Home Office unlikely to accept ID card cloner's offer of demonstration

The Home Office is unlikely to respond to an invitation to see how a UK identity card was cracked and cloned.

The Home Office is unlikely to respond to an invitation to see how a UK identity card was cracked and cloned.

A Home Office spokesman confirmed it had received an offer from Adam Laurie, an expert in radio frequency identification (RFID) technology, to demonstrate how he cloned a government-issued ID card with little more than a mobile phone and a laptop.

The spokesman said the Home Office was developing an industry-wide approach to implementation and security issues associated with the card and could not respond to individual matters. He could not give details of how or when such an approach would be made.

Security features

"The identity card includes design and security features that are extremely difficult to replicate," the Home Office said in a statement. Earlier it described the widely reported story of Laurie's hack as "rubbish".

Laurie told Computer Weekly that he was waiting for the Home Office to respond to his offer to disclose how he did it. He said it was normal among security researchers to give suppliers a chance to fix security breaches in their systems before taking the matter further.

Laurie said he had been interested in security weaknesses with respect to the RFID technology used in the UK's e-Passports. He had wondered if there were similar weaknesses in the ID card, which is now being issued to foreign nationals. "It turns out there are," he said.

Fake ID card

Laurie corrected one aspect of earlier reports that he had changed and added information to the original card. "What I did was use the information on the card as a template for a new card that I wrote my own data to," he said.

That data included a digitised picture of himself, his digitised fingerprints, and a message that read, "I am a terrorist - shoot me on sight."

"That data was read and accepted by the Golden Reader tool, which is the same reader used at border control to read the passports, and presumably by the readers that the Home Office has still to issue," said Laurie.

The Golden Reader tool was developed by secunet Security Networks AG for the German Federal Office for Information Security (BSI). It is a piece of software designed to read passports securely. It supports extensive cryptographic methods and has been used widely to test the interoperability of ID systems.

A German researcher, Lukas Grunwald, demonstrated at the 2006 Black Hat security conference how he used Golden Reader to clone an ICAO (International Civil Aviation Organisation) e-Passport of the type issued in Britain.

The Home Office spokesman said, "The card readers we will deploy will undertake chip authentication checks that the card [Laurie] claims to have produced will not pass."

Read more on IT risk management