Your identity, your meal plan account, the entire history of every one of your movements on the campus: all items readily available through your new university ID card to any hacker with about $20 and basic computer know-how.
Though the university has recently switched over to a new campus ID card system to reduce the risk of identity theft, a team made up of a computer science professor and students has discovered there are still significant flaws in the system that would allow hackers to steal vital parts of a student’s campus identity, and the team plans on presenting them to university administration by this summer.
The new cards protect students from having their Social Security numbers accessible to hackers by replacing the number with the university ID number on the card’s black magnetic stripe. However, the cards don’t protect students from hackers stealing their university ID numbers and accessing all the information available through them.
Graduate student Daniel Ramsbrock has spent the past few years studying the university’s swipe card system in his spare time and looking for weak points – all with the permission of the Department of Public Safety, he said.
“The university IDs are public identifiers,” Ramsbrock said. “Students write it on their tests, professors post them with grades. They’re very easy to get a hold of.”
One way a person could steal someone’s UID would be just to read it off a person’s card, the top of a student Testudo schedule, or off a list of UIDs any professor or teaching assistant has access to and may have lying around.
The other way to steal UIDs would be for someone to install a chip into card readers around the campus that retains up to 16 university ID numbers from the last 16 people that swipe. The hacker can come back later to retrieve the data through an infrared eye device that costs about $20 to make. Though risky, the cover of night would protect the hacker, electrical engineering major Steve Moskovchenko said.
With UID information, a hacker could easily make his own card based on the identity of the person whose UID he stole. He would have the same access to the campus buildings, meal plans, Terrapin Express, the Campus Recreation Center and libraries.
The easy access to UIDs could also lead to dire situations, such as a student swiping into a chemistry lab one afternoon, and his identity being stolen later. With a replicated card, a thief could enter the lab and steal important information or expensive equipment. Upon investigation, police would find that the student was the last person to enter the building and could charge him with the crime.
To make a new card with a person’s UID, one can buy a device on the Internet for about $200 and through logic figure out the numerical formula that makes the swipe cards work, Ramsbrock said.
Moskovchenko said he fashioned a similar device with just $20 worth of Radio Shack parts. He showed The Diamondback he could input the code he had figured out and his UID number to unlock a blinking red card reader.
“It’s not hard stuff,” Moskovchenko said. “Any student with basic electrical engineering knowledge can figure it out.”
Computer science assistant professor John Katz, who teaches a university course in network security and has offered Ramsbrock guidance, said the main concern was not that ID cards could be replicated, but that the UID was so readily accessible.
“Using the UID numbers on a card is not a good idea,” he said. “The UID is very easy to find. It would be a lot safer to use some sort of private, random number for each student so it would not be as easy to forge a card.”
The university has addressed such safety issues in the past and ID cards have evolved since their inception, when they used to feature a person’s Social Security number on the front.
When university President Dan Mote refused to have his SSN printed on a card when he came to the university in 1998, officials decided to print the UID number instead, but kept the SSN in the information on the card’s black magnetic stripe. This week, the university began issuing cards that no longer have the SSN on the stripe but still contain the UID number, which is still unsafe according to the group of students.
University Registrar David Robb said the recent change protects students and faculty from having their SSN stolen – but does not necessarily protect their important campus information.
“The change reduces the danger of identity theft seriously. What we’ve done is removed identifiers that make it possible for someone to get into something like, say, a bank account. If someone gets into someone’s Terp Express, it’s far less dangerous than getting into someone’s bank account,” he said.
“It’s a theoretical possibility,” he added, of campus identity theft.
Sophomore computer science major Chris Conroy, who is working with Moskovchenko and Ramsbrock, said the group looked into the issue because they were interested in helping improve security at the university, and have made sure their actions have been visible to university officials at all times.
Earlier in the semester, the trio made a presentation to Department of Public Safety coordinator Mark McGuigan, whom they consulted throughout their research. Ramsbrock and the group showed McGuigan how they could gain access to the system using the hardware and software they created.
McGuigan did not return calls and messages yesterday.
The three students have made several recommendations in a paper Ramsbrock is writing as a part of his graduate courses. They are going to present the paper to the Department of Public Safety and other officials involved in the fabrication of ID cards.
Among the recommendations was to replace UID access numbers with private, randomly generated numbers that could not be accessed by the general public.
Another was to assess what areas on the campus had higher security concerns – such as limited-access labs and libraries – and install locks with additional layers of security, such as the ability to read secret codes, called challenge-response chips, to prevent entrance by hackers. Ramsbrock said the Department of Public Safety uses a proximity card that is much harder to replicate, but does not have challenge-response chips.
A proximity card is the type of card that is pushed against a reader on a door.
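An added illustration of the two recommendations above, a private random card number in place of the UID and a challenge-response check at the reader. It is not code from the students' paper or the university's system. The class names, the HMAC-SHA256 construction, the key sizes and the placeholder UID are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class Card:
    """Constructed model of a card: a random ID plus a secret key that never leaves the chip."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # The card proves knowledge of the key without revealing it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AccessSystem:
    """Hypothetical back end: maps random card IDs to UIDs and checks responses."""

    def __init__(self):
        self._cards = {}     # card_id -> (key, uid)
        self._pending = {}   # card_id -> outstanding one-time challenge

    def enroll(self, uid: str) -> Card:
        # Card ID and key are random, so neither can be derived from the public UID.
        card_id, key = secrets.token_hex(16), secrets.token_bytes(32)
        self._cards[card_id] = (key, uid)
        return Card(card_id, key)

    def challenge(self, card_id: str):
        if card_id not in self._cards:
            return None      # unknown ID (for example, a UID presented as a card number)
        self._pending[card_id] = secrets.token_bytes(16)
        return self._pending[card_id]

    def verify(self, card_id: str, response: bytes):
        nonce = self._pending.pop(card_id, None)   # each challenge is usable once
        if nonce is None:
            return None
        key, uid = self._cards[card_id]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return uid if hmac.compare_digest(expected, response) else None


def demo():
    system = AccessSystem()
    card = system.enroll("uid-0000000")            # constructed placeholder UID
    first = card.respond(system.challenge(card.card_id))
    ok = system.verify(card.card_id, first)        # genuine card: accepted
    system.challenge(card.card_id)                 # next swipe gets a fresh challenge
    replay = system.verify(card.card_id, first)    # recorded response: rejected
    return ok, replay, system.challenge("uid-0000000")
```

Because the reader issues a fresh random challenge on every swipe, a response recorded from an earlier swipe does not verify, and the public UID is not accepted as a card identifier at all.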
“The current card readers are okay for most situations because they’re cheap,” Ramsbrock said. “It wouldn’t be worth looking into putting [proximity cards] into residence halls because it’s so easy to tailgate into one of them anyway. But if someone is going to stroll into a graduate lab behind someone, [they] clearly don’t belong there. So, a [proximity] card with a challenge-response would be more effective in those places.”
Robb said he is interested in hearing the suggestions the group may have for the university and said he is always looking for new ways to make the university safer. The new ID cards are just another step in that direction, he said.
In the meantime, however, Moskovchenko has heard some may already be taking advantage of the vulnerabilities.
“I heard there’s some sort of hacker gang over in Denton doing it,” he said.
Above all, Ramsbrock said he understands the university has security limitations.
“We realize this is a university, not Fort Knox,” he said. “Students shouldn’t have to go through a retina scan … to get into their dorm. The environment of a university by definition is somewhat unsecure. But we have certain assets that need to be protected.”
Contact reporter Sam Hedenberg at hedenbergdbk@gmail.com.