The year is 2014 and I was deep into the research into shortcomings of Chilean (and other Latam countries) privacy protection (you can see my talk here). I discovered that the data inside the PDF417 barcode on the old Chilean ID card was stored in cleartext and therefore vulnerable to tampering. Additionally, some of the services provided by the state (e.g. tax authorities) were vulnerable to impersonation attacks.
I was curious about how other countries in the continent had implemented the security on the old technology that they were all using, which was mainly barcodes like PDF417. So I started googling for samples of IDs from several countries in Latam, but they were all using cleartext info inside the barcodes (and where's the fun in that?). I then stumbled into an example from Costa Rica. I proceeded to scan the barcode but to my surprise, instead of getting the usual personal details of the person in question I just got some garbled data. This was a sign that the data had been encrypted or encoded somehow.
I needed more samples of ID cards in order to perform a better analysis, so I kept looking and found a newspaper article that talked about an old lady that had just turned 100 years. The journalist described the old lady's secrets for longevity and published some pictures of her birthday party (yes, mariachis were involved) as well as a close up picture of her national ID card, to prove her age apparently.
Here is where it gets interesting - the common data fields on these cards are: name, date of birth, national ID number and fingerprint minutiae. Every citizen that wants to obtain a national ID card, needs to show up in a civil registry office and provide their biometric data (fingerprints) so that they can be added to the encoded barcode. However, some exemptions can be made for people missing their limbs, or people with mobility difficulties, like a 100-year young people.
Analysing the data inside the barcode of this specific sample I was able to easily detect a repeating pattern. Finding a repeating pattern in what seemed like garbled bytes was a good sign. It became clear then that because the fingerprint was missing, that field was filled with null bytes.
In a simple XOR cipher, a string of text is encrypted by applying a XOR operator to every character using a given key. This means that if you apply the XOR operation to zeroes (like the empty fingerprint minutiae field), the result is the key itself! With the knowledge of the key it was then trivial to decrypt the data of any Costa Rican ID card.
So... Thanks Doña Placida, my oldest hacking partner - wherever you might be.
