RIT’s public safety department got a bit upset with me today for making a copy of my university ID card. Seeing as I was locked out of my dorm and all labs, food and whatnot for four days while the folks at the registrar’s office broke everything after I had lost a card, I figured it’d be best to keep an extra key around, to avoid dealing with that mess again. As it turns out, that’s not allowed, though no one told me.
Still, I found a huge problem with RIT’s Lenel security system: none of this data is encrypted. At all.
Literally, I could take a picture of anyone’s ID card, find their UID and issue number, make another card and go into any of their labs. Once a new card is issued, I could just increment the 11th digit and do it again. By exploiting a few more holes I’ve been asked to withhold, I could get all of their personal information: SSN and financial info included.
That’s bad. That’s *very* bad.
Let’s see if I can get Lenel to fix this.
Update (after break):
Lenel doesn’t seem to care. In fact, they seem to take me for an idiot.
… Unfortunately, magnetic technology does not support these security features. Please raise your concerns with RIT Public Safety in Building 25 (by Gracie’s)…
Yes, because it’s completely impossible to copy a hashed char string to a magstripe card. I plan to look at other Lenel installations now, to see if this same flaw exists elsewhere. For both their sake and their customers’ safety, it better not.
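Added example, not part of the original post and not Lenel's or RIT's code: a sketch of the kind of keyed string the post says could be stored on the stripe, so that a card number read off the card face, or an old stripe with its issue digit bumped, no longer verifies. The 10-digit UID plus 1-digit issue layout, the key, the tag length and all function names are assumptions made for illustration; the hex tag assumes a track that holds alphanumeric characters.

```python
import hashlib
import hmac

UID_LEN = 10        # assumed: 10-digit UID, then a 1-digit issue number (the "11th digit")
TAG_LEN = 16        # truncated hex tag; stripe capacity is limited
SERVER_KEY = b"constructed-demo-key"  # constructed; a real key stays on the server


def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN].upper()


def encode_track(uid: str, issue: int, key: bytes = SERVER_KEY) -> str:
    """String written to the stripe: UID + issue digit + keyed tag."""
    if len(uid) != UID_LEN or not (uid.isascii() and uid.isdigit()) or not 0 <= issue <= 9:
        raise ValueError("uid must be 10 digits and issue a single digit")
    payload = f"{uid}{issue}"
    return payload + _tag(payload, key)


def verify_track(track: str, current_issue: dict, key: bytes = SERVER_KEY) -> bool:
    """Accept only a valid tag on the issue number currently on record."""
    if len(track) != UID_LEN + 1 + TAG_LEN:
        return False
    payload, tag = track[:UID_LEN + 1], track[UID_LEN + 1:]
    if not (payload.isascii() and payload.isdigit()):
        return False
    if not hmac.compare_digest(tag.encode(), _tag(payload, key).encode()):
        return False
    return current_issue.get(payload[:UID_LEN]) == int(payload[UID_LEN])


def demo() -> dict:
    uid = "0123456789"                      # constructed sample UID
    records = {uid: 1}                      # server-side: current issue per UID
    card1 = encode_track(uid, 1)
    results = {"genuine": verify_track(card1, records)}
    # Numbers read off the card face, with no knowledge of the key:
    results["numbers_only"] = verify_track(uid + "1" + "0" * TAG_LEN, records)
    records[uid] = 2                        # card reported lost, issue 2 printed
    results["old_card"] = verify_track(card1, records)
    # Old stripe with the 11th digit bumped to match the new issue:
    results["bumped_digit"] = verify_track(uid + "2" + card1[UID_LEN + 1:], records)
    # Caveat: an exact copy of the current stripe still verifies.
    results["exact_copy"] = verify_track(encode_track(uid, 2), records)
    return results


if __name__ == "__main__":
    print(demo())
```

The last result is the limit of this approach: a keyed tag stops forging a stripe from the printed numbers and stops guessing the next issue, but a byte-for-byte copy of a current stripe is indistinguishable from the original.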