Current version:
The most current version of this FAQ will always be available here.
Summary:
The system in question is the Blackboard Transaction System (henceforth BTS), known variously as CampusWide, BuzzCard, and OneCard. This system is installed in various capacities on a large number of college campuses around the country. Recently two university students, Billy Hoffman and Virgil Griffith, have researched flaws in this system and published their results. Blackboard, Inc. filed a civil complaint and obtained a temporary restraining order to prevent Hoffman and Griffith from further discussing their results.
Purpose:
The purpose of this FAQ is to supplement Blackboard's public relations spin with information on the nature and severity of the BTS' security flaws. This information should be of interest to anyone who deals with the BTS, whether as a student or as a university administrator.
Trademarks:
Blackboard and Blackboard Transaction Systems are trademarks of Blackboard, Inc. The author of this FAQ, John R. Hall, is not affiliated with Blackboard in any way. BuzzCard is a trademark of the Georgia Institute of Technology. Any other trademarks mentioned in this FAQ are the property of their respective owners.
Disclaimer:
All of the information in this FAQ is true to the best of my knowledge. The author does not speak for Georgia Tech. I have never personally compromised BTS security, and I do not encourage others to do so. Neither Billy Hoffman nor Virgil Griffith were involved in the production of this FAQ.
Contact:
You can reach the author of this FAQ at overcode at overcode dot net. I would also be happy to discuss these issues over the phone; email me for my number.
Credit:
All of the credit for this security research goes to Billy Hoffman and Virgil Griffith. I am only posting this FAQ because they are forbidden to speak about Blackboard's security issues due to a restraining order.
BTS is a complete, drop-in campus access card solution. For more information on BTS' capabilities, please see Blackboard's product site.
Georgia Tech, for instance, uses BTS for laundry room payment, snack machines, building access, and library checkout. Students can deposit money on their access cards through a web site or by visiting the campus BuzzCard office.
I have been unable to obtain a complete list of BTS installations, but known customers are Georgia Tech, Tulane University, San Francisco State University, University of Southern California, University of Waterloo, Duke University, University of North Carolina, University of Maine, Virginia Tech, and Harvard University. According to a Blackboard representative, at least 275 academic institutions use the BTS.
BTS units generally carry AT&T, Harco, or Blackboard logos (the product line has changed hands several times). As a matter of trivia, I found out that a reader suitable for a snack machine costs about $800.
Access cards contain ID numbers, and nothing else. All account information is maintained on a SQL database backend. I don't know how much the backend configuration varies between installations, but that's how it works at Georgia Tech.
Many BTS cards have barcodes on the front. According to my CueCat scanner, this is just the card ID number, which is probably identical to the number stored on the mag stripe. Perhaps someone with a mag stripe reader can verify this.
In particular, cards do not contain account balances. It is not possible to increase your balance just by rewriting the mag stripe. (This was possible at some point in the past.)
BTS relies mainly on physical security; that is, it makes very little effort to protect its data electronically. Transactions between card terminals and the backend server are not encrypted, and are vulnerable to replay attacks. If a potential attacker can gain access to the system's data lines, the system is incredibly simple to manipulate. The physical security of the data lines is critical.
Trouble is, this physical security is often incredibly weak.
Maybe so, but most people still insist on locking their doors at night. If security were not an issue, why use a card system at all? Why not just place honor system donation buckets next to snack machines and leave them unlocked?
The problem is not that BTS can be cracked (almost any security system can be), but rather that it can be cracked with comparatively little effort and almost no chance of detection.
This seems to be Blackboard PR's favorite analogy.
ATMs are rather difficult to break into. Breaking into an ATM requires heavy tools and a fair amount of time. Furthermore, most ATMs are located in conspicuous areas, such that it would be difficult to break into one without being noticed.
BTS devices, on the other hand, are usually secured with flat-head screws. Metal conduits protecting the data lines are often incomplete and easy to circumvent. Sometimes the wires are simply exposed or plugged into wall terminals with convenient jacks. If physical security is so important to the system's integrity (which, as a computer scientist, I will argue is a bad idea), then why is there none?
Secondly, ATMs protect their sensitive data with encryption. Account numbers, balances, and so forth are encrypted before they are sent to the bank, so that even if someone were to compromise the connection between an ATM and a bank, it would be very difficult to extract or forge transaction data. BTS does not use encryption; any computer engineering student could easily pretend to be a BTS terminal and deposit funds, gain access to buildings, or get free laundry usage. The only equipment required is a laptop and an RS-485 interface.
For legal reasons, I will not provide instructions on how to do this, but there is plenty of information on the Internet.
BTS accounts contain money and authorize building access, lab equipment access, library usage, meals at campus dining halls, and so forth. These are valuable.
RS-485 is a standard for serial data communication. It specifies a method for multiple devices (card readers, for instance) to share a set of wiring. RS-485 is excellent for this sort of environment, because it is highly resistant to electrical noise.
I certainly don't criticize Blackboard's use of RS-485; it is well suited to its task. However, it is not secure. RS-485 equipment is readily available, and it is easy to sniff traffic from RS-485 data lines. Some sort of cryptographic handshaking or data encryption is necessary for the system to be secure, but according to Hoffman, there is none.
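The kind of cryptographic protection the paragraphs above say is missing, shown as an added example that is not part of the original FAQ and not Blackboard's protocol: each terminal holds its own key, every frame carries an HMAC tag, and a strictly increasing sequence number lets the backend reject both forged frames and replayed captures of a legitimate one. The key, frame layout, field names and sample values are constructed assumptions.

```python
# Added example, not Blackboard's protocol: authenticated, replay-resistant
# debit frames for terminals sharing an unencrypted serial bus.
import hmac, hashlib, struct

KEY = b"per-terminal-secret-provisioned-at-install"  # constructed; one key per terminal

def build_msg(terminal_id: int, card_id: int, cents: int, seq: int, key: bytes = KEY) -> bytes:
    """Frame a debit request: 22-byte body + 16-byte truncated HMAC-SHA256 tag."""
    body = struct.pack(">HQIQ", terminal_id, card_id, cents, seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag

class Backend:
    """Accepts a debit only if the tag verifies and seq is strictly increasing."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = {}  # terminal_id -> highest sequence number accepted so far
        self.ledger = {}    # card_id -> balance in cents (all accounts live here, not on the card)

    def process(self, msg: bytes) -> str:
        if len(msg) != 22 + 16:
            return "reject:malformed"
        body, tag = msg[:22], msg[22:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return "reject:bad-mac"   # forged or tampered frame: wrong key or altered body
        terminal_id, card_id, cents, seq = struct.unpack(">HQIQ", body)
        if seq <= self.last_seq.get(terminal_id, 0):
            return "reject:replay"    # a captured frame sent again, or reordered
        self.last_seq[terminal_id] = seq
        self.ledger[card_id] = self.ledger.get(card_id, 0) - cents
        return "ok"

def demo() -> list:
    """Send one legitimate frame, replay it, tamper with it, then send the next one."""
    backend = Backend()
    frame = build_msg(7, 903012345, 125, 1)           # constructed terminal, card, amount
    tampered = bytearray(frame); tampered[12] ^= 0x01  # flip a bit inside the amount field
    return [backend.process(frame), backend.process(frame),
            backend.process(bytes(tampered)), backend.process(build_msg(7, 903012345, 125, 2))]

if __name__ == "__main__":
    print(demo())  # ['ok', 'reject:replay', 'reject:bad-mac', 'ok']
```

A real deployment would also need the backend's replies authenticated and the sequence state persisted across reboots; the point here is that a passive tap on the bus yields frames the backend will not accept twice.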
Many electronic crimes are never caught. How do you know that nobody has exploited Blackboard's security?
Billy Hoffman is a computer engineering student at Georgia Tech. He was hired as a consultant for Nuvision Networks after his investigation of Blackboard's security flaws. He did not study the system on Nuvision's behalf; it was a project of personal curiosity.
I don't think so. He's a student at the University of Alabama, motivated by personal curiosity and concern for campus security.
Pay $5000+ tuition to the school each year and then rip off a few bucks of laundry service? I doubt it. And if that were their motivation, why on earth would they give a presentation about it to hundreds of people at a technology conference?
Furthermore, Hoffman and Griffith tried to advise Blackboard of their technology's flaws early on, but they were ignored. They received a similar response from Georgia Tech, except less politely.
Billy Hoffman has spoken on Blackboard's security in the past. His talks have generally been very informative, factual, and colorful (Hoffman happens to be a member of Georgia Tech's drama club). Obviously Georgia Tech and Blackboard were not happy about these talks, but no legal action was taken prior to April 2003.
Apparently Blackboard thinks the two students created a Blackboard-compatible hardware device of some type. They intended to speak about the device at the Interz0ne technology conference. Blackboard filed a criminal complaint, alleging that they had violated all sorts of wiretapping and corporate espionage laws. A copy of the complaint is available at Interz0ne's site.
Hoffman and Griffith complied with the restraining order. Instead of their scheduled talk, a convention organizer read the complete cease and desist order before an auditorium of conference attendees. Approximately 150 people were present for this.
No. See their press release. They maintain that their system's security is sufficient, claim that the researchers' activities were illegal, and state that the researchers' sole intention was to provide instructions for compromising security to a select group of hackers. Blackboard claims that this research put its customers at risk.
Hoffman contacted both Blackboard and Georgia Tech with his findings before he presented them to the general public. He only disclosed his findings to the general public after Blackboard failed to address the problem. This is in accordance with the usual convention for disclosing security advisories.
Furthermore, I will suggest that Blackboard itself is responsible for putting the institutions at risk. Even though Blackboard was alerted to these problems half a year ago (at least), they have not implemented a fix for existing customers, and have actively denied that a problem exists.
One reader noted a logical contradiction in their statement: if their security is in fact sufficient, then how are their customers now at risk?
No. Interz0ne is a widely publicized annual technology conference. It is open to the public. Anyone can come to Interz0ne and hear the talks. Although most attendees consider themselves hackers to some extent, this year's Interz0ne also welcomed several reporters and other people who were just curious. Blackboard's press release (see link above) portrayed Interz0ne as a closed gathering of illegal hackers. This is completely false. I don't think such individuals would hold something like that at an open hotel in the middle of downtown Atlanta, much less offer free admission and t-shirts to reporters.
If Blackboard's security is really OK, why did they apply for a temporary restraining order against the speakers? Why didn't they simply send representatives to the conference to ask critical questions and foster productive discussion?
Because as a student at a BTS-equipped university, my money and reputation are at stake. What if someone took advantage of BTS' flaws to gain access to a building, and I happened to be the last person to enter before the break-in? Or what if someone decided to debit my BuzzCard account without my permission?
Wouldn't you be concerned if your bank tried to cover up a glaring security flaw, or your house's door lock could be easily opened by anyone? Wouldn't you want someone to come out and tell you about these problems so that you could demand a solution to the problem? The BTS is no different.
Several web sites and university newspapers have run stories on this fiasco:
There are others. I will post links as I find them.
None of the coverage so far has been entirely accurate, though of the reports we have seen, the Slashdot article is the most accurate. And due to the restraining order, it is illegal for Hoffman and Griffith to correct mistakes in these articles! For instance, several of the articles compare their security compromises to breaking into an ATM. This is a poor analogy, but to explain otherwise would be a direct violation of the court order.
This situation has been incredibly frustrating for everyone involved.
No, but SE2600 has been kind enough to host a mirror. You may be interested in Hoffman's own list of Frequently Asked Questions. Please note that Hoffman stopped distributing this material in compliance with the court order. It is being independently provided by the SE2600 organization.
Yes, but it doesn't contain any information about Blackboard.
Their email addresses are acidus at yak dot net and virgil at yak dot net, respectively. Please do not ask them technical questions about the Blackboard system. They are not allowed to answer such inquiries due to the restraining order. Also, on advice from their legal counsel, they cannot answer questions regarding the legal proceedings.
You can reach Hoffman's attorney at pete at wellbornlaw dot com. Legal and monetary help are appreciated.
Spamming Blackboard probably won't help, but telling all your friends about this situation certainly will. If you are a student on a campus that uses BTS, be sure to mention this situation to your campus' administration. We need to make it clear that covering up security flaws through cease and desist orders is not acceptable and will not work. Feel free to post and redistribute verbatim copies of this FAQ.
By all means, tell me. My email address is at the top of this document.
I will take this page down as soon as Blackboard implements an honest security fix and stops making false statements about Hoffman and Griffith.