The Cache: Technology Expert's Forum
 
*
Welcome, Guest. Please login or register. October 14, 2019, 06:09:07 PM

Login with username, password and session length


Pages: [1]
  Print  
Author Topic: UK national ID card cloned in 12 minutes  (Read 2691 times)
rcjordan
Lifer
*****
Offline Offline

Posts: 882


View Profile
« on: August 06, 2009, 11:48:46 AM »

...rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

http://www.computerweekly.com/Articles/2009/08/06/237215/uk-national-id-card-cloned-in-12-minutes.htm

-----

I am continually amazed that government believes that they can somehow secure RFID chips for the long term.  I'm beginning to suspect, though, that they are purposely remaining ignorant "for official convenience."
Logged
perkiset
Olde World Hacker
Administrator
Lifer
*****
Offline Offline

Posts: 10096



View Profile
« Reply #1 on: August 06, 2009, 05:22:54 PM »

Really dark black hats are just ITCHING for things like this to become the societal norm.
And that everyone will trust that they are safe.

Imagine, some bonehead politician thinking that his little piece of tech (developed years and years ago) is actually safe from anyone *today*. I know what I was doing 20 years ago, and with a little time back in the game what I could do now. That's what scares me the most: I know I'm not even a pimple on a gnat's ass of a real blackhat these days... and if EYE can pull shit off, just think of what THEY can do. ::shiver::
Logged

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
nutballs
Administrator
Lifer
*****
Offline Offline

Posts: 5627


Back in my day we had 9 planets


View Profile
« Reply #2 on: August 06, 2009, 07:21:44 PM »

things like this though wont affect you and me. We at least pay attention, and try to be aware.
As a result, my shit will be in cage-wallets.
Right now I dont care because the only thing they could skim is my CC, which i am protected anyway, so meh.
my passport is old, so no rfid there either.
so is my DL.

but next ID thing I get, new wallet time....
Logged

I could eat a bowl of Alphabet Soup and shit a better argument than that.
rcjordan
Lifer
*****
Offline Offline

Posts: 882


View Profile
« Reply #3 on: August 07, 2009, 10:20:43 AM »

>Right now I dont care because the only thing they could skim is my CC, which i am protected anyway, so meh.
my passport is old, so no rfid there either.

Same here.  Wallet shields are definitely on the will-do-sometime list.

BTW, I locked all my credit with a freeze back in November. I was the guinea pig to see what happened with a total credit reporting shutdown ....even the bank couldn't tell me what kind of false positives this move might trigger over the long term. No adverse effects like credit cards not working or not being renewed if I told the bank I'd lost one (which I do every 18 months or so to force a new number).  I just locked Louise's credit this week.
Logged
isthisthingon
Global Moderator
Lifer
*****
Offline Offline

Posts: 2879



View Profile
« Reply #4 on: August 07, 2009, 10:50:59 AM »

Quote
I am continually amazed that government believes that they can somehow secure RFID chips for the long term.  I'm beginning to suspect, though, that they are purposely remaining ignorant "for official convenience."

I spent a few years in the RFID industry and it amazes me as well.  The real issue IMO is that they continue to press the passive RFID approach when the only truly secure form with today's technology is an active RFID.  The reason is the passive chip can do nothing but sit dormant as a coil that gets "excited" with a powerful enough reader just long enough to spit out whatever information it happens to be carrying.  With an active chip (requiring a very small amount of power, solar would do with a micro rechargeable battery), the device could perform security handshakes and various other forms of double checking before being:

  • Openly readable
  • Openly re-flashable

Burning new information onto a passive RFID chip is cake - which completely circumvents any reasonable concept of security.  The company I worked for even came up with the lamest approach to RFID - human implantable (Verichip).  Just ask The Chipsons how well that went: http://www.time.com/time/magazine/article/0,9171,214099,00.html

And: http://www.worldproutassembly.org/archives/2008/03/meet_the_chipso.html

It's nearly impossible to prevent re-flashing an RFID whether passive or active (assuming it's not shielded and usable/readable).  However, if it's active it can essentially "self destruct".  In other words, it can render the information useless by revealing that it's been tampered with, like a PC case that's been opened, since a non-flashable matching key exists as well for pairing the writable data.  Then at least the card, etc. wouldn't allow someone into a secure area.
Logged

I would love to change the world, but they won't give me the source code.
rcjordan
Lifer
*****
Offline Offline

Posts: 882


View Profile
« Reply #5 on: August 07, 2009, 11:28:10 AM »

ID card cannot be hacked, UK Government claims

http://www.computerweekly.com/Articles/2009/08/07/237247/id-card-cannot-be-hacked-uk-government-claims-encryption-secrets.htm
Logged
nutballs
Administrator
Lifer
*****
Offline Offline

Posts: 5627


Back in my day we had 9 planets


View Profile
« Reply #6 on: August 07, 2009, 11:32:56 AM »

Im wondering when these people in charge, and supposed experts will realize that there is nothing that is "un".
un-pickable locks. LOL
un-hackable computer. lol
un-stealable ID card. lol

1 thing I have been trying to figure out is why for ID cards and payment cards and such, they insist on using contact-less systems like RFID or near field.
Logged

I could eat a bowl of Alphabet Soup and shit a better argument than that.
isthisthingon
Global Moderator
Lifer
*****
Offline Offline

Posts: 2879



View Profile
« Reply #7 on: August 07, 2009, 11:42:52 AM »

Quote
He said the Home Office wanted the central database to record citizens' personal details in one place for official convenience.

"It is that database which will deliver unprecedented power over our lives to Whitehall and make the Home Office king in Whitehall. The card is an excuse to build the database. If the card is cancelled it already intends to use passports as a secondary excuse," he said.

 ROFLMAO ROFLMAO

Clearly a conflict of interest.  I just think 12 minutes is hilarious  Grin  If it gets provably hacked enough they'll fallback to using passports to track the data anyway; hence the conflict of interest.  Unhackable  Roll Eyes
Logged

I would love to change the world, but they won't give me the source code.
rcjordan
Lifer
*****
Offline Offline

Posts: 882


View Profile
« Reply #8 on: August 20, 2009, 11:37:17 AM »

ID card cloner offers a demonstration.  UK gov says "Ummm, maybe later, we're really busy right now. But we're sure he's wrong."

http://www.computerweekly.com/Articles/2009/08/19/237378/home-office-unlikely-to-accept-id-card-cloners-offer-of.htm
Logged
nutballs
Administrator
Lifer
*****
Offline Offline

Posts: 5627


Back in my day we had 9 planets


View Profile
« Reply #9 on: August 20, 2009, 12:13:24 PM »

i wonder if there is a sinister reason for wanting these cards to be cloneable, and not doing anything about it?
Logged

I could eat a bowl of Alphabet Soup and shit a better argument than that.
vsloathe
vim ftw!
Global Moderator
Lifer
*****
Offline Offline

Posts: 1669



View Profile
« Reply #10 on: August 20, 2009, 12:14:28 PM »

...only truly secure form with today's technology is an active RFID.  The reason is the passive chip can do nothing but sit dormant as a coil that gets "excited" with a powerful enough reader just long enough to spit out whatever information it happens to be carrying.  With an active chip (requiring a very small amount of power, solar would do with a micro rechargeable battery), the device could perform security handshakes and various other forms of double checking before being:

Almost, but at the Last Hope in NYC, we proved that even active RFID is pretty trivial to hack. We (all the early signups) were given active RFID badges when we got to the conference. The idea was that we'd be tracked all throughout the hotel for the conference, and we were encouraged to hack, spoof, etc. our RFID cards and everyone else's. Plenty of people were able to do some really neat (and very scary, in a real-world scenario) stuff.
Logged

hai
rcjordan
Lifer
*****
Offline Offline

Posts: 882


View Profile
« Reply #11 on: August 20, 2009, 12:56:38 PM »

>sinister

I suspect it's more a case of "Not On My Watch" syndrome.  At first, they fall for the blue-sky sales pitch about the project, whatever that project might be. They promote the plan and become more and more vested in it. As it develops, their personal careers become more & more entwined with the outcome.  If the project goes well, great. But if it starts to spoil, the game quickly turns to one of denial and cover-your-ass.  The goal switches to obfuscation, detachment, and postponing the bad news so that it won't tarnish the resume'.
Logged
Pages: [1]
  Print  
 
Jump to:  

Perkiset's Place Home   Best of The Cache   phpMyIDE: MySQL Stored Procedures, Functions & Triggers
Politics @ Perkiset's   Pinkhat's Perspective   
cache
mart
coder
programmers
ajax
php
javascript
Powered by MySQL Powered by PHP Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks


Valid XHTML 1.0! Valid CSS!