Sunday, August 10, 2008

Security Issues in Cambridge

Harvard is getting new ID cards next year, thanks to an ambitious student who apparently figured out how to forge IDs (including a duplicate ID for University President Drew Faust). Because, really, how could using unencrypted ID numbers on the card, and giving access to undergraduate computer user assistants access to all ID numbers, ever lead to a problem? (The student also apparently made fake state driver licenses as well. Who says Harvard students don't learn useful real-world talents?)

Of course, Harvard isn't the only institution in Cambridge where students can obtain skills in the security area. Some MIT students, working under the famous Ron Rivest (the R of RSA!), figured out several flaws with the new ticket system for the Boston subway system, including ways to rewrite tickets so that they have lots of money available on them. So, naturally, the subway system sued to keep them from talking about the flaws at a security conference.

In both cases, the systems seem easily breakable (well, at the least the Harvard IDs were easy, not sure about the subway) with a card writer that can be obtained for a couple hundred bucks.

Of course, I'm not surprised, based on previous experience.

I wonder when organizations that want secure cards will realize that perhaps they ought to ask the students to try to break the system before they deploy it, rather than wait for them to break it after.

1 comment:

Shaneal Manek said...

I'm not sure if you've seen the actual exploit yet. The Tech published it online.

The security on the mag stripe cards is just embarrassing. One field just holds the cards value. Simply changing that one field increases the value.

The rfid cards were considerably better. They basically use a mutual challenge-response auth scheme with weak encryption. The students were able to sniff a whole bunch of handshakes and then used customized hardware (on an FPGA) to brute force the key.

And of course, there was the warcart. Take a look at the video of when they bring it to harvard square; it was quite entertaining. I don't know why they had to make it so loud and obnoxious though ...