

Hacking Oklahoma State University's Student ID - samsnelling
http://snelling.io/hacking-oklahoma-state-university-student-id

======
jcrawfordor
Universities which use the popular and inexpensive Onity (nee TESA) lock
systems, despite their overall problems, gain a bit of security from this
problem in that the track used by the locks is written at a nonstandard high
bitrate that throws off inexpensive reader/writers. This actually helps
prevent duplication, although it's only a measure against people without the
resources to obtain the Onity equipment.

Outside of physical tricks like this (and various physical anti-deduplication
tricks that are surprisingly limited), duplication is really not something you
can ever control. So you need to train people to maintain physical custody of
the credential and make it as difficult as possible to guess at a valid
credential.

When cards are used for security identification purposes, the easiest thing to
do (and this goes for NFC, RFID, etc) is to generate a long, non-sequential,
random card value that is related to the identity of the person only by some
database you control. That is, write your 9-digit student ID number to the
card for convenience, but when checking identity read out a 16-byte random
value that you put on the card just for this purpose. This at least requires
that an imposter gain access to the card at some point (to skim it).

Ultimately, the best thing you can do in the context of identification cards
is to verify the user photograph online. This is done actively by some police
departments and guards in high-security installations by looking up the ID in
an online system to retrieve the details and photograph of the cardholder for
verification. This is also done passively in some high-security installations,
for example by placing a monitor above an entry door that displays the
photograph of each person unlocking the door, for casual verification by
anyone nearby (particularly any guard nearby).

Physical access control is my favorite research area.
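The "random value tied to identity only through your own database" design in the comment above, as an added Python example (not code from the post or from any university's system; the in-memory dictionary stands in for the issuer's database and all card values are constructed):

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the "database you control": hash of the card's
# random token -> holder record. Only a hash is stored, so a leak of this
# table does not hand out values that could be written onto a blank card.
CARD_DB: Dict[str, dict] = {}

def _token_key(token: bytes) -> str:
    return hashlib.sha256(token).hexdigest()

def issue_card(student_id: str) -> dict:
    """Issue a card: the 9-digit ID goes on the card for convenience, plus a
    fresh 16-byte random token, which is the only value identity checks trust."""
    assert len(student_id) == 9 and student_id.isdigit()
    token = secrets.token_bytes(16)
    CARD_DB[_token_key(token)] = {"student_id": student_id, "active": True}
    return {"student_id": student_id, "token": token}

def revoke_card(card: dict) -> None:
    """Mark a lost or replaced card's token as dead; the ID itself is unchanged."""
    CARD_DB[_token_key(card["token"])]["active"] = False

def verify_card(card: dict) -> Optional[dict]:
    """Return the holder record (for the photo lookup, etc.) or None.
    The student ID printed on the card is never used as the lookup key, so a
    card carrying a guessed ID without a valid token resolves to nothing."""
    rec = CARD_DB.get(_token_key(card["token"]))
    if rec is None or not rec["active"]:
        return None
    # Cross-check the convenience field in constant time; a genuine token
    # paired with someone else's ID is rejected too.
    if not hmac.compare_digest(rec["student_id"].encode(), card["student_id"].encode()):
        return None
    return rec
```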

~~~
hamburglar
> Outside of physical tricks like this (and various physical anti-
> deduplication tricks that are surprisingly limited), duplication is really
> not something you can ever control.

This type of control is the point of smart cards. The card contains a private
key which can't be extracted (or at least is difficult to extract and may
involve destroying the card) and a processor that can do signing operations
which prove to the kiosk/register/whatever that the card is physically
present.
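The challenge-response idea in the comment above, as an added Python example (not the commenter's code). The post describes a private key and signing; to stay within the standard library this simulation substitutes an HMAC key shared between card and issuer, a labelled simplification, and all identifiers are constructed:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

class SmartCard:
    """Simulated card: the key never leaves the object, only MACs over challenges do.
    (Stand-in for the non-extractable private key the comment describes.)"""
    def __init__(self, card_id: str, key: bytes) -> None:
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.card_id.encode() + challenge, hashlib.sha256).digest()

class Terminal:
    """Kiosk/register side: issues fresh challenges and checks the responses."""
    def __init__(self, key_db: Dict[str, bytes]) -> None:
        self._key_db = key_db
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, card_id: str, challenge: bytes, response: bytes) -> bool:
        # Each challenge is honoured once, so a captured response cannot be replayed,
        # and a copy of the card's static data cannot answer a new challenge.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        key = self._key_db.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, card_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo_presence() -> bool:
    """Genuine card passes; replaying its response or reusing it for a new challenge fails."""
    key = secrets.token_bytes(32)
    card = SmartCard("100000001", key)
    term = Terminal({"100000001": key})
    c = term.challenge()
    r = card.respond(c)
    ok = term.verify("100000001", c, r)
    replay = term.verify("100000001", c, r)                 # same challenge again
    stale = term.verify("100000001", term.challenge(), r)   # old answer, new challenge
    return ok and not replay and not stale
```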

~~~
jcrawfordor
Smart cards are super cool! The number of real applications is pretty limited,
though, with computer authentication being almost all of them (payment cards,
yes, but the fallback to 'conventional' processing negates a lot of the
advantage). I think that challenge-response NFC authentication will make this
kind of technique more practical for physical access control applications.

~~~
hamburglar
My view is that the scenarios described in the paper basically amount to
"computer authentication", and smartcards would be completely warranted (and
not at all unreasonable to implement) here.

------
steakejjs
I went to a University in Virginia and ours, and other surrounding VA
universities were equally insecure.

We each had a 9 digit code that looked like 10XXXXXXX. These numbers were
incremented from one student or faculty to the next.

The only track that mattered was track 2. It had your 9 digit code, followed
by the school code (3 digits), followed by a "lost card digit" that was
incremented each time a card was lost (obviously mod 10 here).

So if my ID was 100000001, I went to school 002, had lost my card two times,
my current card's Track 2 would say: 1000000010022

Needless to say there are tons of things that can be done here. From getting
access to rooms does not, to getting free lunches.

Pretty interesting things. I told my school and they didn't really care at all
(as expected). The potential loss from this is so low that they didn't
bother since abusing these issues would get you arrested and expelled pretty
quick.

In reality, it is probably pretty serious. This student id is used somewhat as
a School social security number. You can take tests as other students or
impersonate other students in a lot of different situations.
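A parser for the track 2 layout the comment describes (9-digit ID, 3-digit school code, lost-card digit), together with the reissue check that digit is there to support, as an added Python example that is not the commenter's code; the registry and the sample record 1000000010022 are constructed:

```python
import re
from typing import Dict, NamedTuple

class Track2(NamedTuple):
    student_id: str   # 9 digits, e.g. 100000001
    school_code: str  # 3 digits, e.g. 002
    lost_digit: int   # incremented (mod 10) each time the card was reissued

# Layout from the comment: 9-digit ID + 3-digit school code + 1 lost-card digit.
_TRACK2_RE = re.compile(r"^(\d{9})(\d{3})(\d)$")

def parse_track2(data: str) -> Track2:
    m = _TRACK2_RE.fullmatch(data.strip())
    if not m:
        raise ValueError(f"not a 13-digit track 2 record: {data!r}")
    return Track2(m.group(1), m.group(2), int(m.group(3)))

# Constructed issuance registry: the lost-card digit that is current for each ID.
# A real card office would keep this in its database.
REGISTRY: Dict[str, int] = {}

def report_lost(student_id: str) -> int:
    """Reissue a card: bump the lost-card digit mod 10 and record the new value.
    Note the wrap: after ten reissues an old card's digit becomes current again."""
    REGISTRY[student_id] = (REGISTRY.get(student_id, 0) + 1) % 10
    return REGISTRY[student_id]

def swipe_is_current(data: str, expected_school: str) -> bool:
    """Accept only the most recently issued card for that ID. A swipe whose
    lost-card digit is stale (a previously lost card) is rejected."""
    try:
        t = parse_track2(data)
    except ValueError:
        return False
    if t.school_code != expected_school:
        return False
    return REGISTRY.get(t.student_id, 0) == t.lost_digit
```

The check only closes the lost-card case; it does nothing about a card encoded from a guessed ID, which is the weakness the thread is about.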

~~~
scuba7183
What do you mean by "school code"? Wouldn't they all be the same for everyone
at your university?

~~~
gresrun
There are many schools in a university. School of Engineering, School of
Music, etc.

In most U.S. universities there is a hierarchy: university contains colleges
which contain schools.

~~~
davb
And for comparison, my experience of Scottish (and possibly other UK country)
universities has been:

University -> Faculty (e.g. Faculty of Technology) -> School (e.g. School of
Engineering) -> Department.

But this does vary from institution to institution.

~~~
smcl
Not sure about the rest of the unis down south, but I definitely remember
Cambridge and Oxford have some sort of "college" system which had no real
relation to your subject (i.e. you could read Philosophy at _Foo_ College,
Oxford, or _Bar_ College, Oxford). Maybe someone oxbridge-y can clarify.

------
driverdan
Nice writeup. I did something much like this in 2002 or 2003. The main
difference was that I was malicious, trying to steal money from other
students.

I went to Rochester Institute of Tech. The number shown on your card and
encoded on the mag stripe was your ID number.

I had plastic card printers and an encoder so making a fake was no problem.
The design was simple so it didn't take me long to make one that looked
exactly like the real thing.

How did I get numbers to encode? At that time they distributed grades to
students in folders outside each department's office. These grade sheets had
your full ID number on them. All I had to do was dig through the folders and
take grade sheets from people who hadn't bothered picking theirs up.

I think I only used one or two numbers to buy some stuff from The Corner
Store. I was mainly doing it to see if I could, credit card fraud was far more
profitable.

One of the worst parts about it was that the student IDs were your social
security number. Had I wanted to I could have easily used the data and fake
IDs for identity theft.

------
samsnelling
Well I'll be honest, didn't expect this post to make it up HN. Happy to answer
questions or field comments.

~~~
nadams
I'm kind of curious - since this was for a class it was kind of allowed but
were there any fine lines that you weren't allowed to cross when doing research
for the exploit? I assume as long as you didn't hurt the university's
reputation (such as getting bad press) or cause massive amounts of monetary
damage you would probably not get into trouble.

~~~
samsnelling
We had pretty strict guidelines to follow to be a part of the InfoSec class. We
basically signed a waiver at the beginning saying that if we did exploit
something, we would be subject to expulsion. It was a "theory" based class and
all actual research had to be done within a certain IP range in a particular
computer lab.

With that said, this was the final report that I made in the Winter of 2013. I
presented it Spring 2014 to the University staff. And now, graduated, with
over a full 12 months behind it, I felt comfortable to post it.

~~~
grecy
They were not upset you made a "blank" ID card and tried to borrow a Surface
Pro with it then use it at a cafe?

I personally think you might have crossed the line on actually using it.

~~~
colinbartlett
These folks found a gaping security hole that can be exploited to gain
physical access to secured areas as well as charge fraudulent financial
transactions. I can't imagine the university getting upset with checking out a
library book.

~~~
rwallace
You would be astonished at how crazy people can get. Honestly, the author of
this study took a huge risk and got lucky. If you're thinking of doing
anything like this in similar circumstances, DON'T carry out similar actions
without first obtaining written permission for _each specific_ action.

------
joshtgreenwood
Looks like
[https://app.it.okstate.edu/idcard/](https://app.it.okstate.edu/idcard/) is
down.

~~~
samsnelling
Sorry if that wasn't clear in the post, I'll revisit it. The university took
down that URL when I presented the vulnerability to them. So that site has
been down for roughly a year.

~~~
joshtgreenwood
That's great. A "one year later" update would be fun to read. I'm curious what
changes (if any) came about from this.

------
stealthflyer
Did the same thing at my university years ago. I was able to duplicate and
switch IDs on the fly with just one device (part of a senior electrical
engineering project that is way too public). Things like COIN are appearing on
the market, making duplication far too easy. Having physical access to student
ID cards means you can clone them, you need something that does bidirectional
authorization if you want to be secure but that costs too much and takes time
to upgrade. Easier to lock down the important stuff with ID + something
(fingerprint or PIN) if you really want to solve this problem.

------
omgitstom
This isn't a problem with just universities. I have a card reader as
well, and any site that issues swipe-able ID cards is more than likely
susceptible. You would be surprised how many use an incrementing ID with which
you can easily impersonate another user.

The equipment needed to create fake cards (not just blanks) that look good is
trivial to purchase.

I would be curious if OSU built or bought this system to issue cards. If they
built it, shame on them. If they bought it, shame on them as well. Any
security audit would have caught this clearly. Cards, like any interface,
require good design for use and security.

~~~
samsnelling
I think you hit the nail on the head here - this isn't a super sophisticated
reverse engineer. Total equipment cost is $300 (for one that prints a full
color front!) and you could theoretically impersonate anyone on a wide array
of systems.

------
jtsan
In your node.js script, once you find the first ID number couldn't you just
start testing IDs less than and greater than the found ID since it's more
than likely an incremented ID?

------
mralvar
Hey fellow poke! I'm an MSIS undergrad. I actually had this exact idea over
coffee, great work.

~~~
samsnelling
Go pokes :)

------
noblethrasher
Nice write up. Just curious, how many of us are still in or near Stillwater
(even in OK)?

~~~
samsnelling
Can't speak for anyone else, but I'm currently in OKC.

~~~
infosecpoke
I ended up in Iowa.... After a 6 year run on the East Coast straight out of
college. Good article. Go Pokes.

------
smcquaid
I am going to take a guess that you failed to publish the contents of
encrypted track 3 due to INTEGRAl security concerns from your university?

~~~
samsnelling
Oklahoma State Student IDs did not use Track 3. We only encoded track 1 & 2
on the blank card.

