is either a) to protect against every possible threat to individual or national security; or b) to help them keep their seats - depending on how cynical they are.

  • The logic is simple:
    If you fight City Hall, you WILL lose.
    The Govt. is a beast and it will now put this hacker on a terror list, and for good measure add him to the s3x-offender list too.
    This poor guy will spend ALL his money to fight the Govt. in courts, while the Govt. uses his tax money to fight him.
    Until he squeals: "If the Govt. does it, then it must be the best.", the Govt. will continue to gag him and all others who criticize it.

  • Love the Ending (Score:2, Insightful)

    My favorite part of this article, was the response by the officials. Excuse us we need time to come up with an excuse, err.. a response to these allegations. We could just say, "Yes we care about the protection of your identity, but first I need to doublecheck the validity of that statement. Thank you."
  • The system is perfectly safe ... just don't let your card out of your sight for more than 11m59s. Citizens do have to take some responsibility after all!
  • by sulliwan (810585) on Friday August 07, 2009 @06:05AM (#28984033)
    Storing a simple hash of the card contents with the hardcoded UID of the card and checking if they match when reading a card is enough to prevent any such attack. While you can copy the card and even change contents on it, it will never validate as an authentic card. Aside from that, smartcards have really gotten quite smart, as far as I know, there are no practical attacks against the newer MiFare cards(most hacks on Desfire or newer systems target the implementation of the system, not the cards themselves).
  • by Vollernurd (232458) on Friday August 07, 2009 @07:02AM (#28984319)

    Whilst this is a failure of some rudimentary security system that was supposed to protect the data stored on the chip, this is anot a cloned card per se.

    The chips on these ID cards, and the new UK passports, are there to enhance the integrity of the DOCUMENT, not be secure stand-alone identifiers alone. For instance you can easily copy the data on a chip once the security has been defeated but to accurately copy the paper part of the document including the watermarks, UV sensitive fibres, holograms, raised ink, irridescent coatings, etc. takes a lot of time and effort that most people won't bother with. Some do bother as a lot of bent banknotes will testify to.

    These cards like the passports SHOULD when tested/checked be read by a human being who knows how to check the security features (e.g running your fingers over the top of a banknote to check the raised ink), check the details and the photo are correct and do not seem to have been tampered with, then they can check that the data on the chip matches the data printed on the paper/plastic. If they match then there's a very high chance that the card/passport is genuine.

    Just checking one portion rather than the other defats the purpose of these designs.

    Weak systems will always be exploitable. UK Border Control staff/Police/Home Office drones need to know that that no document is unforgeable and to maintain the integrity of a system requires knowledge and training on the part of those who are attempting to enforce it.

You can now buy more gates with less specifications than at any other time in history. -- Kenneth Parker

Working...