Universities which use the popular and inexpensive Onity (nee TESA) lock systems, despite their overall problems, gain a bit of security from this problem in that the track used by the locks is written at a nonstandard high bitrate that throws off inexpensive reader/writers. This actually helps prevent duplication, although it's only a measure against people without the resources to obtain the Onity equipment.
Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control. So you need to train people to maintain physical custody of the credential and make it as difficult as possible to guess at a valid credential.
When cards are used for security identification purposes, the easiest thing to do (and this goes for NFC, RFID, etc) is to generate a long, non-sequential, random card value that is related to the identity of the person only by some database you control. That is, write your 9-digit student ID number to the card for convenience, but when checking identity read out a 16-byte random value that you put on the card just for this purpose. This at least requires that an imposter gain access to the card at some point (to skim it).
Ultimately, the best thing you can do in the context of identification cards is to verify the user photograph online. This is done actively by some police departments and guards in high-security installations by looking up the ID in an online system to retrieve the details and photograph of the cardholder for verification. This is also done passively in some high-security installations, for example by placing a monitor above an entry door that displays the photograph of each person unlocking the door, for casual verification by anyone nearby (particularly any guard nearby).
Physical access control is my favorite research area.
Actually, verifying user photos is pretty common, not just in high-security areas. The residence halls at the university I went to had this setup as far back as the late 90s. --You had a proximity card that was read at the door, and your photo popped up on the computer.
The gym I go to now does the same. --It's an easy way to prevent multiple people from trying to share a card.
> Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control.
This type of control is the point of smart cards. The card contains a private key which can't be extracted (or at least is difficult to extract and may involve destroying the card) and a processor that can do signing operations which prove to the kiosk/register/whatever that the card is physically present.
I went to a University in Virginia and ours, and other surrounding VA universities were equally insecure.
We each had a 9 digit code that looked like 10XXXXXXX. These numbers were incremented from one student or faculty to the next.
The only track that mattered was track 2. It had your 9 digit code, followed by a the school code (3 digits), followed by a "lost card digit" that was incremented each time a card was lost (obviously mod 10 here).
So if my ID was 100000001, I went to school 002, had lost my card two times, my current card's Track 2 would say: 1000000010022
Needless to say there are tons of things that can be done here. From getting access to rooms does not, to getting free lunches.
Pretty interesting things. I told my school and they didn't really care at all (as expected). The potential loss from this is so low that it they didn't bother since abusing these issues would get you arrested and expelled pretty quick.
In reality, it is probably pretty serious. This student id is used somewhat as a School social security number. You can take tests as other students or impersonate other students in a lot of different situations.
Back in 2005, I was at Rochester Institute of Technology, and our ID cards encoded our student ID... which was also our social security number. The Student Government made you take attendence by student ID number for certain functions, so at one point as officer of one of the campus's major clubs I was sitting with a spreadsheet of the names and socials of >1000 students.
They were also low-cap magstripes, and the checksums were predictable. Inventive students had a database of a few all-access keycards that were used to sneak into the tunnels under the academic buildings at all hours of the night...
if the school lets you take tests without a more secure way of authorizing yourself that speaks for itself
i personally teach a course at a university of applied science and it makes me always wonder how bad the whole online-systems are - and that starts with identification of the student
identity is the base of trust but it is by heart not dependent on technology (which we all think so much about)
a modern digital signature cannot be forged easily, a "normal" signature can be done easily - but still we believe the analogue medium is more secure because it is a norm of our society
one of the best examples for use of non-secure technology is usage of two-channel communication for authorization using TEXT Messages via SS7 protocol, one of the most unsecure protocols but considered okay in combination with the first channel running via TLS
Nice writeup. I did something much like this in 2002 or 2003. The main difference was that I was malicious, trying to steal money from other students.
I went to Rochester Institute of Tech. The number shown on your card and encoded on the mag stripe were your ID number.
I had plastic card printers and an encoder so making a fake was no problem. The design was simple so it didn't take me long to make one that looked exactly like the real thing.
How did I get numbers to encode? At that time they distributed grades to students in folders outside each department's office. These grade sheets had your full ID number on them. All I had to do was dig through the folders and take grade sheets from people who hadn't bothered picking theirs up.
I think I only used one or two numbers to buy some stuff from The Corner Store. I was mainly doing it to see if I could, credit card fraud was far more profitable.
One of the worst parts about it was that the student IDs were your social security number. Had I wanted to I could have easily used the data and fake IDs for identity theft.
I'm kind of curious - since this was for a class it was kind of allowed but was there any fine lines that you weren't allowed to cross when doing research for the exploit? I assume as long as you didn't hurt the university's reputation (such as getting bad press) or caused massive amounts of monetary damage you would probably not get into trouble.
In your judgement how common do you feel this exploit would be across other university IDs in the country, or just IDs in general? Did your research uncover any data in that regard one way or the other?
I'm just remembering my ID card...and my sister's...and my brother's. We used those for literally everything.
Very interesting. I attended OSU. I bet most of universities have the similar kind of security holes. They probably use the fact that not too many people can exploit those technical security flaws as the single line of defense.
It was well written and had simple to follow examples. Plus it was interesting to see such a blatant security hole... Any follow up from the university on it?
Sorry if that wasn't clear in the post, I'll revisit it. The university took down that URL when I presented the vulnerability to them. So that site has been down for roughly a year.
Did the same thing at my university years ago. I was able to duplicate and switch IDs on the fly with just one device (part of a senior electrical engineering project that is way too public). Things like COIN are appearing on the market, making duplication far too easy. Having physical access to student ID cards means you can clone them, you need something that does bidirectional authorization if you want to be secure but that costs too much and takes time to upgrade. Easier to lock down the important stuff with ID + something (fingerprint or PIN) if you really want to solve this problem.
This isn't just a problem with just universities. I have a card reader as well, and any site that issues swipe-able ID cards is more than likely susceptible. You would be surprised how many use an incrementing ID that you can easily impersonate another user.
The equipment needed to create fake cards (not just blanks) that look good is trivial to purchase.
I would be curious if OSU built or bought this system to issue cards. If they built it, shame of them. If they bought it, shame on them as well. Any security audit would have caught this clearly. Cards like any interface require good design for use and security.
I think you hit the nail on the head here - this isn't a super sophisticated reverse engineer. Total equipment cost is $300 (for one that prints a full color front!) and you could theoretically impersonate anyone on a wide array of systems.
In your node.js script, once you find the first ID number couldn't you just starting testing ID's less than and greater than the found ID since it's more than likely an incremented ID?
[+] [-] jcrawfordor|11 years ago|reply
Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control. So you need to train people to maintain physical custody of the credential and make it as difficult as possible to guess at a valid credential.
When cards are used for security identification purposes, the easiest thing to do (and this goes for NFC, RFID, etc) is to generate a long, non-sequential, random card value that is related to the identity of the person only by some database you control. That is, write your 9-digit student ID number to the card for convenience, but when checking identity read out a 16-byte random value that you put on the card just for this purpose. This at least requires that an imposter gain access to the card at some point (to skim it).
Ultimately, the best thing you can do in the context of identification cards is to verify the user photograph online. This is done actively by some police departments and guards in high-security installations by looking up the ID in an online system to retrieve the details and photograph of the cardholder for verification. This is also done passively in some high-security installations, for example by placing a monitor above an entry door that displays the photograph of each person unlocking the door, for casual verification by anyone nearby (particularly any guard nearby).
Physical access control is my favorite research area.
[+] [-] tallanvor|11 years ago|reply
The gym I go to now does the same. --It's an easy way to prevent multiple people from trying to share a card.
[+] [-] hamburglar|11 years ago|reply
This type of control is the point of smart cards. The card contains a private key which can't be extracted (or at least is difficult to extract and may involve destroying the card) and a processor that can do signing operations which prove to the kiosk/register/whatever that the card is physically present.
[+] [-] steakejjs|11 years ago|reply
We each had a 9 digit code that looked like 10XXXXXXX. These numbers were incremented from one student or faculty to the next.
The only track that mattered was track 2. It had your 9 digit code, followed by a the school code (3 digits), followed by a "lost card digit" that was incremented each time a card was lost (obviously mod 10 here).
So if my ID was 100000001, I went to school 002, had lost my card two times, my current card's Track 2 would say: 1000000010022
Needless to say there are tons of things that can be done here. From getting access to rooms does not, to getting free lunches.
Pretty interesting things. I told my school and they didn't really care at all (as expected). The potential loss from this is so low that it they didn't bother since abusing these issues would get you arrested and expelled pretty quick.
In reality, it is probably pretty serious. This student id is used somewhat as a School social security number. You can take tests as other students or impersonate other students in a lot of different situations.
[+] [-] GauntletWizard|11 years ago|reply
They were also low-cap magstripes, and the checksums were predictable. Inventive students had a database of a few all-access keycards that were used to sneak into the tunnels under the academic buildings at all hours of the night...
[+] [-] gombotzd|11 years ago|reply
i personally teach a course at a university of applied science and it makes me always wonder how bad the whole online-systems are - and that starts with identification of the student
identity is the base of trust but it is by heart not dependent on technology (which we all think so much about) a modern digital signature cannot be forged easily, a "normal" signature can be done easily - but still we believe the analogue medium is more secure because it is a norm of our society
one of the best examples for use of non-secure technology is usage of two-channel communication for authorization using TEXT Messages via SS7 protocol, one of the most unsecure protocols but considered okay in combination with the first channel running via TLS
[+] [-] scuba7183|11 years ago|reply
[+] [-] driverdan|11 years ago|reply
I went to Rochester Institute of Tech. The number shown on your card and encoded on the mag stripe were your ID number.
I had plastic card printers and an encoder so making a fake was no problem. The design was simple so it didn't take me long to make one that looked exactly like the real thing.
How did I get numbers to encode? At that time they distributed grades to students in folders outside each department's office. These grade sheets had your full ID number on them. All I had to do was dig through the folders and take grade sheets from people who hadn't bothered picking theirs up.
I think I only used one or two numbers to buy some stuff from The Corner Store. I was mainly doing it to see if I could, credit card fraud was far more profitable.
One of the worst parts about it was that the student IDs were your social security number. Had I wanted to I could have easily used the data and fake IDs for identity theft.
[+] [-] samsnelling|11 years ago|reply
[+] [-] nadams|11 years ago|reply
[+] [-] remarkEon|11 years ago|reply
I'm just remembering my ID card...and my sister's...and my brother's. We used those for literally everything.
[+] [-] dferlemann|11 years ago|reply
[+] [-] pyrox420|11 years ago|reply
[+] [-] feelslikefelt|11 years ago|reply
[+] [-] joshtgreenwood|11 years ago|reply
[+] [-] samsnelling|11 years ago|reply
[+] [-] stealthflyer|11 years ago|reply
[+] [-] omgitstom|11 years ago|reply
The equipment needed to create fake cards (not just blanks) that look good is trivial to purchase.
I would be curious if OSU built or bought this system to issue cards. If they built it, shame of them. If they bought it, shame on them as well. Any security audit would have caught this clearly. Cards like any interface require good design for use and security.
[+] [-] samsnelling|11 years ago|reply
[+] [-] jtsan|11 years ago|reply
[+] [-] mralvar|11 years ago|reply
[+] [-] samsnelling|11 years ago|reply
[+] [-] noblethrasher|11 years ago|reply
[+] [-] samsnelling|11 years ago|reply
[+] [-] mralvar|11 years ago|reply
[+] [-] pauldcox|11 years ago|reply
[+] [-] sfall|11 years ago|reply
[+] [-] smcquaid|11 years ago|reply
[+] [-] samsnelling|11 years ago|reply