Home Office shrugs off ID card hack demo

A researcher who claims to have cloned a UK identity card has had his offers to demonstrate the security breach turned down by the Home Office.

Adam Laurie said he had made repeated approaches to the government department since December to show how he had managed to clone and modify the chip on an ID card belonging to a foreign student. However, those approaches were rebuffed, Laurie and Steve Boggan, the investigative journalist working with the researcher, told ZDNet UK.

“There has been no invitation or request from the Home Office to demonstrate the flaws in this technology,” said Boggan. “We have suggested a demonstration [to the Home Office].”

However, the Home Office said it had asked Laurie to provide the cloned card to it a “couple of weeks ago”, but as he had not done so, the hacking claim was unsubstantiated.

Laurie claimed the ID card was cloned and the personal details on the chip changed, in an article by Boggan in the Daily Mail on Wednesday.

“This story is rubbish,” the Home Office said in a statement. “We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened.”

However, Laurie said on Friday he had not been approached by the Home Office and that it was “bizarre” the government department would claim to have requested to see evidence from him. “The Home Office has never been in direct contact with me,” he said. “If they can produce documentary evidence or a paper trail of an invitation, I’d be interested to see it.”

The researcher added that he would be more than happy to demonstrate the cloning and modification technology to UK government officials.

“The way I work is through responsible disclosure,” said Laurie. “The only reason we went public is that the Home Office had refused repeated approaches from us and we want to make sure they make the cards secure.”

Security experts have long questioned the viability of the prospective UK ID cards and David Blunkett, the architect of the scheme, admitted in April there had been a “massive drop” in public confidence in ID cards.

The chip that was modified uses the technology that will be used in cards for UK citizens, according to Laurie. Criminals could forge or obtain physical plastic cards and then insert modified chips into them, he warned.

To clone the chip, Laurie said he used a generally available USB radio frequency identification reader, the Omnikey 5321 Reader, in combination with his own RFIDIOt code. These were used to read the chip on the foreign student’s card and to then transfer the personal information onto a PC.

A hacker could use a suitably equipped mobile phone, such as the Nokia 6131, to read the information, the researcher said. However, it is easier to use a modified RFIDIOt tool to download data from the card onto a PC, he added.

Laurie said he successfully managed to download all of the data from the chip, except for the fingerprint information. He later created replacement fingerprint data from scratch using a biometric file standard called CBEFF.

“We weren’t able to produce a direct clone of the card, but it didn’t matter, as we were later able to add fingerprint details,” Laurie said.

Personal data is stored on the card using the ICAO 9303 passport standard, Laurie said. The data is segregated into files called ‘data groups’. While there are 16 potential data group fields, not all of them are used, Laurie said.

Four of the fields important to the breach are Data Group 1 (DG1), which contains information in the machine-readable zone (MRZ) on a passport; DG2, which contains the facial image; DG3, which contains the fingerprint image; and DG14, which contains the digital certificate used for active authentication.

DG14 contains active authentication cryptographic safeguards, which are meant, in part, to ensure that the card has not been tampered with.

However, when a card is presented to a reader, the card itself tells the reader whether it should check for a digital certificate. This makes the safeguards ineffectual, as removing the data group removes the check, said Laurie.

“If the file is not present on the card, the reader doesn’t ask for it,” said Laurie. “The card dictates to the reader what security checks to do, and since I control the card, I can tell it to do no security checks.”

The digital certificate also guarantees the authenticity of the other data groups on the card. Each file has a cryptographic signature or checksum that is checked against the digital certificate. The idea is that if any of the files are tampered with, the cryptographic signature will no longer be valid.

However, Laurie said he had circumvented this measure by simply replacing the digital certificate and checksums with his own. This works because the ICAO public key directory used by the government, which is supposed to authenticate the digital certificates centrally, has had no government input yet, he said.
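The two verifier-side decisions described above, which data groups must be present and which document signer is trusted, are what separate a reader that accepts a re-signed card from one that rejects it. The following is an added illustration, not code from Laurie, RFIDIOt or any ICAO tool: it models a card as a set of data groups plus a security object holding their hashes and the signer certificate, and contrasts a permissive verifier (the card's own security object decides what is checked and who is trusted) with a strict one (a required-data-group list and a trust store of country signing certificates, as a populated public key directory would provide, belong to the verifier). The RSA keys, certificate names and data group contents are all constructed here; the toy RSA is deliberately tiny and stands in only for the real signatures so the trust-chain logic runs offline.

```python
import hashlib
import json
from dataclasses import dataclass

# ---- toy RSA: constructed, far too small for real use; it stands in for the real
# ---- CSCA / document-signer signatures so the trust-chain checks below run offline.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # (public, private)

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)

@dataclass
class Cert:                    # simplified document-signer certificate (constructed layout)
    subject: str
    pubkey: tuple
    issuer: str
    sig: int                   # issuer's signature over tbs()

    def tbs(self):
        return json.dumps([self.subject, list(self.pubkey), self.issuer]).encode()

def issue_cert(subject, pubkey, issuer, issuer_priv):
    c = Cert(subject, pubkey, issuer, 0)
    c.sig = toy_sign(issuer_priv, c.tbs())
    return c

@dataclass
class SOD:                     # security object: hashes of the data groups, signed by the DS
    dg_hashes: dict            # data group number -> sha256 hex of the DG content
    ds_cert: Cert
    sig: int

    def tbs(self):
        return json.dumps({str(k): v for k, v in self.dg_hashes.items()}, sort_keys=True).encode()

def build_sod(data_groups, ds_cert, ds_priv):
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in data_groups.items()}
    sod = SOD(hashes, ds_cert, 0)
    sod.sig = toy_sign(ds_priv, sod.tbs())
    return sod

def permissive_verify(card):
    """The behaviour the article describes: the card's own SOD decides which data groups
    exist and whose certificate to trust, so a card re-signed with any key passes."""
    dgs, sod = card
    if not toy_verify(sod.ds_cert.pubkey, sod.tbs(), sod.sig):
        return False, "bad SOD signature"
    for k, h in sod.dg_hashes.items():
        if hashlib.sha256(dgs.get(k, b"")).hexdigest() != h:
            return False, f"DG{k} hash mismatch"
    return True, "accepted"

def strict_verify(card, trust_store, required_dgs):
    """Verifier-side policy: the signer must chain to a CSCA in the trust store, and the
    list of data groups that must be present comes from the verifier, not the card."""
    dgs, sod = card
    csca_pub = trust_store.get(sod.ds_cert.issuer)
    if csca_pub is None or not toy_verify(csca_pub, sod.ds_cert.tbs(), sod.ds_cert.sig):
        return False, f"document signer '{sod.ds_cert.subject}' does not chain to a trusted CSCA"
    if not toy_verify(sod.ds_cert.pubkey, sod.tbs(), sod.sig):
        return False, "bad SOD signature"
    missing = sorted(k for k in required_dgs if k not in dgs or k not in sod.dg_hashes)
    if missing:
        return False, f"required data groups missing: {missing}"
    for k, h in sod.dg_hashes.items():
        if k not in dgs or hashlib.sha256(dgs[k]).hexdigest() != h:
            return False, f"DG{k} hash mismatch"
    return True, "accepted"

def demo():
    # Constructed keys: a national CSCA, the document signer it certifies, and an attacker's own pair.
    csca_pub, csca_priv = toy_keypair(1000000007, 998244353)
    ds_pub, ds_priv = toy_keypair(1000000009, 999999937)
    rogue_pub, rogue_priv = toy_keypair(2147483647, 104729)
    trust_store = {"CSCA-TOY": csca_pub}             # what a populated PKD would give the verifier
    ds_cert = issue_cert("DS-TOY-01", ds_pub, "CSCA-TOY", csca_priv)

    genuine_dgs = {1: b"MRZ:ID<<DOE<<JANE", 2: b"<face image bytes>",
                   3: b"<fingerprint template>", 14: b"<active-auth key info>"}
    genuine = (genuine_dgs, build_sod(genuine_dgs, ds_cert, ds_priv))

    # The tampered card of the article: DG1 rewritten, DG14 dropped, fingerprint data
    # made up, and the whole thing re-signed under a self-issued signer certificate.
    rogue_cert = issue_cert("DS-ROGUE", rogue_pub, "DS-ROGUE", rogue_priv)
    forged_dgs = {1: b"MRZ:ID<<SMITH<<JOHN", 2: genuine_dgs[2], 3: b"<made-up CBEFF record>"}
    forged = (forged_dgs, build_sod(forged_dgs, rogue_cert, rogue_priv))

    required = {1, 2, 14}                            # verifier policy, independent of the card
    return {"genuine_permissive": permissive_verify(genuine),
            "forged_permissive": permissive_verify(forged),
            "genuine_strict": strict_verify(genuine, trust_store, required),
            "forged_strict": strict_verify(forged, trust_store, required)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The permissive verifier accepts both cards, because every check it performs is parameterised by data the card supplies. The strict verifier rejects the forged card at the first step, before it looks at any data group, because the rogue signer chains to nothing in the trust store; it would equally reject a card from a trusted signer that omitted DG14, since the required list is the verifier's.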

Laurie uploaded the modified files onto an NXP JCOP card, which is a programmable contactless smartcard. He then tested whether it would work using a Golden Reader tool validated by ICAO.

Laurie said it had taken him 12 minutes to read the original card, but that he and fellow security researchers Jeroen van Beek and Peter Gutmann had then done additional work.

“This demonstrates the technology is not a universal panacea,” said Laurie.

Tom Espiner, ZDNet.co.uk