Adam Laurie Hacks UK ID Card in 12 Minutes

by Jordan Yerman | August 7, 2009 at 09:35 am

Hacker Adam Laurie has hacked the new UK national ID Card in 12 minutes, cloning its stored data for use on a forged card.

51,000 of these cards are in the hands of foreign nationals who are living and working in Britain, and the UK government keeps saying that the cards are unforgeable. Of course, nothing is unforgeable. The Daily Mail article below jumps straight on the terrorism scare train, but the more likely scenario is a glut of fake IDs that anyone reading them will presume to be real, because the scanner never lies. Which is true. It's the card that's lying.

Again, nothing is unbreakable.

Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.

He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

With a few more keystrokes on his computer, Laurie changes the cloned card so that whereas the original card holder was not entitled to benefits, the cloned chip now reads 'Entitled to benefits'.

The Home Office denies the hack claim, repeating once again that the ID cards are unhackable, even as Adam Laurie requests meetings with the Home Office that keep getting canceled. Just saying "Laurie is lying" while refusing to actually meet with him does not inspire confidence.

The Home Office has dismissed the report. "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson.

Whom would you believe: the hacker who claims to have broken an ID card, or the government body that's trying to sell you an ID card? Who do you think knows more about this stuff?

Pythiian1

According to zdnet.co.uk:

Personal data is stored on the card using the ICAO9303 passport standard, Laurie said. The data is segregated into files called 'data groups'. While there are 16 potential data group fields, not all of them are used, Laurie said.

Four of the fields important to the breach are Data Group 1 (DG1), which contains information in the machine readable zone (MRZ) on a passport; DG2, which contains the facial image; DG3, which contains the fingerprint image; and DG14, which contains the digital certificate used for active authentication.

DG14 contains active authentication cryptographic safeguards, which are meant, in part, to ensure that the card has not been tampered with.

However, when a card is presented to a reader, the card itself tells the reader whether it should check for a digital certificate. This makes the safeguards ineffectual, as removing the data group removes the check, said Laurie.
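
The reader-side flaw described in the comment above, as an added example that is not part of the original article or comment: a simplified Python model in which an HMAC with a constructed key stands in for the DG14 safeguard, comparing a reader that lets the card decide whether the check runs with one that enforces its own list of required data groups. The key, the `REQUIRED_GROUPS` policy and all card contents are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key: an HMAC stands in for the issuer-backed safeguard
# the comment places in DG14. Real cards use public-key cryptography.
ISSUER_KEY = b"constructed-demo-key"

# Reader-side policy (assumption): groups this document type must carry.
REQUIRED_GROUPS = {"DG1", "DG2", "DG3", "DG14"}


def protect(groups):
    """Return a copy of the card with a DG14 tag over the other groups."""
    body = b"".join(k.encode() + groups[k] for k in sorted(groups))
    return {**groups, "DG14": hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()}


def tag_is_valid(card):
    """Recompute the tag over every group except DG14 and compare."""
    body = b"".join(k.encode() + card[k] for k in sorted(card) if k != "DG14")
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card["DG14"])


def card_driven_reader(card):
    """Fail-open: checks the safeguard only when the card presents DG14."""
    if "DG14" in card:
        return tag_is_valid(card)
    return True  # nothing to check, so the card is accepted


def policy_driven_reader(card):
    """Fail-closed: the reader decides what must be present and verified."""
    if not REQUIRED_GROUPS.issubset(card):
        return False
    return tag_is_valid(card)


def sample_cards():
    """Constructed cards: genuine, altered with DG14 kept, altered with DG14 absent."""
    genuine = protect({"DG1": b"MRZ: constructed holder", "DG2": b"face", "DG3": b"fingerprint"})
    altered = {**genuine, "DG1": b"MRZ: someone else"}
    stripped = {k: v for k, v in altered.items() if k != "DG14"}
    return genuine, altered, stripped
```

Both readers reject the altered card while DG14 is present; only the policy-driven reader still rejects it once DG14 is absent, because the decision to verify no longer depends on what the card chooses to present.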

First Flagged at 10:20 AM, Aug 7, 2009 by Pythiian1
