LOL! Much vaunted "secure" ID cards...hacked.
What a joke. The bloody muppets that run the country and meddle in our
lives can't even organise a piss up in a brewery after throwing all
that money at it. Even third world countries can sort out their own ID
cards without one fiasco after another...we're the laughing stock of
the world.
No wonder the country is in such a state; they ought to be in special
needs classes instead of bossing us around!
N5
Home Office shrugs off ID card hack demo
Tom Espiner ZDNet.co.uk
Published: 07 Aug 2009 17:33 BST
A researcher who claims to have cloned a UK identity card has had his
offers to demonstrate the security breach turned down by the Home
Office.
Adam Laurie said he had made repeated approaches to the government
department since December to show how he had managed to clone and
modify the chip on an ID card belonging to a foreign student. However,
those approaches were rebuffed, Laurie and Steve Boggan, the
investigative journalist working with the researcher, told ZDNet UK.
"There has been no invitation or request from the Home Office to
demonstrate the flaws in this technology," said Boggan. "We have
suggested a demonstration [to the Home Office]."
However, the Home Office said it had asked Laurie to provide the
cloned card to it a "couple of weeks ago", but as he had not done so,
the hacking claim was unsubstantiated.
Laurie claimed the ID card was cloned and the personal details on the
chip changed, in an article by Boggan in the Daily Mail on Wednesday.
"This story is rubbish," the Home Office said in a statement. "We are
satisfied the personal data on the chip cannot be changed or modified
and there is no evidence this has happened."
However, Laurie said on Friday he had not been approached by the Home
Office and that it was "bizarre" the government department would claim
to have requested to see evidence from him. "The Home Office has never
been in direct contact with me," he said. "If they can produce
documentary evidence or a paper trail of an invitation, I'd be
interested to see it."
The researcher added that he would be more than happy to demonstrate
the cloning and modification technology to UK government officials.
"The way I work is through responsible disclosure," said Laurie. "The
only reason we went public is that the Home Office had refused
repeated approaches from us and we want to make sure they make the
cards secure."
Security experts have long questioned the viability of the prospective
UK ID cards and David Blunkett, the architect of the scheme, admitted
in April there had been a "massive drop" in public confidence in ID
cards.
The chip that was modified uses the technology that will be used in
cards for UK citizens, according to Laurie. Criminals could forge or
obtain physical plastic cards and then insert modified chips on them,
he warned.
To clone the chip, Laurie said he used a generally available USB radio
frequency identification reader, the Omnikey 5321 Reader, in
combination with his own RFIDIOt code. These were used to read the
chip on the foreign student's card and to then transfer the personal
information onto a PC.
A hacker could use a suitably equipped mobile phone, such as the Nokia
6131, to read the information, the researcher said. However, it is
easier to use a modified RFIDIOt tool to download data from the card
onto a PC, he added.
Laurie said he successfully managed to download all of the data from
the chip, except for the fingerprint information. He later created
replacement fingerprint data from scratch using a biometric file
standard called CBEFF.
"We weren't able to produce a direct clone of the card, but it didn't
matter, as we were later able to add fingerprint details," Laurie
said.
Personal data is stored on the card using the ICAO 9303 passport
standard, Laurie said. The data is segregated into files called 'data
groups'. While there are 16 potential data group fields, not all of
them are used, Laurie said.
Four of the fields important to the breach are Data Group 1 (DG1),
which contains information in the machine readable zone (MRZ) on a
passport; DG2, which contains the facial image; DG3, which contains
the fingerprint image; and DG14, which contains the digital
certificate used for active authentication.
DG14 contains active authentication cryptographic safeguards, which
are meant, in part, to ensure that the card has not been tampered
with.
However, when a card is presented to a reader, the card itself tells
the reader whether it should check for a digital certificate. This
makes the safeguards ineffectual, as removing the data group removes
the check, said Laurie.
"If the file is not present on the card, the reader doesn't ask for
it," said Laurie. "The card dictates to the reader what security checks
to do, and since I control the card, I can tell it to do no security
checks."
The digital certificate also guarantees the authenticity of the other
data groups on the card. Each file has a cryptographic signature or
checksum that is checked against the digital certificate. The idea is
that if any of the files are tampered with, the cryptographic
signature will no longer be valid.
However, Laurie said he had circumvented this measure by simply
replacing the digital certificate and checksums with his own. This
works because the ICAO public key directory used by the government,
which is supposed to authenticate the digital certificates centrally,
has had no government input yet, he said.
Laurie uploaded the modified files onto an NXP JCOP card, which is a
programmable contactless smartcard. He then tested whether it would
work using a Golden Reader tool validated by ICAO.
Laurie said it had taken him 12 minutes to read the original card, but
that he and fellow security researchers Jeroen van Beek and Peter
Gutmann had then done additional work.
"This demonstrates the technology is not a universal panacea," said
Laurie.
date: Fri, 7 Aug 2009 16:59:21 -0700 (PDT)
author: November 5
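Added example, not part of the original post or the article and not code from Laurie or the Home Office: a toy model of the reader-side weakness the article describes (the card decides which checks run, and the signer is not checked against any central trust list) beside a reader that takes both decisions from its own policy. Data group names follow the article; the keys, card contents and the use of HMAC as a stand-in for the issuer's public-key signature are assumptions made for illustration.

```python
import hashlib, hmac

# Constructed trust store: fingerprints of issuer keys the reader accepts.
# HMAC stands in for the issuer's real public-key signature (assumption).
ISSUER_KEY = b"constructed-issuer-key"
TRUSTED_SIGNERS = {hashlib.sha256(ISSUER_KEY).hexdigest()}
REQUIRED_GROUPS = {"DG1", "DG2", "DG3", "DG14"}  # fixed by reader policy, not by the card

def make_card(groups, signer_key):
    """Build a constructed card: data groups, their hashes, a signature over the hashes."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in groups.items()}
    blob = repr(sorted(hashes.items())).encode()
    return {"groups": groups, "hashes": hashes, "signer_key": signer_key,
            "signature": hmac.new(signer_key, blob, hashlib.sha256).hexdigest()}

def _self_consistent(card):
    """True if hashes match the files and the signature matches the key shipped on the card."""
    for name, data in card["groups"].items():
        if card["hashes"].get(name) != hashlib.sha256(data).hexdigest():
            return False
    blob = repr(sorted(card["hashes"].items())).encode()
    expected = hmac.new(card["signer_key"], blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, card["signature"])

def card_driven_check(card):
    """Reader behaviour as described in the article: verify only what the card presents."""
    return _self_consistent(card)

def policy_driven_check(card):
    """Hardened reader: mandatory files and signer trust come from reader-side policy."""
    missing = REQUIRED_GROUPS - set(card["groups"])
    if missing:
        return False, "missing " + ",".join(sorted(missing))
    if hashlib.sha256(card["signer_key"]).hexdigest() not in TRUSTED_SIGNERS:
        return False, "untrusted signer"
    if not _self_consistent(card):
        return False, "hash or signature mismatch"
    return True, "ok"

GENUINE = make_card({"DG1": b"MRZ", "DG2": b"face", "DG3": b"finger",
                     "DG14": b"aa-key"}, ISSUER_KEY)
# Constructed altered card: DG1 changed, DG14 absent, re-signed with an unknown key.
ALTERED = make_card({"DG1": b"MRZ-changed", "DG2": b"face", "DG3": b"finger"},
                    b"unknown-key")
# Constructed card with every file present but signed by an unknown key.
RESIGNED = make_card({"DG1": b"MRZ-changed", "DG2": b"face", "DG3": b"finger",
                      "DG14": b"x"}, b"unknown-key")
```

The card-driven check accepts both GENUINE and ALTERED because the altered card is internally consistent; the policy-driven check rejects ALTERED for the missing file and RESIGNED for the unknown signer.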