Who can you believe?

I was disturbed to read about Adam Laurie’s claim that he successfully cloned and changed the data on a UK Identity Card. I was also concerned to read the Home Office response that “This story is rubbish”.

It’s sad that neither side can articulate a respectable account of the claimed weakness and why this might or might not present a problem. Publishing a sensational account in a national newspaper is certainly not a professional way of managing a potential security weakness. But neither is a simple four-word denial from the Home Office.

All technologies, standards and implementations have weaknesses. The trick in the science of security management is to apply defence-in-depth controls to mitigate the associated risks. Without an insight into these controls, it’s impossible to tell if a system is adequately secure. Personally, I would be astounded if the system was as wide open as Adam Laurie suggests, given the considerable expertise available to the Home Office.

One trend this story does reflect is the inevitable growth in FUD, spin and disinformation that is an intrinsic feature of an information society. It’s just unfortunate to see this happening within the information security profession.  


http://news.zdnet.co.uk/security/0,1000000189,39709652,00.htm?user_rating=1 and http://www.richardskingdom.net/could-cracked-id-cards-provide-privacy-protection put together suggest that Adam Laurie's modifications to the data are detectable, but only if a chargeable online check against the National Identity Register is made, which is unlikely for less valuable transactions.

Your comments are unfair on Adam who has been trying to address this issue with the Government for quite some time (over a year). He isn't "doing a kaminsky" here, he is genuinely trying to help out while being blanked by the powers that be. The true story here is that the government are unable or unwilling to listen to a highly skilled and well meaning security community in the UK.

Hmm.. If you're trying to make a serious point with such a demonstration, it should be done in front of a group of qualified observers, rather than a journalist. The involvement of the Daily Mail suggests a publicity stunt. I don't doubt that Adam has discovered some vulnerabilities. However in the absence of any evidence, they remain at best theoretical. It's a shame that Adam chose to approach the Home Office through a Daily Mail reporter, rather than publishing an academic paper, which would have been harder for the Home Office to ignore.

It looks like the usual ePassport cloning trick that we've seen a couple of times now. How often do they intend to repeat this old hat? And as for: "However, Laurie said he had circumvented this measure by simply replacing the digital certificate and checksums with his own. This works because the ICAO public key directory used by the government, which is supposed to authenticate the digital certificates centrally, has had no government input yet, he said." Of course, if you don't verify the certificate chain there is no security. Sign it yourself or let Elvis sign it, it doesn't matter. But where is the proof that nobody will check the certificate in real-world (border) control systems (that do not yet exist)? After all, it is mandatory in all PKI systems...
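
The point made in the last comment, as an added example that is not part of the original post or its comments: a verifier that checks the data signature only against the certificate presented with the data accepts re-signed data, while one that first validates that certificate against a trusted root rejects it. Textbook RSA over small Mersenne primes stands in for a real signature scheme, and every name, key and card field here is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keygen(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (illustration only)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def sig_ok(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def issue_cert(issuer_key, subject_n):
    """Constructed 'certificate': subject public key plus the issuer's signature over it."""
    return {"n": subject_n, "issuer_sig": sign(issuer_key, str(subject_n).encode())}

def make_card(signer_key, cert, data):
    return {"data": data, "sig": sign(signer_key, data), "cert": cert}

def verify_naive(card):
    # Trusts whatever certificate the chip presents: proves only internal consistency.
    return sig_ok(card["cert"]["n"], card["data"], card["sig"])

def verify_chain(card, trusted_root_n):
    # First require the presented certificate to be signed by the trusted root.
    cert = card["cert"]
    if not sig_ok(trusted_root_n, str(cert["n"]).encode(), cert["issuer_sig"]):
        return False
    return verify_naive(card)

# Constructed sample data: a root, a legitimate signer and a self-made key.
root, signer, other = keygen(521, 607), keygen(107, 127), keygen(61, 89)
genuine = make_card(signer, issue_cert(root, signer["n"]), b"name=A. Holder")
resigned = make_card(other, issue_cert(other, other["n"]), b"name=Someone Else")

if __name__ == "__main__":
    for label, card in (("genuine", genuine), ("re-signed", resigned)):
        print(label, verify_naive(card), verify_chain(card, root["n"]))
```

Only `verify_chain` distinguishes the two cards, and it can do so offline as long as the verifier holds the trusted root key.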