Blackboard Campus IDs: Security Thru Cease & Desist
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
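Why a sniffed message can be repeated, and what stops it, shown as an added example that is not from this article, the mirrored FAQ or Blackboard: a server that accepts any well-formed frame, beside one that requires a single-use nonce and an HMAC. The frame format, key and class names are constructed for illustration and do not reflect the CampusWide protocol.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"              # shared reader/server secret (constructed)
REQUEST = b"OPEN;door=12;card=0000000000"  # constructed frame, not a real format


class StaticServer:
    """Trusts any well-formed frame, so a captured frame works forever."""

    def handle(self, frame: bytes) -> bool:
        return frame.startswith(b"OPEN;")


class ChallengeServer:
    """Binds each request to a single-use nonce with an HMAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fixed length, so nonce+frame is unambiguous
        self.pending.add(nonce)
        return nonce

    def handle(self, nonce: bytes, frame: bytes, tag: bytes) -> bool:
        if nonce not in self.pending:
            return False                 # unknown or already-spent nonce
        self.pending.discard(nonce)      # a nonce is good for one attempt only
        expected = hmac.new(self.key, nonce + frame, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def reader_tag(key: bytes, nonce: bytes, frame: bytes) -> bytes:
    """What a legitimate reader holding the key sends back for a challenge."""
    return hmac.new(key, nonce + frame, hashlib.sha256).digest()


def demo():
    static = StaticServer()
    results = {"static_first": static.handle(REQUEST),
               "static_replay": static.handle(REQUEST)}  # same bytes, sent again
    server = ChallengeServer(KEY)
    n1 = server.challenge()
    tag = reader_tag(KEY, n1, REQUEST)
    results["fresh"] = server.handle(n1, REQUEST, tag)
    results["replay_spent_nonce"] = server.handle(n1, REQUEST, tag)
    results["replay_new_nonce"] = server.handle(server.challenge(), REQUEST, tag)
    return results
```

The static server accepts the repeated frame; the challenge server accepts only the first, fresh response and rejects both replays.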
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
1.3- About this FAQ
This FAQ was originally written as a supplement to my 2600 article "CampusWide Wide
Open." This article was published in the Spring 2002 issue. Back issues are
available from www.2600.com, or download the article from:
www.yak.net/acidus
The Article caused a lot of stir, which I'll discuss later. This stir allowed me
to talk with some of the CampusWide admins at my school and they told me of
some things that were incorrect in my article. In addition, there were
several things left out of my article, little bits of tech info. Some theories I
have, new info, etc. Hence the need for the FAQ to make sure this stuff stays
up to date. But instead of merely having it as a supplement, I figured having all
the information in 1 place would be much more helpful.
1.4- What will I get from this FAQ?
Updated info. I researched the article in the summer of 2001, and finally wrote
it in the spring of 2002. It was as accurate as I could make it. However even
then there was info I had to leave out for length reasons, and others mentioned
in the last section. This FAQ will make sure the info about the system stays
current. You will not find in the article or this FAQ how to cheat/steal. I will
not tell you any info that could be directly applied to steal from the
system.
2.0 ABOUT THE SYSTEM
2.1- So what is CampusWide?
CampusWide is the most widely used card access system in America today. It
sadly is the least secure. CampusWide is an ID card solution originally created by
AT&T, and now owned by Blackboard. It is an ID card that can be used to purchase
things from vending
debit card. It's used to check out books from libraries, open computer labs and
buildings at night, gain access to parking decks, and even get you into sporting
events. The CampusWide system gives everyone a card that lets them access both
unattended and attended card readers and Points of Sale. All these actions and
transactions are sent to a central server which stores all the information in a
database. A confirm or deny signal is sent back to the card reader, and the
transaction goes through or is denied. It is fast becoming the way of life on
college campuses around the world. You need it to eat, to get into your dorm, to
get into college events, everything.
2.2- CampusWide? I thought it was called X
The CampusWide system has been called lots and lots of names. AT&T first
developed it and called it the AT&T CampusWide Optim9000 System. It was
generally called CampusWide. When Blackboard bought AT&T's system, in 2000, they
also bought another system called Envision from a company named Icollege.
Blackboard then had 2 products, the Blackboard Optim9000 system, and The
Blackboard Envision System. Blackboard is only selling one system, called
Blackboard: Transaction System. However this new system comes in 2 versions, the
Windows Version and the Unix Version. Since AT&T marketed this thing as
CampusWide for short, and did it for a number of years, and since Blackboard has
been doing it for so few, I call the collective whole system CampusWide. When I
refer specifically to the Unix version, I will say Optim9000, and when I refer to
the Windows version, I will say Envision.
2.3- Wait. there are 2 systems?
You need to understand that the front end of CampusWide, the card readers and
data lines for both Envision and Optim9000 are the exact same. The differences
between Envision and Optim9000 are their operating systems and their databases.
The card readers can't tell the difference. The faults in my article apply to
both systems (though the technical data is for the Optim9000 system). These
faults are for both systems since they both use RS-485 lines.
2.4- What does it look like?
2.4.1- Readers
The CampusWide system is easy to spot. The readers are black metal or plas
If we don't fight for ourselves no one will.
Doesn't make the law right though, does it Trollboy?
I hereby inform you that I have NOT been required to provide any decryption keys.