Hacking Oklahoma State University’s Student ID Cards

[Sam] took an information security class at Oklahoma State University back in 2013. For his final project, he and a team of other students had to find a security vulnerability and then devise a theoretical plan to exploit it. [Sam’s] team decided to focus on the school’s ID cards. OSU’s ID cards are very similar to credit cards: they are the same size and shape, they have data encoded on a magnetic strip, and they carry a 16-digit identification number. These cards were used for several different purposes, including photo ID, physical access to some areas on campus, charges to an online account, and more.

[Sam] and his team analyzed over 100 different cards in order to get a good sample. They found that all cards started with the same eight digits. This is similar to the issuer identification number found in the first six digits of a credit card number. The analysis also showed that only three combinations were used for the next two digits: 05, 06, or 11. With that in mind, the total possible number of card numbers was calculated to be three million.

OSU also had a URL printed on the back of each card. This website had a simple form with a single field. The user could enter a 16-digit card number and the system would tell them whether that card was valid. The page would also tell you if the card holder was an employee, a student, or if there were any other special flags on the card. We’re not sure why every student would need access to this website, but the fact is that the URL was printed right on the back of the card. The website also had no limit on how many queries could be made. The only hint that the university was aware of possible security implications was the disclaimer on the site, which mentioned that usage of the tool was “logged and tracked”.

The next step was to purchase a magnetic card reader and writer. The team decoded all of the cards and analyzed the data. They found that each card held an expiration date, but the expiration date was identical for every single card. The team used the reader/writer to copy the data from [Sam’s] card and modify the name. They then wrote the data back onto a new, blank magnetic card. This card had no printing or markings on it. [Sam] took the card and was able to use it to purchase items from a store on campus. He noticed that the register reached back to a server somewhere to verify his real name; it didn’t do any checks against the name written onto the magstripe. Even so, the cashier accepted a card with no official markings.

The final step was to write a node.js script to scrape the number verification website. With just 15 lines of code, the script runs through all possible combinations of numbers in a random sequence and logs the result. The website could handle between three and five requests per second, which means that brute forcing all possible combinations could be completed in roughly two days. These harvested numbers could then be written onto blank cards and potentially used to purchase goods on another student’s account.

[Sam’s] team offers several recommendations to improve the security of this system. One idea is to include a second form of authorization, such as a PIN. The PIN wouldn’t be stored on the card, and therefore can’t be copied in this manner. The primary recommendation was to take down the verification website. So far OSU has responded by taking the website offline, but no other changes have been made.
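The site’s disclaimer said lookups were “logged and tracked”, yet nothing acted on those logs. As an added example (not part of [Sam’s] project or the original post), here is the kind of check that would have turned the logging into detection: it replays a constructed log of the lookup page and flags any source that, inside a sliding window, queries too many distinct card numbers or collects too many “invalid” answers, which is exactly what enumerating the three million candidates looks like. The log format, the source addresses and the card numbers (same eight-digit prefix, then 05/06/11, then six digits, as the page describes) are all constructed placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) lookup card=(?P<card>\d{16}) result=(?P<res>valid|invalid)$"
)

# Constructed sample log of the card-number lookup page (not real OSU data). One student
# checks their own card once; a second source walks candidate numbers that follow the
# observed structure (shared prefix, 05/06/11 branch, six free digits) and gets mostly
# "invalid" back, which is the enumeration signature a defender should alert on.
SAMPLE_LOG = """\
2013-04-02T10:00:00 10.20.30.40 lookup card=9999999905000001 result=valid
2013-04-02T10:00:01 10.20.30.41 lookup card=9999999905138201 result=invalid
2013-04-02T10:00:01 10.20.30.41 lookup card=9999999911472990 result=invalid
2013-04-02T10:00:02 10.20.30.41 lookup card=9999999906005518 result=invalid
2013-04-02T10:00:02 10.20.30.41 lookup card=9999999905777123 result=valid
2013-04-02T10:00:03 10.20.30.41 lookup card=9999999911000042 result=invalid
2013-04-02T10:00:03 10.20.30.41 lookup card=9999999906313131 result=invalid
"""

def parse(log):
    """Yield (timestamp, source, card, result) for every well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["card"], m["res"])

def find_enumeration(log, window_s=60, max_invalid=3, max_distinct=5):
    """Return {source: (distinct_cards, invalid_lookups)} for every source whose
    lookups inside some sliding window of window_s seconds reach either threshold.
    The recorded pair is the worst window seen for that source."""
    recent = defaultdict(deque)  # source -> lookups still inside the current window
    flagged = {}
    for ts, src, card, res in sorted(parse(log)):
        q = recent[src]
        q.append((ts, card, res))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop lookups that have aged out of the window
        distinct = len({c for _, c, _ in q})
        invalid = sum(1 for _, _, r in q if r == "invalid")
        if invalid >= max_invalid or distinct >= max_distinct:
            worst = flagged.get(src, (0, 0))
            flagged[src] = (max(worst[0], distinct), max(worst[1], invalid))
    return flagged
```

A legitimate student looks up one card and gets “valid”; the thresholds here are deliberately low for the seven-line sample and would be tuned against real traffic, with the same per-source counters also driving a rate limit or lockout rather than only an alert.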

Ask Hackaday: Help NASA With Their High Altitude Problem

[Image: Hackaday logo on a box at high altitude]

Unless you’ve been living under a high voltage transformer, you’ve probably heard that NASA has grounded the Space Shuttle fleet. This makes getting stuff to and from the International Space Station slightly more difficult. With the growing need to get small experiments back to the surface quickly and safely, NASA is researching an idea they call Small Payload Quick Return, or SPQR (pdf warning). Basically, they toss the experiment out of the window, use drag to slow it down, and then use a High Altitude High Opening (HAHO) self-guiding parafoil to steer the thing down to a predefined location on the surface.

Now, what we’re interested in is the self-guided parafoil part, as it takes place in known hacker territory – around 100,000 feet. This is the altitude where most high altitude balloon experiments take place. NASA is throwing a bunch of money and brainpower at researching this part of the system, but they’re having problems. Lots of problems.

Stick around after the break and see if you can help, and maybe pick up some ideas on how to steer your next High Altitude Balloon project back to the launch pad.


Get your uni, school or college involved in The Hackaday Prize

The Hackaday Prize

We’ve been busy contacting design tech and electrical engineering education departments to tell them about The Hackaday Prize, but there are only so many of us and we could do with your help to get the word out.

Are you excited about The Hackaday Prize? Do you think more people at your school should know about it so they can take part? Either way, please help us help them by emailing prize@hackaday.com to let us know which program coordinators, student groups, or other people we should contact. If appropriate, we have a bunch of promotional materials we would like to send out to some of these awesome hackers.

You can also help us by telling your hacker designer friends, posting about The Hackaday Prize on college social media (#TheHackadayPrize), or letting the student newspaper know. We want to get as many universities, colleges and high schools involved as possible. Many senior year project ideas would make great starting points for THP entries, and we want to make sure students take up this opportunity to show off what they can do (and hopefully win some stuff in the process). This makes a great summer project, and looks great when applying for colleges or jobs in the future.

Remember you have until August to get your entry in, but the sooner you post it on Hackaday Projects, the sooner you can potentially start winning rewards. We have hundreds of t-shirts, stickers, patches, posters and other swag up for grabs on the way to winning The Hackaday Prize.


Cornell final project list

Looking for an interesting project to do using an Atmel Mega644? Students at Cornell University have got you covered. They were required to choose, design, and build a project using the microcontroller, and this year is quite promising with video object tracking, the always popular theremins, helicopters, potentiostats, even Pavlovian conditioned mosquitoes, and more.

Of course all the previous years are included as well, making over 350 projects total.

[Thanks Bruce Land]