Thursday, 6 August 2009

12 minutes to clone UK identity card

A disturbing article in the Daily Mail reports that it took computer expert Adam Laurie just 12 minutes to clone and fake a UK identity card borrowed from a foreign student (foreign nationals living in the UK have to have ID cards). (More on Adam Laurie and biometric passports, Bluetooth.)

He just used a standard Nokia mobile phone and read the information on the RFID chip embedded in the borrowed ID card, and copied it to a blank plastic smart card (the Oyster card is an example of a smart card). Tada, clone!

That's right, details on an ID card can be stolen and duplicated. Bye bye privacy and security, hello identity theft.

Another expert, computer security consultant Jeroen van Beek, then led a team which, based on the work of computer scientist Peter Gutmann, changed and "relocked" the data on the datagroup files in the clone's chip so that it would be accepted as genuine. Tada, fake card!

The "look and feel" of an identity card can be duplicated to pass a visual inspection (or blank cards can be stolen). The fake card might not pass a check against the National Identity Register database, but at £2 a pop to check against it not everyone will bother (and no doubt organised crime / terrorists will be able to inject false details into that database in due course - too many people already have access to the National Identity Register's "precursor").

But it did pass a check using the Golden Reader Tool, software produced by the UN International Civil Aviation Organisation to read and validate electronic IDs and passports according to the standards they set. (The Mail had to download the software instead of trying the falsified card in a UK card reader, as no official electronic card readers are available yet in the UK except at borders.)

Security has got to be paramount with something like this, and the Daily Mail experiment proves that UK identity cards are far from secure; it's much too easy to fake or reprogram them, clearly. Indeed ID cards may even make life much easier for organised criminals and terrorists, as people may well believe government assurances on security and too readily accept faked cards as genuine.

Given that the final ID card for UK nationals (see UK ID card design recently unveiled) is likely to be similar to the one cloned and faked by the Mail's experts, and certainly said to use the same technology, all this is very worrying indeed.

It's even more worrying that UK Home Office officials' reaction to this seems to have been the equivalent of sticking their fingers in their ears and going "La la la".

See further the detailed Daily Mail article, which is a must read. (See also Why RFID chips (passports / ID cards) are stupid.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.