Sunday, August 9, 2009

ID Card anyone?

White Hat Hacker Cracks UK ID Card In 12 Minutes

Bit off topic, but relevant to the UK economy if true, as false information on cards could be used by anyone for financial gain.

Posted by hotfoot @ 08:39 PM (1279 views)
Please complete the required fields.

6 thoughts on “ID Card anyone?

  • There are a lot more things out there from electronic passes to credit and oyster cards that use rfid technology, for this reason alone rest assured that there are many many people out there playing around with these devices and other than a basic laptop all you need is a couple of pieces of cheap hardware to get you going.

    I imagine that the good old oyster card will be one of the first to be cracked and used for personal gain – if it hasn’t already done!

    Please complete the required fields.

  • Did a little deeper and you realise that all Adam Laurie managed to do was to read the data off the card. He then said “look I could produce another card now” but he didn’t actually do it. This is akin to saying “Look! I’ve taken an imprint of your door key. So now I can open all the doors in the land!”

    Makes for exciting Daily Mail articles but it’s not very accurate news.

    Please complete the required fields.

  • Actually, this is the most technical overview of what he did. According to his own words:

    Laurie said he had circumvented this measure by simply replacing the digital certificate and checksums with his own. This works because the ICAO public key … is supposed to authenticate the digital certificates centrally, has had no government input yet, he said”

    This is like someone saying that they can unlock a door by pressing the door catch so they don’t need a key (the issue being that they can only press the catch when the door’s open).

    Please complete the required fields.

  • george monsoon says:

    Paul, I agree, the locally stored cert and key are currently “open”, so anyone could change it, but any link with the central database to validate the card would throw it out as fake… however…. I manage a lot of government systems, and I would not be surprised if many “valid” ID cards had problems. The real issue is that the security is very complex and the system that manages it will need to be absolutely resilient to anything. The software will probably need to be tweaked on an on-going basis to combat hackers and resolve “hidden features” and as we know.. software updates to correct a problem will generate 10 more problems that didnt exist before the upgrade. I hope the Tory’s get in next time, before this monster is unleashed on the public.

    Please complete the required fields.

  • @george

    There are two issues here. One is the acceptability of ID cards, another is the security of ID cards. Let’s separate views on the acceptability of ID cards from the security issue.

    When it comes to security I can say pretty categorically that after the ID card is secured, a simple hack like this won’t be possible. They’re probably using RSA encryption and hashing, which is a very simple mathematical hashing function. It relies on the principle that it is almost impossible to correctly guess two prime numbers from their sum. It is extremely secure not because it is complex but actually because it is very simple.

    To ‘guess’ the key you would need to work through more combinations than there are atoms in the visible universe. Think about that just for a second. There are more atoms in a glass of water than there are glasses of water in the world’s seas.

    The people in central government developing this technology are probably not stupid (although granted, their bosses might be) so their claim that it won’t be cloneable will almost certainly be true. Remember most of the most significant advances in technology were developed by government agencies.

    I don’t work for the government by the way.

    That security seal can’t be broken by any supercomputer today and not for another 20 years at least. No tweaking will be required there.

    Whether ID cards are a good idea is another matter.

    Please complete the required fields.

  • @enuii

    Oyster has been cracked about a year ago. It’s a fairly generic technology used over the world.
    TFL know about it and say that they have ways of telling who has a cracked card, but I’m sure that’s fairly easy to get around, by replacing the cards once in a while for instance.

    ID cards are going to be an expensive failure, and the government doesn’t care whether they succeed or fail. It’s the database that contains everything we say, do, buy and look at on the internet that they’re after. Who needs telescreens?

    Please complete the required fields.

Add a comment

  • Your email address is required so we can verify that the comment is genuine. It will not be posted anywhere on the site, will be stored confidentially by us and never given out to any third party.
  • Please note that any viewpoints published here as comments are user´s views and not the views of
  • Please adhere to the Guidelines

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>