Government rubbishes ID card hack report

The Home Office has dismissed an apparently successful attempt to clone and edit the data on a British identity card's microchip. Adam Laurie, who has previously found similar weaknesses in the microchips on passports, rewrote data taken from a UK Border Agency identity card issued to a foreign student, according to a report …


This topic is closed for new posts.
  1. Anonymous Coward

    Simple solution...

    To shut up the government propaganda, just publish a full document detailing exactly how to do it on wikileaks. Maybe email a few newspapers and such (especially ones that don't like labour) about it too so they can publicly rubbish it too.

    Seriously, if they won't admit to the fault, and aren't going to fix it, then I say full disclosure. They've been given a chance to fix it without major consequences. If they ignore that, any fallout from someone showing the world how it's done is on their own back.

  2. Anonymous Coward

    No particular title

    It's funny that they rubbish the report, because obviously they are leading authorities in matters of security right? Oh wait...

    So how do we stop this charade? Do we vote for Conservatives? They said they will scrap this scheme. I hope they are not lying, as politicians usually do!!!

  3. Iain Malcolm

    if in doubt, stick your head up your bum

    Apparently the spokesperson is A.N. Ostrich - strange name, but there you go!

  4. matthew1471


    "design and security features that are extremely difficult to replicate." < But not impossible.

    "the most secure of its kind, fully meeting rigorous international standards." < Meeting standards does not automatically make the card secure.


  5. Lionel Baden

    agree with AC

    it would be a pity to see that amount of money wasted but it's not like it's been very well spent anyway

  6. Ted Treen
    Big Brother

    Gov't reaction?

    Fingers in ears and sing "La La La - I can't hear you".

    Anyway, even the HO should know that absence of evidence is not evidence of absence.


  7. Chris 267

    I'm torn on this one...

    While I have some sympathy with the Home Office's opinion that the story is 'rubbish' - this is the Daily Mail we're talking about - it still comes across as unbelievably arrogant.

    There is no evidence because they have not made any effort to look for any evidence, which you'd think would be the first thing they would do on hearing of such a serious allegation about such an important government project.

  8. Sabine Miehlbradt


    The Home Office has dismissed the report. "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson.

    Plain English: La La La La La. I can't hear you. [Puts fingers in ears and hides under blanket]

    Icon: We're missing a "gross stupidity" icon here.

  9. Tom Chiverton 1

    lah lah lah

    So the government's response is essentially 'we can't hear you' ? The details of the hack would be good to know, but at the end of the day "anything made by man can be remade by man".

    I assume these magic machines (the ones the government doesn't have any of yet) will follow the official advice and listen to the noise the card makes when flicked ?

  10. Anonymous Coward
    Thumb Up

    @Simple solution...

    Agreed. I believe this approach fulfils the ethical requirement of being for the general good.

  11. Anonymous Coward

    Not Listening

    La la la la la la la la la. Can't hear you!

    Bless our government.

  12. Macka

    Logo change

    Maybe the NO2ID campaign should change its logo to better reflect the Home Office position on this. One where an Ostrich has its head buried in the sand would seem to be appropriate.

  13. kyndair

    The Home Office has dismissed the report.

    By putting their fingers in their collective ears (maybe other objects in other orifices, we've yet to find out just how dumb they can collectively be) and shouting "La la la, we can't hear you. It's fine here, move along subject."

    Do these clowns seriously expect anyone to treat their utterances with any belief when they constantly lose, mail out and otherwise give away our data. They have repeatedly shown they have no idea how to secure data in any format, let alone a format that is deliberately designed to be sent out to all & sundry and read in every shop, pub and school.

    Here's a glass to a once great country that understood about personal freedoms and responsibility.

  14. Anonymous Coward
    Big Brother

    @Simple solution...

    Seconded. After all, if the hack is, as they claim, "absolute rubbish" then they have nothing to hide, and therefore, nothing to fear

  15. Anonymous Coward

    uk government...

    ..resorts to finger in the ears security

  16. Anonymous Coward
    Anonymous Coward

    The perfect fake

    The electronic version of the data stored in the card is *EASIER* to fake than the physical card itself.

    So the photo on the card is difficult to print, and laminate convincingly. But the electronic version of the photo in the chip is trivial to fake. The computer can tell the difference between 0101101 and 0101101, you can make a *PERFECT* clone and a *PERFECT* fake.

    And all the specs for this data are defined in the international standard they refer to, making it a lot easier.

    All this electronic, biometric clap trap, they would be better to make a secure PRINTED physical photo card with security screen printing on it and a telephone hotline to report suspect cards.

  17. Anonymous Coward
    Anonymous Coward

    They can't both be right, so which is it?

    Can the chip data be modified, or can't it?

  18. william 10

    Yes agree

    Yes agree - and as there is no problem there cannot be any consequences, the government cannot complain.

  19. Anonymous Coward
    Thumb Up

    Age verification

    Well, they always said ID cards will be of great interest to those who need to prove their age (for drinking etc), now it will be of great interest to those who aren't old enough but can get a hacked id card to prove they are!

    I wonder which government pleb bought the story re security on the card head line and sinker therefore can't accept it could have been compromised already!

  20. Ray0x6


    "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened"

    Uh huh. Just the kind of responsible attitude I've come to expect from government. When they do find the inevitable bugs they will be suppressed, denied and eventually legislated against. We-know-best-lets-put-our-heads-in-the-sand bullcrap.

  21. northern monkey

    Any word...

    ..from Thales on this? After all they're the ones who should know. Although perhaps they do know and are well aware that the system is far from perfect and are contracted to keep schtum about it. Perhaps the Government will admit it too, but I'm more confident that our porcine friends will fly during a rare lunar event where the face of the moon appears blue.

    Bloody government, bloody ID cards.

  22. Dave Bell

    Multiple standards?

    The UK-issued card may be compatible with the ICAO standard, but have some added checks.

    But if this security depends on keeping the whole thing secret, it's useless.

    Maybe somebody at GCHQ would qualify for a Fields Medal if they were allowed to publish. Has somebody cracked the basic math of RSA?

    Or are the politicians incompetent?

    What would Blaise Pascal bet on?

  23. Eponymous Cowherd
    Big Brother

    I'm amazed.....

    ....that anyone could hear the Home Office spokesperson. I mean he must have sounded very muffled with his head so firmly stuck in that bucket of sand.

    Joking aside, this highlights one of the biggest dangers of the ID card system. The refusal of officialdom to accept that they could, in any way, be fallible.

    If you find yourself a victim of identity theft or fraud where a UKID card was used as proof of ID then you won't see your money ever again or, worse, if you find yourself *accused* of fraud because your ID card implicated you, then expect to be a guest of Her Majesty for a few years because nobody will believe it wasn't you.

  24. seanj

    Home office Spokesperson?

    Was his previous job description "Iraqi Information Minister" by any chance?

  25. Anonymous Coward
    Anonymous Coward

    Nothing to see here, move along

    Of course, anything else would be an admission of failure, this parameter does not exist within New Labour.

    Move along, nothing to see here.

  26. Charlie Barnes

    Sack the lot of them

    "This story is rubbish"

    Because that's a qualified reply from an expert government official.

  27. Flocke Kroes Silver badge

    I'm Spartacus - my ID card proves it

    If the data on ID cards is ever used for anything, then changing it will be as easy as getting your mobile phone unlocked. Who wants to be Gordon Brown?

  28. Cameron Colley
    Black Helicopters

    RE: Simple Solution

    That would be ideal yes and, of course, as has been pointed out it shouldn't cause any legal problems because the information is supposed to be rubbish.

    I mean, nothing bad ever happened to anyone who embarrassed the government did it?

    On an unrelated note -- that David Kelly was a nice bloke, eh?

  29. Anonymous Coward
    Anonymous Coward

    They are both right (kind of)

    The data on the card can be copied, but it is digitally signed so any modifications are detectable. However, last I heard governments hadn't agreed on a key distribution mechanism, so current generation card readers don't check the signature. Hence a faked card can appear to be valid.

    Once the readers are fixed modified cards will be obvious. The Home Office is right: there is nothing wrong with the cards.

  30. Jonathan 17

    @AC 11:20

    Thankfully, digital security is a bit more advanced than that. It relies on factorising extremely large numbers using prime numbers, which themselves are impossible to guess (well, without a really really long time). Digital security can and has been done well, the point is that this is not one of those cases. That Laurie was able to access and edit the data shows it's insecure.

    But yeah, this ID card thing isn't as much about protecting identity as it is about turning us into well behaved little sheep with a number stamped on our ears, sorry I meant ID card. Really, if ID theft is a problem, then make less information available! Not more. It's database this and ID card that, but nobody at UK.Gov is willing to take responsibility when things go wrong (see the recent high court ruling on that here at El Reg) or if powers are abused (see Phorm and in cahoots).

  31. Anonymous Coward
    Anonymous Coward

    In Finland elReg is a criminal

    I suspect the wording of the Finnish anti circumvention law (the one that makes it a crime to discuss circumvention of media security measures) would make it a crime to discuss the flaw here.

    This card is a media carrier after all and we are discussing circumventing its security on an organised forum.

    But would suppression of the DISCUSSION flaws make the card any more secure? Just a side note.

  32. Ed Blackshaw Silver badge

    @Iain Malcolm

    The guy's name is actually A.N. Other, but due to a squashed bug falling into a teletype machine and subsequent rekeying error, his name is now Ostrich.

  33. Anonymous Coward
    Anonymous Coward

    Can Be Done

    "The identity card includes a number of design and security features that are extremely difficult to replicate"

    By their own admission - difficult != impossible

  34. Dr. Mouse Silver badge

    @Simple solution...

    I will add my support to this line of reasoning. It is the same with all security flaws found: Make the organisation aware of the problem, announce that there IS a problem, give organisation a reasonable time to acknowledge, then fix, the problem, then full disclosure.

    If the govt are obviously going to do nothing, publish the details in full (and preferably with an 'idiot's guide', or a GUI tool). If they ignore evidence of the problem, it is their own stupid fault, and full disclosure is the ONLY way they will listen (i.e. when cloned/faked cards start popping up all over the place and their ID card system is shown to be a total sham).

    I personally would not object to them disclosing the details immediately even if the govt had not, as so many people have pointed out, used the 'La la la, I can't hear you' approach to security. While this would be morally questionable, so are the govt's plans.

    FAIL, for obvious reasons

  35. Anonymous Coward
    Anonymous Coward

    chip passed a software check

    supplied by the International Civil Aviation Organisation"

    The ICAO don't check keys yet, which is why they want an ICAO Public Key Directory (PKD). The hack is more likely just writing to a blank card.

    They do allow for failure of biometric while granting access and point out it's an overall security plan that matters because the ID card shows nothing about intention or risk.

  36. Lyndon Hills 1
    Thumb Up

    Excellent news!

    In the event these things come in we clone one card* and post the data on wiki leaks. Then we all hack our cards to contain the same data.

    * In honour of the anti-Scientology campaign I vote we make the name Anonymous

  37. Anonymous Coward
    Anonymous Coward

    Been here before with the Land Registry

    It's a variation of Gandhi's well known saying

    First you deny it, then you rubbish it, next you say only in rare circumstances, after that you do something about it

    August 2007

    The Land Registry has attempted to dampen accusations that its online register leaves home owners open to ID fraud.

    It has denied claims by the NO2ID group that it has not paid sufficient attention to security in making mortgage deeds and leases available online, and that they could reveal information which could be used to steal an individual's identity.


    "There is no evidence that fraud has resulted from the availability of this information from Land Registry. If we receive evidence of a security risk, Land Registry in conjunction with the Ministry of Justice and the Home Office will of course investigate."

    Moving on to February 2008

    The Land Registry says there is a growing number of cases of fraudsters transferring property ownership into their names.


    Some £12m of compensation was paid out in the two financial years from 2005 to 2007.

  38. Anonymous Coward

    Typical government response...

    Typically the government response is to stick their fingers in their ears and go "NA NA NA NA NA"

    I'd certainly like to see the exploits published and proven, however the response of "this is rubbish" leaves me dismayed that this government are in the driving seat.

  39. Mike Smith

    So the story is true then...

    "We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson."

    That's all the confirmation we need.

    Never believe anything until it's been officially denied.

    Bismarck, IIRC.

  40. AchimR
    Big Brother

    @Simple Solutions

    Aye, I agree. Full disclosure on wikileaks and elsewhere would be great!

    Show the NuLab Twats how dumb they are.

  41. Anonymous Coward

    @They can't both be right, so which is it?

    I don't think you can modify the data directly on the card (yet).

    I think what he did was:

    1. Made a copy of the card (supposed to be difficult but isn't)

    2. Changed the data on the copy (the easy part)

    3. Made the copied card appear to be valid (supposed to be impossible)

    This is significant because you can make a useful fake card that only looks vaguely like the real thing but validates correctly in an electronic reader. And because it's being electronically validated, no one notices that the card is fake.

    If you're a crim or a terrorist, this is handy because when there's an arrest warrant out for you and you need to get through some sort of electronic "Ihre Papiere, bitte!" checkpoint, you can pop in your fake Jesus H. Christ id card and freely continue on your nefarious way...

    Just look at Chip & Pin: when is the last time anyone took a look at your credit card? I bet there are loads of cards in use that don't even have a signature on them, 'cos no-one ever checks!

  42. The BigYin
    Thumb Down

    Two cards?

    Have two cards. One fake, so you can get what you want at automated readers. One real for when the State Technocracy Appointed Security Inspectors want to see it.

    We don't need cards, we don't need the database, we don't need Labour and their corruption and openly fascist policies.

  43. Ben 56

    Stupidity icon

    @Sabine Miehlbradt

    I vote for a picture of Blunkett or Jackie Smith for the stupidity icon.

  44. Anonymous Coward

    Daily Fail

    In the same edition of said newspaper, there was a big full page rant about Jonathan Ross and Russell Brand.

    Have they not gotten bored of raking up non-stories? It's clap-trap like that which makes me skip past the 2-page "We hacked an ID card in 12 minutes" story.

    AC as ashamed of reading it - I hid it in a copy of Playboy to spare my blushes

  45. John G Imrie Silver badge
    Big Brother

    @ Anonymous Coward Posted Friday 7th August 2009 11:25 GMT

    Actually reading the article both could be right.

    It is possible that the data on the chip can't be altered, and apparently that was not done in this case.

    What happened was a clone of the card was made and the clone successfully altered.

    Rather like having a ROM chip and creating a clone in RAM.

    This will of course show up when the card is used at any point where a connection to the central database is required, however the number of places where this is likely to happen is shrinking as we get closer to the launch date.

  46. Anonymous Coward
    Anonymous Coward

    Meanwhile on Radio 4 now (1.55pm)

    Professor Sheila Bird of Royal Statistical Society is rubbishing Home Office use of statistics relating to need to retain DNA of those arrested (but not charged)

  47. Andrew Yeomans

    "the data on the chip cannot be changed or modified"

    Quite so. But that's not what Adam did, he made a *copy* and changed the data in the *copy*.

    As John Lettice points out at the end of, the chip is intended to help detect tampering with the information printed on the card.

    If you can make good forgeries of the card, then Adam's cloning lets you make the chip data match. But the reported Home Office statement is still factually correct, just not what it appears at first reading.

  48. Anonymous Coward
    Anonymous Coward

    Meanwhile over at HMRC

    “Our IT and online systems remain safe and secure. Criminals however constantly target computer users with viruses and phishing attacks and have managed to get hold of a small number of users’ details and passwords and made fraudulent claims for tax repayments.”

  49. Anonymous Coward

    Government's right, Daily Fail gets it wrong again

    The Government's right on this one. Shocking, I know.

    The Daily Mail didn't verify their fake card with an actual Government ID card reader, but with software intended to verify RFID passports. Thing is, since there's no method of distributing public keys for RFID passports set up yet, the software will accept anything with a valid digital signature by default. That means any Bob, Dick, or Harriet can create their own RFID passport or ID card with whatever data they like, sign it with their own key, and it'll verify - which is a famous security issue with these passports.

    The Government ID cards shouldn't have this problem - valid ones will only be signed with the Government key, and so any ID card readers *will* be able to verify that the data on the card is the official, unmodified version. Unless the Government or their contractors are even more spectacular idiots than usual, this hack won't be accepted by official ID card readers.
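Added example (not part of any comment in this thread, and not code from the Home Office, ICAO or any reader vendor): the distinction comments 29, 35 and 49 turn on, between a reader that only checks that the chip data carries a valid signature and one that also checks the signer against keys it already trusts. The `Card` layout, Ed25519 as the signature scheme, the function names and all sample data are assumptions made for illustration; this is a simplified model, not the ICAO file format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card is a simplified model of chip contents (not the ICAO file layout):
// the data, a signature over it, and the signer's public key as carried
// on the chip itself.
type Card struct {
	Data      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

var (
	ErrBadSignature    = errors.New("signature does not match chip data")
	ErrUntrustedSigner = errors.New("signer key is not in the reader's trust store")
)

// VerifySignatureOnly models a reader with no key distribution: it checks
// the signature against whatever key the card presents.
func VerifySignatureOnly(c Card) error {
	if len(c.SignerKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(c.SignerKey, c.Data, c.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyWithTrustStore adds the missing step: the signer key must also be
// one the reader already trusts (here a plain list of issuer keys).
func VerifyWithTrustStore(c Card, trusted []ed25519.PublicKey) error {
	if err := VerifySignatureOnly(c); err != nil {
		return err
	}
	for _, k := range trusted {
		if bytes.Equal(k, c.SignerKey) {
			return nil
		}
	}
	return ErrUntrustedSigner
}

// keyFromLabel derives a fixed test key so the example is repeatable.
// Constructed sample keys only; real issuer keys are never derived this way.
func keyFromLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

func sign(priv ed25519.PrivateKey, data []byte) Card {
	return Card{
		Data:      data,
		Signature: ed25519.Sign(priv, data),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// Samples returns constructed test data: the reader's trust store, a card
// signed by the issuer, a copy with one field edited and the old signature
// kept, and a copy with the edited data re-signed by an unknown key.
func Samples() (trusted []ed25519.PublicKey, genuine, edited, resigned Card) {
	issuer := keyFromLabel("constructed issuer key")
	other := keyFromLabel("constructed unknown key")
	genuine = sign(issuer, []byte("name=SAMPLE HOLDER;dob=1990-01-01"))
	changed := bytes.Replace(genuine.Data, []byte("1990"), []byte("1980"), 1)
	edited = Card{Data: changed, Signature: genuine.Signature, SignerKey: genuine.SignerKey}
	resigned = sign(other, changed)
	trusted = []ed25519.PublicKey{issuer.Public().(ed25519.PublicKey)}
	return
}

func main() {
	trusted, genuine, edited, resigned := Samples()
	for _, tc := range []struct {
		name string
		card Card
	}{{"genuine", genuine}, {"edited", edited}, {"re-signed", resigned}} {
		fmt.Printf("%-10s signature-only: %v | with trust store: %v\n",
			tc.name, VerifySignatureOnly(tc.card), VerifyWithTrustStore(tc.card, trusted))
	}
}
```

Both readers reject the edited copy that keeps the old signature; only the reader with a trust store rejects the re-signed copy, which is why the thread keeps returning to key distribution.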

  50. dave 151

    @simple solution

    well said.

    "if you've nothing to hide" etc... If it's good enough for us it's good enough for them.

  51. spam 1

    Card is pointless said this for years

    I have said for years now there is no security in the card. If clones or forged cards are useful they will be made.

    The only place there can be security (not actually saying there will be) is in the database and verification of biometrics against the database. The card has no more real use than a key to the database and a number scribbled on a bit of paper would serve just as well.

    Carrying a card provides no secure identity verification but will allow a vast number of insecure and pointless identity checks to be made making day to day life a pain in the arse for the vast majority with no real impact on the minority you do want to detect or prevent.

  52. Paper
    Big Brother

    No, no and more no

    As soon as I am forced to get an ID card I plan to take a hammer to every inch of it - good bye RFID chip...

  53. Anonymous Coward
    Anonymous Coward

    Make cloning easier

    Well the easy to copy electronic version means that the fake card on the front is easier to make (clone the data, including the digital picture, and recreate the rest of the physical card from that data).

    It wouldn't surprise me if someone opens an online store, where you can send the chip contents and get a fake card made up.

    It's very nice of them (the Home Office) to package the data in a nice electronic form, as it was, to clone the physical card would have required a very special scanner and lots of work.

    No doubt they'll make it even easier, perhaps they'll start mailing the data to you at your hotmail address!!!


    As soon as the Home Office started believing their own bullshit and stopped listening to professionals, they went off the tracks. They can make all the phoney 'research' papers they like, but winning the argument with deception in Parliament, doesn't mean squat out in the real world.

  54. Roger Stenning

    sand, head, in, bury,...

    So, original language:

    "The Home Office has dismissed the report. "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson."

    Translated so the rest of us can understand it:

    "We do not believe that this can happen, and are therefore not going to test or even explore the possibility of this report being correct. It therefore has no merit, and the card will be as insecure now as it was then. Yah Boo sucks!"

  55. Adam Salisbury

    Full Disclosure

    If Gov't won't admit there's a problem then shove the evidence under their dense, impotent noses; what's worse, showing up the epic fails of a system that'll only aid ID theft and not combat it, or letting them inflict said system on an unwilling and defenceless populace?

    These tw@dangles shouldn't be trusted with a shopping list with their track record for 'data leakage'

  56. Daniel Gould


    the easiest way around this is to ensure that the readers have access to the database these cards are generated from. Then it's as simple as comparing a checksum of the card data with that held on the database. Hardly rocket science, is it ??

    If the reader displays the digital picture on a display that they can view alongside the photo on the card, and the checksum works out, then the card is valid. Any difference, the card is void.

    Simples, as they say at comparethemeerkat :-)

  57. Anonymous Coward

    Stop the charade

    AC: "So how do we stop this charade? Do we vote for Conservatives? They said they will scrap this scheme. I hope they are not lying, as politicians usually do!!!"

    Of course they're lying. A quick examination of their recent track record will easily prove it (for example, just try getting a straight answer out of them about them giving us a referendum on Lisbon). They say one thing, but even BEFORE they're in power they're already hedging their bets in preparation for their back-tracking U-turn.

    The only party that I have seen that is adamant and unequivocal about scrapping ID cards is UKIP.

    Not only have UKIP clearly stated their intentions in their manifesto (which in and of itself is not that big of a deal, as manifestos are not legally binding) but far more importantly UKIP have teamed up with NO2ID (and NO2ID have serious credibility in this particular area and wouldn't form an alliance with UKIP if UKIP were being half-hearted about the matter).

    One example:

    After coming in 2nd place in the last Euro elections, UKIP are now going to field candidates in ALL wards nationwide in the coming UK general election. Sure, they won't win an outright majority, but then again they don't need to in order to scupper plans for the ID card scheme. They just need a decent number of seats in the House of Commons to constantly put a spanner in the works.

  58. Anonymous Coward
    Anonymous Coward

    @ AC 16:04

    The Green Party have been against ID Cards since 2004:

    So if you favour progression over regression, you can vote for them.

  59. Anonymous Coward

    Alan Johnson

    Talking about ID cards reminds me of the picture of Alan Johnson holding up his ID card recently when it was announced that ID cards would be going ahead in Manchester. If you looked real closely at the ID card would see the words SAMPLE on it. So if Alan Johnson doesn't want a real ID card, then I don't think anyone else will either.

  60. Anonymous Coward

    The distinctive sound of a worried press officer

    "This story is rubbish."

    Yeah, right.

    Beer, cos we all owe Adam one (and it's nice)

  61. John Smith 19 Gold badge

    What ID card readers?


    "The Government ID cards shouldn't have this problem - valid ones will only be signed with the Government key, and so any ID card readers *will* be able to verify that the data on the card is the official, unmodified version. Unless the Government or their contractors are even more spectacular idiots than usual, this hack won't be accepted by official ID card readers."

    Nice to be hearing from the Ministry.

    Only trouble is no one seems to have included the reader costs in the budget. Or is the last report about "Flicking" the card for its distinctive sound still about right? Can those Borders Agency passport readers be upgraded in software?

    Now what about the cost of fitting them everywhere else this administration wishes to put them. Benefit offices? Passport offices? Tescos (or wherever they plan to do the actual inputting now they have dumped the 70 new offices they were planning to get) Hospitals?

    I think the NHS will have something to say about a *very* large chunk of their cash being used in this way.

  62. Pete 8
    Thumb Down


    The alien machine-tards from Xenu that run the politician-tards can't just come out and tattoo us at birth with RFID chips, until they get people-tards completely used to being stopped and searched every hour, every where you go etc...

    Ubiquitous Security by insecurity.

    Efficiency, govt style.

    Sack them all... EMP anyone?

  63. John Smith 19 Gold badge
    Thumb Down

    cloning + changed data = whatever you want on the card

    But It won't match what's on the NIR.

    Until someone accesses the actual NIR itself

    No doubt the HO will tell you that cannot happen either.

    Does anyone else think that a system that should (by design) be secure for someone's lifetime be compromised within less than a year after its introduction?

  64. raving angry loony


    Ah yes. Looks like the Home Office has gone from "security through obscurity" straight to "security through denial".

  65. Phil 54

    @ AC 12:44

    Nobody even checked BEFORE chip & pin...

    me:going to the offie;

    flatmate: pick me up a pack of cigarettes, here's my card;

    clerk(after I pay with two different cards, signing two different names): Thank you, come again

  66. Guy Herbert
    Big Brother

    @ Andrew Yeomans

    "But the reported Home Office statement is still factually correct, just not what it appears at first reading."

    That is so often true (and almost invariably so with the IPS) that anyone reading any Home Office statement ought to consider it first: Assume it is designed to mislead, and ask yourself what is the most perverse, countercontextual, meaning that can be placed on the words. Practice this for a few months and you will be able to read Home Office fluently. (But it is quite another matter to learn to write it. You'll have to be able to see dialogue as an instrument of policy, rather than an exchange of information.)

  67. Ascylto

    Tee! Hee!

    Even if this isn't entirely true, IT WILL HAPPEN.

    The dark side of me was hoping the Manchester Congestion Charge would come into operation just so that the system could be broken within a few weeks by some teenager.

    Lo! We voted against the Manchester Congestion Charge and we're getting the money for the increased services and Metro extension anyway! Quelle surprise!

  68. Anonymous Coward

    Who really will kill the ID card?

    There is one political party which is realistically in a good position to have enough MPs (60+ already) to be able to kill ID cards - AND which has been unequivocally opposed to them since the idea first surfaced - AND which is unequivocally opposed to the rest of the nanny society/surveillance state into which we are rapidly sliding. It is the Liberal Democrats. What's more, it has a good enough slate of policies plus enough experience across the board (running big councils requires a great deal more responsibility than that exercised by the average MP) to make a decent fist of running the country, unlike UKIP, the Greens and a variety of other extreme minorities.
