Blackboard Campus IDs: Security Thru Cease & Desist

On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S below). I spoke with Virgil this morning.

Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."

The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.

For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).

At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.

A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)

The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."

Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.

Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.

So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?

If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?

This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").

So, assuming that's not possible -- is the DMCA a viable tool to ensure security?

P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.

P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:

"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."

obviously not

[ih8apple]

To answer the question "is the DMCA a viable tool to ensure security?"

Here's an article from the BBC.

and here's a good presentation from toorcon.

and lastly, this is a good article from ITWorld.

Re:Another way to go about this?

This is a snippet from Acidus' old website. It relates the timeline of events. I hope you enjoy.

Sorry for posting AC but since this does come from Acidus' website ....

Spring 2001 - I got interested in the Buzzcard network on Campus. Based on the AT&T logo, I went to the Internet and soon found out about the system. Lots of Web research done, and fieldwork on the connection between the device and the reader. Locked Cabinet with Multiplexes was opened and photo was taken of insides. Determined which wires to cross to make doors open, laundry machines get credited, etc.

Summer 2001 - Continued exploring the system, called the company (now Blackboard), and interviewed Jim Resing.

Fall 2001 - With Publishing of my Fortres article, increased last minute field research, and finalized my notes. Called Blackboard again to tell them all the flaws I found, was blown off.

Spring 2002 - Wrote Article, and was published in Spring 2002 issue of 2600.

6/2002 - Blackboard learned of my article. The Blackboard Usergroup tried to track me down; finally figuring out I went to Tech, saw my web page and was very upset. Concerns about how accurate my article was are posted by schools around the country to the list-serve. GT tells the list-serve that they are looking into it and they would reply again soon.

GT Police asks to speak to me to determine if crime was committed. GT Police never file charges and indeed I am told there is no long an investigation. Buzzcard Office conducts internal audit of their systems. I go to Buzzcard office unsolicited to try and assist them in securing their system. They were not happy to see me. Office of Information Technology (OIT) on campus starts a test of the Buzzcard system to see if any of the attacks described in article are valid.

Buzzcard office asks that I remove picture of inside of the locked cabinet from my web page (since its hosted on GT machines), which I did. Buzzcard center asks me to remove AT&T cached pages, which I refuse to do. (Its not theirs, if AT&T wants it down, they can ask me).

Buzzcard office reluctant to talk with my about my article, since they don't want to confirm or deny how accurate I was. They do confirm the VTS could be hacked and money can be added to any accounts as I describe. However parts of my article (namely how to clone a card through the VTS), are, they claim incorrect. They ask if I would write a letter for the list-serve that explains what parts were incorrect. I agree as long as my letter will be unedited, and I get to also stress what parts are accurate to let colleges learn what they need to secure. Buzzcard office agrees but continues to cancel my meetings with them and not return phone calls. I am contacted by several colleges that are on the list-serve. They tell me that Tech has all along been posting that they have interviewed me, that my article is totally false. Tech uses such loaded statements as "As any experienced administrator should know, these security holes are not possible." These colleges are concerned Tech is not being truthful, and want to talk to me. I see that the Buzzcard center was stringing me along, and cease my attempts to contact them, or help them fix their pathetic security.

OIT concludes their investigation, and confirm that everything in my article is correct, except about how to clone a card. Tech does not post these results to the list-serv.

Dean of Students is involved, and is checking to see if, while no laws were broken, if I broke institute policy.

Re:What about this analogy

[Frobnicator]

or should the person go tell the bank so it can fix it?

They DID try to tell the company, and were "blown off".

But what if the bank ignores you? Should someone be allowed to convey information about a problem with a system if the system controllers refuse to fix it? I'd still think not - it'd be one thing to state that there is a vulnerability, and that in good conscience could not state what the vulnerability is, and quite another thing to go explaining the vulnerability to everyone else.

This is something compuer security has had to deal with for quite some time. The normal ethical guidelines are to first contact the vendor and attempt to work with them to find a solution, and release the information once the vulnerability is corrected. If they either ignore it or fail to correct the problem in a reasonable time frame, the consensus is to take the problem to the security experts and users of the security system generally. This is based on the theory that criminals may already have such knowledge, and therefore the users need to know in order to protect themselves.

Hope that helps with your question.

I have a OneCard

[Feztaa]

I'm a student at the University of Alberta, and I have one of these OneCards.

There are various machines around that let you deposit money onto your OneCard, but there is no "university-approved network" of stores that accept the OneCard as payment.

The OneCard is primarily used for borrowing books from the library, and for operating the photocopiers/printers on campus, and there is exactly one vending machine on campus that allows you to pay with your OneCard.

As for people living in residence who have meal plans (like me), there's a separate card for that, provided by Aramark. To get into our dorms, we have keys. Laundry is coin-operated. The OneCard has absolutely nothing to do with the on-campus residences.

For most finals and midterms, we're required to show our onecards and/or driver's licenses as photo ID, but the OneCards aren't swiped through a card reader or anything, it's just photo ID, nothing more.

There are restricted areas on campus that you can access by swiping your OneCard and punching in a secret code, but as a first year undergrad, I don't have access to any of those places so I can't say what it's like (though for most of the places that aren't top-secret nuclear research facilities, it's almost trivially easy to get in by walking in when somebody else walks out -- we're friendly here in Canada, generally we hold the door open for people we don't know).

So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?

Gee, I dunno. This is Canada, there is no DMCA here (as far as I know, anyway). Hopefully some Canadian security researcher will hear about this, and continue the research here...

Trade secrets and the Economic Espionage Act

[Animats]

The Economic Espionage Act of 1996 is worth reading. It's overly broad, and its definition of trade secrets is broader than that of the Uniform Trade Secrets Act.

Trade secrets used to be frowned upon by the law. Patents were legally preferable, so that when the patent expired, the knowledge went into the public domain. A trade secret could be lost easily; any publication by anybody erased trade secret status. All trade secret law really did was to put some teeth into confidentiality requirements for employees. It didn't affect outsiders.

All that has changed in the last decade. Between the Economic Espionage Act, the DMCA, and several court rulings, trade secrets now look more like property rights.

Re:I know a little about this...

[JahToasted]

The sentence "swiping really fast after the transaction" is a violation of the DMCA. Seriously.

Re:Duh...

[ngrier]

Actually, IIRC, the article doesn't quite state the facts clearly. The supreme court was split in that it supported one case and returned the other to the lower court. It ruled that the two men who got drunk and burned a cross on their [black] neighbor's lawn did so for the purposes of intimidation and that this was not a protected form a speech. (see for example their recent ruling on the illegality of the anti-abortion websites posting "wanted" ads of abortion doctors.).

They did, however, uphold the right of the KKK to burn the large 30' cross as a form of protected speech (i.e. political, without an immediate threat of harm or intimidation). It was for this reason that Thomas dissented - his comments indicated that the history of cross-burning is such that there is never a time when cross-burning is not meant to intimidate.

So to return to the question at hand, the Supreme Court has clearly, multiple times, made a distinction between types of speech and that some are protected and others aren't. Regardless of the first amendment, you can't make threats on the life of the president (no matter how much of a ditz he is). Similarly, you can't give away state secrets. No matter how inane or ludicrous the DMCA is, there is a long precedent for restricting certain types of speech. (So the question of its constitutionality is not one that is easily answered.)

Re:I say publish all the details overseas

[hondo_san]

The story of Serge is here