Your organization is only as secure as people wish it to be

RIT’s public safety department got a bit upset with me today for making a copy of my university ID card. Seeing as I was locked out of my dorm and all labs, food and whatnot for four days while the folks at the registrar’s office broke everything after I had lost a card, I figured it’d be best to keep an extra key around, to avoid dealing with that mess again. As it turns out, that’s not allowed, though no one told me.

Still, I found a huge problem with RIT’s Lenel security system; none of this data is encrypted. At all.

Literally, I could take a picture of anyone’s ID card, find their UID and issue number, make another card and go into any of their labs. Once a new card is issued, I could just increment the 11th digit and do it again. By exploiting a few more holes I’ve been asked to withhold, I could get all of their personal information; SSN and financial info included.

That’s bad. That’s *very* bad.

Let’s see if I can get Lenel to fix this.

Update (after break):

Lenel doesn’t seem to care. In fact, they seem to take me for an idiot.

… Unfortunately, magnetic technology does not support these security features.  Please raise your concerns with RIT Public Safety in Building 25 (by Gracie’s)…

Yes, because it’s completely impossible to copy a hashed char string to a magstripe card. I plan to look at other Lenel installations now, to see if this same flaw exists elsewhere. For both their sake and their customers’ safety, it better not.
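
As an added illustration (not code from the original post, and not Lenel's or RIT's card format): a sketch of a server-side check in which the stripe carries a keyed hash over the UID and issue number. The track layout, key and function names are assumptions. It shows that incrementing the issue digit fails verification, while a byte-for-byte copy of a valid card still passes, so a keyed hash stops forged issue numbers but not cloning.

```python
import hashlib
import hmac

# Constructed demo key; a real system would hold this only on the access-control server.
SERVER_KEY = b"constructed-demo-key"

def _tag(uid: str, issue: int) -> str:
    """Keyed hash binding the UID to one specific issue number."""
    msg = f"{uid}|{issue}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16].upper()

def encode_track(uid: str, issue: int) -> str:
    """Hypothetical track layout: UID=ISSUE=TAG (not any vendor's real format)."""
    return f"{uid}={issue:02d}={_tag(uid, issue)}"

def verify_track(track: str, current_issue: dict) -> str:
    """Return 'ok', 'malformed', 'bad-tag' or 'revoked' for a swiped track."""
    parts = track.split("=")
    if len(parts) != 3 or not track.isascii():
        return "malformed"
    uid, issue_s, tag = parts
    if not (uid.isdigit() and issue_s.isdigit()):
        return "malformed"
    issue = int(issue_s)
    # Constant-time comparison of the presented tag with the recomputed one.
    if not hmac.compare_digest(tag, _tag(uid, issue)):
        return "bad-tag"
    # The tag is genuine, but the server must still know which issue is live.
    if current_issue.get(uid) != issue:
        return "revoked"
    return "ok"

def demo() -> dict:
    uid = "000123456"  # constructed sample UID
    card = encode_track(uid, 1)
    old_tag = card.split("=")[2]
    guessed = f"{uid}=02={old_tag}"  # issue number bumped, old tag reused
    return {
        "valid card": verify_track(card, {uid: 1}),
        "verbatim copy": verify_track(str(card), {uid: 1}),
        "old card after reissue": verify_track(card, {uid: 2}),
        "issue digit incremented": verify_track(guessed, {uid: 2}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
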

One thought on “Your organization is only as secure as people wish it to be”

  1. Actually, it’s been discovered that the digits after the issue ID are used to pad the end and make it different than just reading the barcode, which does not have these digits. I’ve always thought that it determined which buildings you can enter, but this is not true.

    There is not much you can do with a UID though… probably for this reason!
