Universities which use the popular and inexpensive Onity (nee TESA) lock systems, despite their overall problems, gain a bit of security from this problem in that the track used by the locks is written at a nonstandard high bitrate that throws off inexpensive reader/writers. This actually helps prevent duplication, although it's only a measure against people without the resources to obtain the Onity equipment.
Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control. So you need to train people to maintain physical custody of the credential and make it as difficult as possible to guess at a valid credential.
When cards are used for security identification purposes, the easiest thing to do (and this goes for NFC, RFID, etc) is to generate a long, non-sequential, random card value that is related to the identity of the person only by some database you control. That is, write your 9-digit student ID number to the card for convenience, but when checking identity read out a 16-byte random value that you put on the card just for this purpose. This at least requires that an imposter gain access to the card at some point (to skim it).
Ultimately, the best thing you can do in the context of identification cards is to verify the user photograph online. This is done actively by some police departments and guards in high-security installations by looking up the ID in an online system to retrieve the details and photograph of the cardholder for verification. This is also done passively in some high-security installations, for example by placing a monitor above an entry door that displays the photograph of each person unlocking the door, for casual verification by anyone nearby (particularly any guard nearby).
Physical access control is my favorite research area.
Actually, verifying user photos is pretty common, not just in high-security areas. The residence halls at the university I went to had this setup as far back as the late 90s. --You had a proximity card that was read at the door, and your photo popped up on the computer.
The gym I go to now does the same. --It's an easy way to prevent multiple people from trying to share a card.
> Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control.
This type of control is the point of smart cards. The card contains a private key which can't be extracted (or at least is difficult to extract and may involve destroying the card) and a processor that can do signing operations which prove to the kiosk/register/whatever that the card is physically present.
Smart cards are super cool! The number of real applications is pretty limited, though, with computer authentication being almost all of them (payment cards, yes, but the fallback to 'conventional' processing negates a lot of the advantage). I think that challenge-response NFC authentication will make this kind of technique more practical for physical access control applications.
My view is that the scenarios described in the paper basically amount to "computer authentication", and smartcards would be completely warranted (and not at all unreasonable to implement) here.
I went to a University in Virginia and ours, and other surrounding VA universities were equally insecure.
We each had a 9 digit code that looked like 10XXXXXXX. These numbers were incremented from one student or faculty to the next.
The only track that mattered was track 2. It had your 9 digit code, followed by a the school code (3 digits), followed by a "lost card digit" that was incremented each time a card was lost (obviously mod 10 here).
So if my ID was 100000001, I went to school 002, had lost my card two times, my current card's Track 2 would say: 1000000010022
Needless to say there are tons of things that can be done here. From getting access to rooms does not, to getting free lunches.
Pretty interesting things. I told my school and they didn't really care at all (as expected). The potential loss from this is so low that it they didn't bother since abusing these issues would get you arrested and expelled pretty quick.
In reality, it is probably pretty serious. This student id is used somewhat as a School social security number. You can take tests as other students or impersonate other students in a lot of different situations.
Back in 2005, I was at Rochester Institute of Technology, and our ID cards encoded our student ID... which was also our social security number. The Student Government made you take attendence by student ID number for certain functions, so at one point as officer of one of the campus's major clubs I was sitting with a spreadsheet of the names and socials of >1000 students.
They were also low-cap magstripes, and the checksums were predictable. Inventive students had a database of a few all-access keycards that were used to sneak into the tunnels under the academic buildings at all hours of the night...
When I was in college, 91-95, your SS# was your identifier. It was the unique code that everyone used when they needed a way to identify people.
I gotta dig it out, but I think my SS# was printed right on my school ID (and the state issued card allowing me to buy alcohol with my out of state driver's license -- Vermont).
My university (UT Dallas) once hosted a talk about privacy and security, during which they emphasized that it was important to keep your social security number as secret as possible.
Then they passed out sign-in sheets and asked us to sign in with our student IDs - which were our social security numbers.
The sign-in sheet made it through approximately half the room before someone pointed out what was happening. The organizers looked completely baffled.
if the school lets you take tests without a more secure way of authorizing yourself that speaks for itself
i personally teach a course at a university of applied science and it makes me always wonder how bad the whole online-systems are - and that starts with identification of the student
identity is the base of trust but it is by heart not dependent on technology (which we all think so much about)
a modern digital signature cannot be forged easily, a "normal" signature can be done easily - but still we believe the analogue medium is more secure because it is a norm of our society
one of the best examples for use of non-secure technology is usage of two-channel communication for authorization using TEXT Messages via SS7 protocol, one of the most unsecure protocols but considered okay in combination with the first channel running via TLS
Yes the school code was the same for everyone at the University. It differs from college to college, since this is a "solution" that the university purchases from a company.
Not sure about the rest of the unis down south, but I definitely remember Cambridge and Oxford have some sort of "college" system which had no real relation to your subject (i.e. you could read Philosophy at Foo College, Oxford, or Bar College, Oxford). Maybe someone oxbridge-y can clarify.
Nice writeup. I did something much like this in 2002 or 2003. The main difference was that I was malicious, trying to steal money from other students.
I went to Rochester Institute of Tech. The number shown on your card and encoded on the mag stripe were your ID number.
I had plastic card printers and an encoder so making a fake was no problem. The design was simple so it didn't take me long to make one that looked exactly like the real thing.
How did I get numbers to encode? At that time they distributed grades to students in folders outside each department's office. These grade sheets had your full ID number on them. All I had to do was dig through the folders and take grade sheets from people who hadn't bothered picking theirs up.
I think I only used one or two numbers to buy some stuff from The Corner Store. I was mainly doing it to see if I could, credit card fraud was far more profitable.
One of the worst parts about it was that the student IDs were your social security number. Had I wanted to I could have easily used the data and fake IDs for identity theft.
I'm kind of curious - since this was for a class it was kind of allowed but was there any fine lines that you weren't allowed to cross when doing research for the exploit? I assume as long as you didn't hurt the university's reputation (such as getting bad press) or caused massive amounts of monetary damage you would probably not get into trouble.
We had pretty strict guidelines to follow to be apart of the InfoSec class. We basically signed a waiver at the beginning saying that if we did exploit something, we would be subject to expulsion. It was a "theory" based class and all actual research had to be done within a certain IP range in a particular computer lab.
With that said, this was the final report that I made in the Winter of 2013. I presented it Spring 2014 to the University staff. And now, graduated, with over a full 12 months behind it, I felt comfortable to post it.
Even though I made a blank card, it was still encoded with my student ID number. That was the only reason it was allowed. The point of trying it was to prove that the name or discretionary data did not affect the card working.
While I definitely toed the line, I tried to be careful not to break any of the rules of the class.
These folks found a gaping security hole that can be exploited to gain physical access to secured areas as well as charge fraudulent financial transactions. I can't imagine the university getting upset with checking out a library book.
You would be astonished at how crazy people can get. Honestly, the author of this study took a huge risk and got lucky. If you're thinking of doing anything like this in similar circumstances, DON'T carry out similar actions without first obtaining written permission for each specific action.
In your judgement how common do you feel this exploit would be across other university IDs in the country, or just IDs in general? Did your research uncover any data in that regard one way or the other?
I'm just remembering my ID card...and my sister's...and my brother's. We used those for literally everything.
While my research was specific to OSU, I do know that this is a larger issue than just my alma mater. I collected student IDs from other colleges, but did not publish them as I didn't want to get into hot water.
The thing is though, a lot of these magstripe systems have problems. We brought up in the presentation that Walmart at the time was having a large problem with people encoding stolen credit card data onto gift cards. Cashiers at the time did not check driver licenses when paying with a gift card.
Very interesting. I attended OSU. I bet most of universities have the similar kind of security holes. They probably use the fact that not too many people can exploit those technical security flaws as the single line of defense.
Glad to see another Poke! I agree, you have to be fairly clever to get this far. With that said, the barrier of entry is decreasing every day with things like Coin & loop pay.
I wonder if FERPA, PCI-DSS apply here. We know they are vulnerable about student information, with extra functionality as a payment card, it is getting kinda scary.
It was well written and had simple to follow examples. Plus it was interesting to see such a blatant security hole... Any follow up from the university on it?
I appreciate it. The University definitely took it seriously at the time (the project became a neat recruiting story for the InfoSec class), however outside of taking down the website to check for ID validity, I do not believe there was any other recourse. There was such a high overhead to change systems and reissue the ID's (some professors have decade old ID's), that I think it was viewed as "not worth fixing."
Sorry if that wasn't clear in the post, I'll revisit it. The university took down that URL when I presented the vulnerability to them. So that site has been down for roughly a year.
Did the same thing at my university years ago. I was able to duplicate and switch IDs on the fly with just one device (part of a senior electrical engineering project that is way too public). Things like COIN are appearing on the market, making duplication far too easy. Having physical access to student ID cards means you can clone them, you need something that does bidirectional authorization if you want to be secure but that costs too much and takes time to upgrade. Easier to lock down the important stuff with ID + something (fingerprint or PIN) if you really want to solve this problem.
This isn't just a problem with just universities. I have a card reader as well, and any site that issues swipe-able ID cards is more than likely susceptible. You would be surprised how many use an incrementing ID that you can easily impersonate another user.
The equipment needed to create fake cards (not just blanks) that look good is trivial to purchase.
I would be curious if OSU built or bought this system to issue cards. If they built it, shame of them. If they bought it, shame on them as well. Any security audit would have caught this clearly. Cards like any interface require good design for use and security.
I think you hit the nail on the head here - this isn't a super sophisticated reverse engineer. Total equipment cost is $300 (for one that prints a full color front!) and you could theoretically impersonate anyone on a wide array of systems.
In your node.js script, once you find the first ID number couldn't you just starting testing ID's less than and greater than the found ID since it's more than likely an incremented ID?
Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control. So you need to train people to maintain physical custody of the credential and make it as difficult as possible to guess at a valid credential.
When cards are used for security identification purposes, the easiest thing to do (and this goes for NFC, RFID, etc) is to generate a long, non-sequential, random card value that is related to the identity of the person only by some database you control. That is, write your 9-digit student ID number to the card for convenience, but when checking identity read out a 16-byte random value that you put on the card just for this purpose. This at least requires that an imposter gain access to the card at some point (to skim it).
Ultimately, the best thing you can do in the context of identification cards is to verify the user photograph online. This is done actively by some police departments and guards in high-security installations by looking up the ID in an online system to retrieve the details and photograph of the cardholder for verification. This is also done passively in some high-security installations, for example by placing a monitor above an entry door that displays the photograph of each person unlocking the door, for casual verification by anyone nearby (particularly any guard nearby).
Physical access control is my favorite research area.