
The Home Office is unlikely to respond to an invitation to
see how a UK identity card was cracked and cloned.
A Home Office spokesman confirmed it had received an offer from
Adam Laurie, an expert in radio frequency identification (RFID)
technology, to demonstrate how he cloned a government-issued ID
card with little more than a mobile phone and a laptop.
The spokesman said the Home Office was developing an
industry-wide approach to implementation and security issues
associated with the card and could not respond to individual
matters. He could not give details of how or when such an approach
would be made.
Security features
"The identity card includes design and security features that
are extremely difficult to replicate," the Home Office said in a
statement. Earlier it described the widely reported story of
Laurie's hack as "rubbish".
Laurie told Computer Weekly that he was waiting for the Home
Office to respond to his offer to disclose how he did it. He said
it was normal among security researchers to give suppliers a chance
to fix security breaches in their systems before taking the matter
further.
Laurie said he had been interested in security weaknesses with
respect to the RFID technology used in the UK's e-Passports. He had
wondered if there were similar weaknesses in the ID card, which is
now being issued to foreign nationals. "It turns out there are," he
said.
Fake ID card
Laurie corrected one aspect of earlier reports that he had
changed and added information to the original card. "What I did was
use the information on the card as a template for a new card that I
wrote my own data to," he said.
That data included a digitised picture of himself, his digitised
fingerprints, and a message that read, "I am a terrorist - shoot me
on sight."
"That data was read and accepted by the Golden Reader tool,
which is the same reader used at border control to read the
passports, and presumably by the readers that the Home Office has
still to issue," said Laurie.
The Golden Reader tool was developed by secunet Security Networks
AG for the German Federal Office for Information Security (BSI). It
is a piece of software designed to read passports securely. It
supports extensive cryptographic methods and has been used widely
to test the interoperability of ID systems.
A German researcher, Lukas Grunwald, demonstrated at the 2006
Black Hat security conference how he used Golden Reader to clone
an ICAO (International Civil Aviation Organisation) e-Passport of
the type issued in Britain.
The Home Office spokesman said, "The card readers we will deploy
will undertake chip authentication checks that the card [Laurie]
claims to have produced will not pass."