The UK National Identity Card can be cloned and altered by IT security experts.
Colour me unsurprised.
The consultants who carried out this work are from the same community of experts who have been warning [pdf] that the cards would be cracked since the Home Office first disclosed the mechanics of the scheme.
The alterations can be detected with a check against the National Identity Register (assuming this hasn’t also been compromised); however, each such look-up will cost around £2. The Government expects the majority of transactions will be authorised through local checks rather than referring back to the central database.
Once someone automates the attack and publishes their code on the Internet, anyone with half a brain, the right mobile phone and access to the world-wide web will be able to change their Government-issued identity at will. As the cards use RFID chips this could be done in seconds while on the move. You wouldn’t even have to remove your card from your wallet.
Disturbingly, your card could also be changed without your knowledge by someone standing close to you, or from dozens of feet away with the right sort of radio antenna hooked up to a portable computer. The process leaves no trace, so when your card is subsequently checked against the database and is found to have been modified, it will be impossible to determine when the changes were made or by whom.
Possessing a falsified ID card could land you with a fine and up to two years in gaol. Owning the equipment or software needed to make the changes could be enough to win you a decade-long stay at Her Majesty’s pleasure. [Identity Cards Act 2006 s25 and s29].
If it weren’t for these stiff penalties, I’d be tempted to suggest the ability to change the details on your own ID card is an unintended benefit of the scheme, not for the Government but for those who value their privacy.
The National Identity Register will store fifty different classes of information about you in a collection of linked databases. The Transformational Government project (also known as the Database State initiative) plans to share all of this information with any official who cares to look. This is the antithesis of the “least privilege” security principle: that people should be given access to just enough sensitive information to do their job, but no more. For example, you may wish to tell your doctor about your medical history but not about your bank balance or speeding fines. The ID card scheme wrests from you control over your personal information and gives it to the state: it will not be possible for individuals to choose which “registrable facts” about them are made available to whom.
It would be possible to regain some of this control, however, if we were able to change at will the details stored on our own ID cards. Facts that we are not willing to share could be either falsified, replaced with nonsense or erased. A mobile phone “identity management” application could be written to store multiple personality profiles for your ID card. Using this, you could switch between personae as the need arises, perhaps even employing your phone’s in-built GPS chip to make sure the “Mr. Smith” profile is on the card when you’re at the Doctor’s surgery and the “Mr. Jones” profile is active when visiting your bank. Being able to compartmentalise your relationships with third parties in this way would be a very strong personal privacy measure.
Yep, that’s right, I have just suggested committing fraud to regain some control over your identity in the event that you are made subject to the ID cards scheme. It’s a damning indictment of the relationship between UK citizens and the state that we should have cause to consider this at all. It’s a more damning indictment of the Government’s competence and character that it chose to pursue this illiberal scheme despite strident warnings and opposition from just about everyone who knows anything about security and technology. “We told them so” brings cold comfort after so much money and freedom has been wasted.
As each nail in the coffin of the ID cards scheme is hammered home, the true motivation of the Home Office in pursuing such an abysmal farce becomes ever more clear. If the Government understood security and respected individual privacy they would allow each of us to choose how much personal information we want to reveal to others. Instead they are trying to assume control over our identity, to nationalise it in a register that is not only a gross violation of the right to a private life, but will also lock those who conform into a system of fines and a lifetime of administrative strife. All in the pursuit of the ultimate bureaucratic convenience.
The confirmation that ID cards are totally insecure is a mortal wound. If the Government doesn’t now scrap this benighted scheme then we must scrap this Government at the General Election.
UPDATED 10/8/09 14:00 to add:
The Home Office has apparently turned down repeated offers to demonstrate this breach by the researchers who discovered it. A spokesperson said that the story was rubbish. The Home Office has published details of the encryption technologies used by the ID cards scheme.
I’m disappointed, but not surprised, that the Home Office thinks security is a product which, if sprinkled liberally over a system in a manner similar to magic pixie dust, will somehow make it impervious to attack. It’s no good having “elliptic-curve cryptography” and “root certificates with RSA 4096-bit strength keys” if the system allows these things to be tampered with or circumvented.
Props to the Home Office spin department though: releasing the geeky details has distracted at least some of the press from holding them to account on the principles of the scheme.