Home Office shrugs off ID card hack demo

Summary: A researcher shares technical details of how to clone and modify a UK identity card, a demo that the Home Office has turned down

A researcher who claims to have cloned a UK identity card has had his offers to demonstrate the security breach turned down by the Home Office.

Adam Laurie said he had made repeated approaches to the government department since December to show how he had managed to clone and modify the chip on an ID card belonging to a foreign student. However, those approaches were rebuffed, Laurie and Steve Boggan, the investigative journalist working with the researcher, told ZDNet UK.

"There has been no invitation or request from the Home Office to demonstrate the flaws in this technology," said Boggan. "We have suggested a demonstration [to the Home Office]."

However, the Home Office said it had asked Laurie to provide the cloned card to it a "couple of weeks ago", but as he had not done so, the hacking claim was unsubstantiated.

Laurie claimed the ID card was cloned and the personal details on the chip changed, in an article by Boggan in the Daily Mail on Wednesday.

"This story is rubbish," the Home Office said in a statement. "We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened."

However, Laurie said on Friday he had not been approached by the Home Office and that it was "bizarre" the government department would claim to have requested to see evidence from him. "The Home Office has never been in direct contact with me," he said. "If they can produce documentary evidence or a paper trail of an invitation, I'd be interested to see it."

The researcher added that he would be more than happy to demonstrate the cloning and modification technology to UK government officials.

"The way I work is through responsible disclosure," said Laurie. "The only reason we went public is that the Home Office had refused repeated approaches from us and we want to make sure they make the cards secure."

Security experts have long questioned the viability of the prospective UK ID cards and David Blunkett, the architect of the scheme, admitted in April there had been a "massive drop" in public confidence in ID cards.

The chip that was modified uses the technology that will be used in cards for UK citizens, according to Laurie. Criminals could forge or obtain physical plastic cards and then insert modified chips on them, he warned.

To clone the chip, Laurie said he used a generally available USB radio frequency identification reader, the Omnikey 5321 Reader, in combination with his own RFIDIOt code. These were used to read the chip on the foreign student's card and to then transfer the personal information onto a PC.

A hacker could use a suitably equipped mobile phone, such as the Nokia 6131, to read the information, the researcher said. However, it is easier to use a modified RFIDIOt tool to download data from the card onto a PC, he added.

Laurie said he successfully managed to download all of the data from the chip, except for the fingerprint information. He later created replacement fingerprint data from scratch using a biometric file standard called CBEFF.

"We weren't able to produce a direct clone of the card, but it didn't matter, as we were later able to add fingerprint details," Laurie said.

Personal data is stored on the card using the ICAO 9303 passport standard, Laurie said. The data is segregated into files called 'data groups'. While there are 16 potential data group fields, not all of them are used, Laurie said.

Four of the fields important to the breach are Data Group 1 (DG1), which contains information in the machine-readable zone (MRZ) on a passport; DG2, which contains the facial image; DG3, which contains the fingerprint image; and DG14, which contains the digital certificate used for active authentication.

DG14 contains active authentication cryptographic safeguards, which are meant, in part, to ensure that the card has not been tampered with.

However, when a card is presented to a reader, the card itself tells the reader whether it should check for a digital certificate. This makes the safeguards ineffectual, as removing the data group removes the check, said Laurie.

"If the file is not present on the card, the reader doesn't ask for it," said Laurie. "The card dictates to the reader what security checks to do, and since I control the card, I can tell it to do no security checks."

The digital certificate also guarantees the authenticity of the other data groups on the card. Each file has a cryptographic signature or checksum that is checked against the digital certificate. The idea is that if any of the files are tampered with, the cryptographic signature will no longer be valid.

However, Laurie said he had circumvented this measure by simply replacing the digital certificate and checksums with his own. This works because the ICAO public key directory used by the government, which is supposed to authenticate the digital certificates centrally, has had no government input yet, he said.
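The two weaknesses described above, the card deciding which checks run and the reader accepting whatever certificate the card carries, are both reader-side policy failures. The following Go program is an added illustration written for this article, not Laurie's RFIDIOt code nor any ICAO reference implementation. It models the data groups, a toy Document Signer certificate and a toy security object with Ed25519 signatures (real documents use X.509 certificates and CMS signed data; the structures, function names and sample data group contents here are constructed for the example). `LaxVerify` behaves like the reader in the article; `StrictVerify` insists on the data groups its policy requires and on a certificate chain to a CSCA already in its own trust store, which is the role the ICAO public key directory is meant to play.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DocSignerCert stands in for the Document Signer (DS) certificate: DS public key plus CSCA signature over it.
type DocSignerCert struct {
	PubKey  ed25519.PublicKey
	CSCASig []byte
}

// SecurityObject stands in for the Document Security Object: per-data-group digests signed by the DS key.
type SecurityObject struct {
	Hashes map[int][32]byte // DG number -> SHA-256 of that data group
	Sig    []byte
	Cert   DocSignerCert // the DS certificate travels with the card
}

type Chip struct {
	DataGroups map[int][]byte
	SOD        SecurityObject
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return pub, priv
}

// serialiseHashes builds the canonical signing input: DG number then digest, for DG1..DG16 in order.
func serialiseHashes(h map[int][32]byte) []byte {
	var out []byte
	for n := 1; n <= 16; n++ {
		if d, ok := h[n]; ok {
			out = append(append(out, byte(n)), d[:]...)
		}
	}
	return out
}

// Issue hashes every data group, signs the digest list with the DS key and personalises a chip.
func Issue(dgs map[int][]byte, cert DocSignerCert, dsPriv ed25519.PrivateKey) Chip {
	hashes := map[int][32]byte{}
	for n, data := range dgs {
		hashes[n] = sha256.Sum256(data)
	}
	sod := SecurityObject{Hashes: hashes, Cert: cert}
	sod.Sig = ed25519.Sign(dsPriv, serialiseHashes(hashes))
	return Chip{DataGroups: dgs, SOD: sod}
}

// LaxVerify is the reader behaviour the article describes: trust the on-card certificate, check only what is present.
func LaxVerify(c Chip) error {
	if !ed25519.Verify(c.SOD.Cert.PubKey, serialiseHashes(c.SOD.Hashes), c.SOD.Sig) {
		return fmt.Errorf("security object signature invalid")
	}
	for n, data := range c.DataGroups {
		if want, ok := c.SOD.Hashes[n]; !ok || sha256.Sum256(data) != want {
			return fmt.Errorf("DG%d missing from or mismatching the security object", n)
		}
	}
	return nil
}

// StrictVerify applies the reader's own policy first: required data groups must
// exist, and the DS certificate must chain to a CSCA already in the trust store.
func StrictVerify(c Chip, trustedCSCA []ed25519.PublicKey, requiredDGs []int) error {
	for _, n := range requiredDGs {
		if _, ok := c.DataGroups[n]; !ok {
			return fmt.Errorf("DG%d absent: reader policy requires it", n)
		}
	}
	for _, csca := range trustedCSCA {
		if ed25519.Verify(csca, c.SOD.Cert.PubKey, c.SOD.Cert.CSCASig) {
			return LaxVerify(c) // chain is trusted; now check integrity
		}
	}
	return fmt.Errorf("document signer certificate not issued by a trusted CSCA")
}

// Demo issues a genuine chip, builds the forgery from the article (DG2 cloned, DG1 altered, DG14 dropped,
// SOD and certificate re-issued under the forger's own keys) and returns each reader's verdict (nil = accepted).
func Demo() (genuineErr, forgedLaxErr, forgedStrictErr error) {
	cscaPub, cscaPriv := keypair()
	dsPub, dsPriv := keypair()
	genuine := Issue(map[int][]byte{1: []byte("constructed MRZ"), 2: []byte("constructed face image"), 14: []byte("constructed security options")},
		DocSignerCert{PubKey: dsPub, CSCASig: ed25519.Sign(cscaPriv, dsPub)}, dsPriv)
	_, forgerCSCAPriv := keypair() // the forger's "CSCA" is never in the reader's trust store
	forgerDSPub, forgerDSPriv := keypair()
	forged := Issue(map[int][]byte{1: []byte("constructed MRZ, altered"), 2: genuine.DataGroups[2]},
		DocSignerCert{PubKey: forgerDSPub, CSCASig: ed25519.Sign(forgerCSCAPriv, forgerDSPub)}, forgerDSPriv)
	store := []ed25519.PublicKey{cscaPub}
	return StrictVerify(genuine, store, []int{14}), LaxVerify(forged), StrictVerify(forged, store, []int{14})
}

func main() {
	fmt.Println(Demo())
}
```

Running `Demo` shows the point of the article from the verifier's side: the forged chip is internally consistent, so a reader that only checks what the card offers accepts it, while the strict reader rejects it on the first policy check (DG14 absent) and would also reject it on the chain check if DG14 were re-added, because the forger's certificate never chains to a CSCA the reader already holds. The lesson is that the trust store and the list of mandatory data groups belong to the reader, not the card.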

Laurie uploaded the modified files onto an NXP JCOP card, which is a programmable contactless smartcard. He then tested whether it would work using a Golden Reader tool validated by ICAO.

Laurie said it had taken him 12 minutes to read the original card, but that he and fellow security researchers Jeroen van Beek and Peter Gutmann had then done additional work.

"This demonstrates the technology is not a universal panacea," said Laurie.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • The sooner this is scrapped the better

    The fact that they won't even meet the people who are trying to give them a heads up just goes to show how bad our government is.

    I can see it now innocent people being accused of crimes they did not commit then not being able to fight against it, because the government won't even acknowledge it doesn't work.
  • A ghost from the past

    What I find especially frightening is that this exact scenario was described in very many SciFi stories of the 1960s. The predictions of what could happen if the database got corrupted seemed fanciful at the time. Now they seem starkly real.
  • Agreed...

    It's all quite scary when you think about it. The question is, what are we as a nation going to do about it? Fight back is my answer.

    Besides, we're about 200 years overdue for a revolution anyway. :D
  • Security by Ignorance

    It's good to see that the Home Office are forging ahead into new territory in security practice. The old Security by Obscurity is completely old hat nowadays. They are pioneering a brand new methodology: Security by La La La I can't hear you !!
    Andrew Meredith
  • Go 4 IT!

    Sure CA. You seem to have a lot to say so why don't YOU start the revolution?

  • :D You never know

    Maybe one day I will ;)