Thursday, October 15, 2009

Worrying signs of Wear

UK’s “unhackable” national ID card hacked in 12 minutes
by Devin Coldewey on August 6, 2009

Remember the national ID cards the UK spent billions on, then forgot to distribute readers for? Well, there’s another bump on that particular road, namely that the security around your private information is about on the level of “cookie jar.” A hacker with a phone and laptop, hired by a UK newspaper, cloned the card within a few minutes, then wrote new content onto it:
“I am a terrorist — shoot on sight.” Imagine if that showed up on the checkpoint scanner while you were going through customs. Guess it’s lucky they don’t have the scanners yet!

This is only the latest misstep in the unpopular and poorly-managed national ID program over there. It’s really simple, guys. No critical information should be able to be skimmed from the ID. If you must put it digitally on the card, there’s enough space in a 128KB memory chip to fit a picture, all relevant information, and have it all encoded with 128-bit encryption only decodable by proprietary hardware with line of sight.

And, of course, those fragile chips are so vulnerable to damage. Who could blame someone if the memory component was rendered unreadable… accidentally, of course?


Source: http://www.crunchgear.com/2009/08/06/uks-unhackable-national-id-card-hacked-in-12-minutes/

1 comment:

  1. I feel tantalized by this entry, but not satisfied with the details. It breezily mentions things like “forgot to distribute readers” with no detail (I’m sure it wasn’t simple forgetting – probably something to do with economics, bureaucratic structure or technical delays). Similarly, the “It’s really simple, guys” is flip and dismissive. They have smart technologists who are fully aware of cryptography, etc. I would be more interested in knowing what tradeoffs and assumptions they made and why, and what their actual reasoning (yes, they do reason) was. Things like cryptography are nice in principle, but there are a lot of issues about who gets what keys when, etc., which aren’t so simple. I guess I resist the “You guys are so dumb” kinds of critique.

    I’m not sure what your last paragraph implies. Is it a call to sabotage? It seems that if it has to do with fragility, only people holding the card would have the power to do it, and they wouldn’t be motivated to. Maybe you’re thinking of something else.
