Wednesday, May 10, 2006

Our Paper

We (Daniel Ramsbrock, Stepan Moskovchenko, and myself) have completed our paper on the swipe card system. This paper contains technical explanations of vulnerabilities in the system as well as our recommendations for improving security.

This paper provides a comprehensive security analysis of the Lenel magnetic swipe card system used at the University of Maryland at College Park. We first explore the cards and hardware components which comprise the system, and then present several plausible points and methods of attack on the system. We chose several of these attacks and demonstrated them using a $240 commercial card reader/writer and a customized unit powered by a microcontroller, which cost about $20 in parts. We developed the capability to read cards, write arbitrary data to cards, simulate card swipes through a reader using a flux reversal pattern generator, and "sniff" data from up to 16 live swipes using a single microcontroller which can be easily hidden in the reader's housing. We tested and successfully demonstrated these capabilities on the live Lenel system under the supervision of the university's Department of Public Safety. Based on our findings, we recommend that the university use neither social security nor university ID numbers on the cards, that it use magnetic card access only in low-security areas, and that it use a more sophisticated and secure system such as proximity smart cards for access to high-security areas. While the analysis and recommendations presented in this paper are aimed at the University of Maryland, building security professionals everywhere can use the material presented here to enhance the security of their own swipe card systems.

You can download the full paper as a PDF here (GLUE@UMD Mirror).

Note: This paper has been redacted as of Sunday May 28, 2pm at the request of the University of Maryland Office of the Registrar and Department of Public Safety. We have voluntarily agreed to redact our paper while the University takes steps to improve security.

Thursday, April 27, 2006

Switch to UIDs

The system has thankfully been changed, and all students are being issued new cards which use the UID instead of the SSN on the magstripe. While this is a step forward for the security against identity theft, it only exacerbates other weaknesses in the system: half of the hardware required to attack the swipe card system is now out of the equation. You no longer need a skimmer to obtain access to someone's swipe card and all the privileges and money that grants you.

The Diamondback was kind enough to interview us and publish an article (albeit over a year late and after we could have had the opportunity to avoid a mistake like using the UID on the magstripe). Minor corrections for the article:
1) Daniel Ramsbrock is not currently a graduate student. He is completing his undergraduate degrees in Computer Science and Criminology in May 2006. He will be a graduate Master's student at UMD in the fall of 2006 in the area of Computer Security.
2) The article mentions finding someone's swipe history but does not accurately describe how to do this. It is assuredly possible, but not via the methods described in the article.
3) The article mentions a "challenged response" protocol for proximity cards. This refers to the challenge-response method of authentication where the reader issues a random 'challenge' string and the proximity smart card responds with an encrypted version of that string. This avoids transmitting the secret number stored on the card.

They also published a staff editorial, which we believe summarizes the important issues in a more accurate fashion than the article.

A better change to the system would have used random IDs to link students' cards to the database because then an attacker would need to use skimming hardware, and a successful attack would only yield access to the card--not an SSN or other, more harmful, information.

I must also clarify one point: in my original "Swiping Away Security" article, I did say that it would be just as easy to use the UID instead of the SSN. This was meant merely to illustrate that any arbitrary number could be used to uniquely identify a student and not as a specific recommendation. I used the UID as an example because everyone knows what it is, but we could just as easily generate a random string of numbers each time a card is issued. I have no reason to believe this off-the-cuff remark was actually used by the administration, but it needs to be addressed given the nature of the new system.
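An added sketch (not from the original post, the paper, or the Lenel system) of the two ideas above: a random per-card ID that links to the student record only inside the database, and the challenge-response exchange from correction 3. It uses HMAC-SHA256 as the keyed response in place of encryption; the class names, key sizes and the sample record string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class SmartCard:  # holds a random ID and a secret key; the key never leaves the card
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key

    def respond(self, challenge):
        # Keyed response to the reader's challenge (HMAC stands in for encryption).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class AccessSystem:  # reader plus back-end database (hypothetical design)
    def __init__(self):
        self._cards = {}       # random card ID -> key, student record, status
        self._pending = set()  # challenges issued and not yet answered

    def issue_card(self, student_record):
        card_id = secrets.token_hex(8)  # random: encodes no SSN or UID
        key = secrets.token_bytes(32)
        self._cards[card_id] = {"key": key, "student": student_record, "active": True}
        return SmartCard(card_id, key)

    def revoke(self, card_id):
        self._cards[card_id]["active"] = False  # lost card: reissue under a new ID

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, card_id, nonce, response):
        if nonce not in self._pending:
            return None  # unknown or already-used challenge
        self._pending.discard(nonce)  # each challenge is single-use
        entry = self._cards.get(card_id)
        if entry is None or not entry["active"]:
            return None
        expected = hmac.new(entry["key"], nonce, hashlib.sha256).digest()
        return entry["student"] if hmac.compare_digest(expected, response) else None

def demo():
    system = AccessSystem()
    card = system.issue_card("student-record-0001")  # constructed sample record
    nonce = system.challenge()
    sniffed = card.respond(nonce)  # what a tap on the reader would capture
    granted = system.verify(card.card_id, nonce, sniffed)
    replay_same = system.verify(card.card_id, nonce, sniffed)
    replay_new = system.verify(card.card_id, system.challenge(), sniffed)
    system.revoke(card.card_id)
    nonce2 = system.challenge()
    revoked = system.verify(card.card_id, nonce2, card.respond(nonce2))
    return granted, replay_same, replay_new, revoked
```

The captured response is useless against any later challenge, and revoking the random ID invalidates the card without exposing or changing anything about the student.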

Stay tuned here for updates on these issues. We hope to have a hardware demo with the administration sometime soon in addition to finishing up our paper. Please leave any comments/questions/concerns about the news articles in the comments section on this post.

Wednesday, November 02, 2005

DBK Publishes Something

Well, the Diamondback has finally deemed it appropriate to publish at least one aspect of this story. Click the link to read it, and you should also read my feedback to it if you haven't already.

I've been contacted by another news outlet, and apparently there is some interest in doing a bit more in-depth reporting on the story. So, that's exciting. I may also try to write a letter to the editor now that they have published part of it. Perhaps it will be more likely to get printed given that it will be criticizing an already published story rather than one that hasn't been at all.

Saturday, April 02, 2005

Swiping Away Security

Extra extra, hear all about it! The following is an article that The Diamondback, ostensibly a voice for the student body at Maryland, has refused to publish. Initially, they expressed great interest in publishing my story, and at least one high level editor remarked that it was going to be one of the "hottest" stories of the semester. However, due to the entrenched bureaucracy at the paper, the editors decided instead of letting an independent journalist contribute, it would be better to hand the story off to someone in-house.

The Diamondback has been stonewalling this story since February 7th. When a reporter finally came to meet with me, he did not even know that I was trying to get the story published for the rest of the student body to see. I successfully negotiated a byline with the reporter and his editor (actually, a double byline agreement where we would co-author a new version for the paper), but apparently the editor in chief of the paper did not want to give the impression "that just any student can come in and contribute." Heaven forbid!

I would have published this long ago on my own had I known the way the Diamondback would treat a concerned student trying to get his story published. Nevertheless, I am publishing it before they can claim breaking the story. We've had quite a bit of talk here about how blogging is different, and how it can effect change. Well, one of the greatest things about it is it is a truly independent publishing medium, and it is not hindered by the walls put up by established institutions. In this case, the only major student paper on campus is refusing to release critical information to the student body in order to further its own staff's resumes.

The Diamondback should be ashamed of itself.

While this piece is certainly specific to the University of Maryland, perhaps this will make other students research similar systems at their schools. Also, I defiantly press the "Publish Post" button to demonstrate that, at least on my campus, real, substantive journalism does take place outside of the Diamondback.

Swiping Away Security
By Christopher Conroy

Imagine this: as you head back to your dorm later today, you swipe your ID into one of those ubiquitous card readers that adorn practically every entryway on campus. The little light magically turns green, the door clicks, and you move on with your day, but in the time between your swipe and the green light, you just sent your Social Security number across an insecure network to a central database which the university uses to track student movement, purchases, and behaviors. Even worse, the university does not have any policy to determine who can access this Orwellian database nor does it have any kind of security policy or privacy policy in order to protect this sensitive student information. Sadly, this isn’t make-believe; this happens every single time you swipe your card.

As part of a class assignment for HONR239R (Privacy vs. In Your Face Big Government taught by Professor Jim Purtilo), I worked with Karen Scuderi to submit a series of Maryland Public Information Act requests to the university regarding records pertaining to the swipe card system. The responses we received were extremely surprising, and the student body should take careful note of the information we learned.

The first request submitted by Karen Scuderi inquired about the records kept when cards are swiped, any privacy policy relating to such records, and any records of third party purchase or knowledge of the records. David Robb, University Registrar, answered the request with a brief explanation of the inner workings of the card swipe system. According to Robb, “The ID card system neither collects nor stores any data about [card swipe] transactions.” However, we had very good reasons to believe the card system does actually store data about each swipe because another member of the class was subject to a university investigation into a theft because he had swiped into a building on the night of a theft.

I submitted the second request shortly after the first, but with a more detailed focus. I told the university why I had good reason to believe they keep such records, and I made eight specific requests for information regarding the system. Denise Andrews, University Counsel, responded to my inquiry. There exists no policy or set of guidelines that outline who is permitted to access the database with the swipe card data, and the university lacks any records of any methods used to protect the data. There is also no policy for how long the records are allowed to be kept, and therefore this data is most likely stored indefinitely by the university. According to the University Registrar, no data is stored when we swipe our cards. However, I also asked for and received a copy of my swipe access data for a two-month period last semester. Indeed, a central database keeps track of every single card swipe. When a card is swiped for building access, the exact time, date, location, and access granted or denied is recorded. Entering the Campus Recreation Facility causes a separate entry to be made in a database with the date and time. The card swipe is not only an access card but also a purchase card, and the university also tracks and stores time, location, and purchase information for every transaction at the dining facilities.

The vast amount of information that is stored for every imaginable type of use of the swipe card creates a lot of privacy concerns for our student body. Since the university has neither documented methods for protecting the data nor any list of authorized personnel who have access to the database, we have no way of knowing exactly who is looking at our personal swipe card data. An unscrupulous employee who can access this database could severely abuse this privilege, and there is absolutely no guarantee that this information has not leaked into the hands of a third party. Insurance companies would be particularly interested in the spending habits of students at the dining halls and their CRC attendance records. A determined stalker would dream of having the building access records of their target because after running the data through some simplistic statistical modeling, established patterns of movement embedded in the person’s daily routine would become clearly obvious. Or, a jealous person scared at the prospect of infidelity could keep tabs on their significant other and watch for inconsistencies of where he or she claims to be. Potential thieves could also use the building access data to easily determine when the majority of a hallway in a large residence hall is absent and thus the optimal time to execute a large scale theft. This is by no means an exhaustive list of the abusive possibilities of this data, but it’s extremely illustrative because every single one of these possibilities is not just some unlikely hypothetical. Rather, these are all very real examples that have strong motivations and would be easy to execute.

David Robb, the University Registrar, claims that no information is stored, but I have pages upon pages of my own swipe access data. Robb not only made false claims about the existence of the database, but also he neglected to fully enumerate all of the identifying information found on a student ID card. An acquaintance of mine was able to hook a standard card reader into a computer in order to read the data held on the magnetic strip. The magnetic data is stored in a standardized format, and he was able to write a small program to output this data. Every ID card actually contains the student’s Social Security number in a format that can be easily decoded by any magnetic card reader. This sequence of bits residing in the magnetic strip of our cards is perhaps the scariest part of the swipe card system. The Social Security number is sent—unencrypted—to the central database as a means of unique identification. Therefore, anyone with some basic engineering skills could rather easily set up an intercept on campus card readers. By linking stored Social Security numbers with visual identification or other cues, someone could easily amass a large set of students’ Social Security numbers. A quick Facebook search for many students reveals such information as their birthday and address. Thus, a moderately skilled and determined person could successfully defraud countless students, steal their identities, make purchases in their names, ruin their credit ratings, and even change their class registrations.

There is no excuse for having such a sensitive piece of data as our Social Security numbers residing on our ID cards. Identity theft is a growing problem, and its effects can be severely detrimental and lasting. The key piece of information needed to steal someone’s identity is his or her Social Security number, and the university’s swipe card system is practically begging identity thieves to defraud our campus. The university could just as easily use our university ID as a unique identifier on the magnetic strip in order to protect students. Even if someone doesn’t have the expertise to set up an intercept on the card reader, students frequently misplace or lose ID cards, and whoever finds a lost ID card has access to that student’s Social Security number.

This database is also certainly not being used in the interest of serving students. I misplaced my ID card early last semester, and I had to deactivate it before I had time to conduct a thorough search for it because I was worried someone would spend the money linked to my card. However, it would only take slight modifications to the system to allow a card to be flagged as lost and inform a cashier to retain the card for return to the proper owner if anyone attempts to use it fraudulently. Unfortunately, no such system is in place even though it would not require storing swipe transaction data. The university charges $20 to replace these small plastic cards, and I also inquired about the cost of doing this in my request. Apparently, the university has no records indicating what it costs to produce each additional card. The university needs to justify charging the exorbitant rate of $20 because without documentation of the cost of production, this simply appears to be price-gouging those unfortunate students who happen to lose their cards. Since we have no choice about using our ID Cards, the university has a moral responsibility to provide them to students at cost. I also asked about the initial investment made on the card production system, and the university also has no records indicating what they paid for it.

Ostensibly, the ID card system is an important security mechanism. However, because the ID card presents such a vast array of privacy concerns, with the Social Security number embedded in the magnetic strip and a central database tracking and storing detailed information about every swipe, the system is potentially serving to undermine student security concerns. The potential benefits of storing swipe data seem to outweigh the many negative possibilities of abuse of the system. Moreover, the access levels granted to cards in the system are known to contain some errors. For example, an alumnus who requested to not be named informed me that his card still grants him 24 hour access to a building on campus that houses thousands of dollars worth of expensive equipment.

The swipe card system has many severe flaws that raise a great deal of privacy concerns for the student body, and the university was not very forthcoming with this pertinent information. As any student who has been awakened in the morning by a telemarketer on a dorm phone knows, the university does not do enough to protect student privacy. However, the end result of abuse of this information doesn’t just mean that your slumber might be disturbed: Your identity could be stolen, you could be targeted by thieves or stalkers, and some third party like an insurance company might obtain your swipe data and use it against you in any number of ways. Certainly, our campus needs to be aware of these issues, and the administration needs to consider reform before one of these scary possibilities becomes a harsh reality.