CampusWide Wide Open
by Acidus
CampusWide is the mostly widely used card access system in America today. It sadly is the least secure. CampusWide is an ID card solution originally created by AT&T and is now owned by Blackboard.
It is an ID card that can be used to purchase things from vending/laundry machines or the college book store just like a debt card. It's used to check out books from libraries, open computer labs and buildings at night, gain access to parking decks, and even get you into sporting events. The CampusWide system gives everyone a card that lets them access both unattended and attended card readers and Points of Sale (PoS). All these actions and transactions are sent to a central server which stores all the information in a database. A confirm or deny signal is sent back to the card reader.
Back in the day (last ten years), there were two major card systems available to colleges: AT&T's CampusWide system (Also known as Optim9000) and Icollege's Envision.
Envision was one of the first card systems ever made. The seeds of the current Envision system go all the way back to 1984 with a company called Special Teams. The original engineers from Special Teams went through several companies, each one being bought by another company ever year for several years, before coming to Icollege. AT&T saw the market for card systems and jumped into the mix as well, stealing some of the ideas behind the system by hiring developers of Envision away from Icollege. They released a system known as CampusWide. It is commonly called Optim9000 or OneCard, however I will continue to call it by its most well known name: CampusWide. So why do you need to know all this history? Because the core of all modern card systems is based entirely on 1984 technology!
The original engineers from Special Team, and people trained in their ideas, have been the only people in the country designing and building these things. That means that the weaknesses in the reader/server infrastructure that I point out here are found in every card system made in the United States in the last 15 years! By the mid-to-late 90s, CampusWide held the largest market share. Then in November 2000, a newly formed company called Blackboard purchased both Envision and CampusWide. It sells both systems under the names Envision and Optim9000. Blackboard's first order of business was to upgrade the two systems to use newer technology, only to learn that they couldn't! Too many colleges and even businesses have the older equipment, and Blackboard can't afford to drop compatibility! They have tried to merge older and newer technology in an attempt to improve security (with the addition of IP converters), but in truth, they have weakened an already frail system.
The CampusWide system is the most prevalent, and easy to spot. The readers are black metal or plastic, almost all have a LCD screen, and they will have no writing on the except the AT&T logo with the word "AT&T" under it. The newer Blackboard ones work exactly the same as the AT&T ones, only they have Blackboard written on them.
Information on the CampusWide system was very hard to find. I started looking right after AT&T sold it when they were clearing out their old web pages and Blackboard was still creating there webpages. Needless to say, AT&T had much better documentation of the specs of the system than Blackboard did. Sadly, all of it is off AT&T's page now, and you'll have to hurry to still find it cached on Google. Luckily I saved everything, and should post it up soon.
The Server
The CampusWide system is recommended to run on Hewlett-Packard HP9000 machines, though any RISC processor will do. It only runs on HP-UX (Blackboard currently installs ver 11.x). The AT&T system had a list of specs that the end users must have to support the software. These included the above, but also a 4 GB capacity Digital Audio Tape (DAT) and a Uninterruptible Power Supply (UPS) that can keep the system up for 20 minutes (Blackboard's newer specs suggest a Best Technologies FERRUPS 1.8 KVA battery that can go for 45 minutes). More interestingly, the CampusWide system is required to have a 9600 bps modem for remote diagnostics. The system itself consists of two parts: the Application Processor (AP) and the Network Processor (NP).
The Applications Processor is the back-end of CampusWide, the part the users never see. It manages the database where all the information is stored and provides an interface for human operators to look at logs and run reports, as well as change configuration/privileges and transactions/account maintenance.
The NP is the gateway from the infrastructure to the AP. It takes in the requests from readers around campus, converts the mode of communications into commands the AP can understand, and then passes it along. AT&T CampusWide could support up 60 communication lines and 1,000 card readers. The new Blackboard system allows up to 3,072 readers.
The Database
All the information about a student or employee isn't stored on the card for security reasons. It's stored in the database (the card simply has an account number which is used to organize the data in the database). The database used by the current Blackboard system is dbVista. The database for the AT&T version was never advertised by AT&T, but was believed to be Informix. However, based on the modular design of CampusWide, I believe any SQL queried relational database should work. The database is most likely not encrypted or protected in any way other than by isolation. The only way to get to it is either at the console of the AP or by the commands sent from card readers that have already passed through the NP. Blackboard's assumptions that these two ways of reaching the AP are secure are the one of the systems downfalls. The database can store up to 9,999 different accounts, each account having many different fields. The balance the person has and the doors they can open are included in the system. The balance will be a floating point number, and the doors the person can open will most like be a string of characters, with the bits being used to tell which doors they can or can't open.
The doors are most likely grouped into zones, so that the five doors into a building have one bit instead of five separate bits saying if the person can open those doors or not. This idea is upheld by the fact that Blackboard says the users are given plans and that can be updated regarding their access to buildings. These plans grant different levels of security access to a building. Lower levels can get into the building through all the exits, the next level can access labs on a certain floor, etc. Without direct inspection of the database, only educated guesses can be made about its structure. (I have totally left out any provisions for checking put books, and other things the card can do.)
The Workstations
The AP was interfaced originally by the AT&T system only at the server console, or through dumb terminals connected to 19.2 kbps serial lines. Toward the end of the AT&T days, and now with Blackboard, changes to someone's security privileges can be made from any workstation on campus. I watched this process several times. A certain software package was used to connect through TCP/IP to the AP. (I saw the name once, briefly, and for some reason I thought it was "Osiris." Checking on this name has turned up no results. Perhaps this is a proprietary piece of software specific to my college, or simple a closely guarded software package from Blackboard.) A GUI has used to select my name from a list of students. A summary of my security privileges then came up, and the ability to add and removes these was there as well. This GUI has incredibly user friendly, as the man using it had nil computer knowledge. I only got to watch a few people having new security privileges activated, and never got to use it myself, so I have no way of knowing if the debt balance can be accessed/changed from this GUI.
The Card
The ID cards that are used are your standard ANSI CR-80 magstripe cards. They are made of PVC and are 2.125 by 3.375 inches. They are made on-site at the college's "card station," and normally have a photo ID on them. A 300 DPI photo printer is used and the company recommended by Blackboard to use is Polaroid (just like the printers at the DMV). The magnetic stripe on the card is a standard American Bankers Association (ABA) Track 2.
Any card reader/capture tool can read these cards. The cards are encoded on high-coercivity stripes (known as HiCo), which are very resistance to wear and tear. These cards only use Track 2 of the card, which is read-only. It is interesting that they don't use Track 3 which is read/write.
Track 2's information breakdown is as follows:
Start Sentinel = 1 character Primary Account Number = Up to 19 characters Separator = 1 character Country Code = 3 character Expiration Date or Separator = 1 or 4 characters Junk data = Fills the card up to 40 characters Longitudinal Redundancy Check (LRC) = 1 characterAs you can see, most of this applies to banks. However, the account number I have stamped on my CampusWide card is 16 characters long, so the Primary Account number field is known to be used. CampusWide also allows for lost cards. If a card is lost, an entry is made in that person's table in the database. The last digit of their account number is increased by one (this is called the check digit - so of the 16-digit account number I have, the first 15-digits are my number; the 16th digit is the check digit). The old card that uses the old check digit is deactivated and a new card is printed.
The Infrastructure
The infrastructure is a "security through obscurity" ploy of the system. Originally, the system was designed to run over a several RS-485 drop lines. (These are the 60 communication lines mentioned before.) RS-485 is a very robust means to transmit data. (The whole CampusWide system is designed to take a beating.) Unlike RS-232, which has a protocol build in to the standard which says how devices must talk to each other (stop bits, baud, handshaking, etc.), RS-485 has none of that. It is a way for a master device that sits at the end of a communication line to talk to slave devices that are daisy chained on the line.
The CampusWide system uses the full-duplex version of RS-485 where slaves can speak to the master before the master polls them for data. (CampusWide needs this to have the sub-seconds times they advertise. However, the NP still polls all the readers on a regular basis and can be interrupted by a reader when a transaction comes in.)
The data lines are very robust against noise and interference. RS-485 has two lines in each direction, called A and B. Data is sent by having a difference in the voltage of A and B of more than 5 volts. This mean that if you have a signal being sent, and A is at 10 volts, and B is at 15, and a power spike comes along, the spike will boost both voltages by the power of the spike. However, the difference between the higher power A and B will still be 5 volts and the data is not corrupted.
Over short distances, speeds of 10 Mbit can be achieved. However, the longer the cable is, the lower the speed. All CampusWide card readers operate at 9600 bps, thus making the maximum distance of the RS-485 drop around 4,000 ft. This can be extended through the uses of repeaters and boosters on the line. RS-485 is very common in industry, but "secure" at a college since it is unlikely anyone would have a means to interface to it.
Commercial RS-485-to-RS-232 converters are available and prices range from $50 to a few hundred. VHDL designs of these converts can be found on the Internet, and thus an FPGA could be configured to decode RS-485 signals. While researching, I came across a post from someone claiming to be a field tech for some company. He said that you could make a RS-485-to-RS-2432 converter very easily by wiring:
No one posted after him to say he was wrong. I don't know if it would work, since the second wire of the pair of RS-485 data lines isn't even mentioned, and it's the difference between these two lines that sends the data. Also, the possibility of high voltage on a RS-485 line could easily damage a serial port on a computer, if not fry the motherboard. Also, this assumes the data scheme used to transmit data on the RS-485 line is identical to RS-232. This doesn't have to be true, since the way data is represented (in packets, streams, stop bits, parity, etc.) is not defined by RS-485. If you could get to the data streams, you have no idea the scheme used to represent it is, and thus how to decode it. This last problem however, is moot, as you will read in the Exploits section.
AT&T would recommend that these lines be used (indeed, all the readers can only transmit their data in RS-485 mode), however the data can travel over any facility from telephone lines to radio waves, provided that full-duplex 9600 bps asynchronous communication can occur on them. The NP is the part of the system that would sort all this out. AT&T did however specifically say that using an existing Ethernet or computer network was not a good idea, as it sent the data out into the wild, and would slow down both the CampusWide system and the existing computer network.
However, Blackboard now offers an IP converter. This device is a simple computer (it has a Pentium-class processor and a standard off-the-shelf NIC card) the takes in 16 different RS-485 devices, converts all their communications into TCP/IP packets, and encrypts them to send over the network. The NP then has a converter at its end that converts the packets back to RS-485 format. The IP converter is assigned an IP address which is most likely a static address. The IP converter also most likely has a daemon on it you can Telnet into to look at the status, and perhaps change configuration info. Blackboards says the data from these boxes is encrypted and the box certainly has the power to crunch some numbers. However, I have found that if encryption is good, then companies will brag that about the key length, etc. The only data Blackboard gives about the encryption is that the keys can be changed automatically on any interval from the AP.
For the longest time at my college, if an off-campus food joint wanted to have the student be able to use their school cards to pay for food, they had to pay for an expensive leased-line that connected them to the school. It's my guess that this was the RS-485 line, or something similar. Recently (in the last six months) my college offered cheap (<$300) boxes to nearby pizza joints that would allow for payment with a school card. These boxes were simply card readers with modems installed, much like a credit card validater. These modems are dialing the NP directly! Major security risk!
The infrastructure ends up like this. All the devices in a building send their lines into one place in the building. This is where multiplexers exist which split the main RS-485 drop line up into slices for each reader. These multiplexers also can boost the power of the main drop line, letting it travel longer distances. These multiplexers can be stored in a locked networking closet or in these big metal cabinets on the wall of a room. AT&T called these MW/MHWMENC - Wall-Mount Enclosures. This metal box has a handle and a lock, but the front of the handle and lock assemble has four flat-head screws. I used a cheap metal knife and opened this locked box. Inside I found the Laundry Center Multiplexes (LCM) that controlled the laundry room I was in. Everything had "AT&T CampusWide Access Solution" written on it, as well as lots of Motorola chips. Sadly, this was early in my investigation, and I haven't gone back to look again.
The drop lines coming to the building can be traced back all the way to the building the houses the NP. There the NP interfaces with the AP to approve or deny transactions.
The Readers
Every reader imaginable is available to a college from Blackboard. Laundry readers, vending machine readers, point of sale terminals in the campus bookstore, door readers, elevators, copiers, football game attendance, everything! All of the readers communicate using RS-485 lines, and if any other medium is used between the reader and the NP (such as a TCP/IP networking by way of the IP converter), it must be converted back to RS-485 at the NP, since all CampusWide uses that standard. Everything is backwards compatible. The majority of my college campus has AT&T readers on them, though a few new blackboard readers are showing up.
Readers can be broken into three categories: security, self-vending, and POS.
Security readers are made of high-density plastic and consist of a vertical swipe slot and two LEDs. They are green when they are not locked and red when they are. When you swipe a card to open a door you are cleared for, the light will change to green for around 10 seconds. If the door has not been opened in that time, it locks again. To allow for handicap people who may not be able to get to the door in time, a proximity sensor is available to receive signals from a key fob or similar key source to open the door. Information about what frequencies are used in control of the door are obviously not published by either AT&T or Blackboard. There is also a model of door reader with both a swipe and a 0-9 keypad for codes. I have encountered no such model, and have no idea how it works. Advanced forms of these three security readers are available which have the ability to have a local database of 4,000 (expandable to 16,000) account numbers stored in NV-RAM. This way, if for some reason the card reader can't reach the NP to confirm someone's identity, then the reader can check its local records. The tricky bastards also built the readers so there is no visual difference between a reader that can't reach the NP and one that can.
The self-vending machines are the most colorful group. They are the best to hack because they are unattended and work 24/7. They vary in size and shape, but all have several fundamental features. They all have a LCD screen of some kind, the most common being 2x16 characters. Most are mounted to walls and the power/data lines are protected by metal conduit. Coke readers are mounted on a Coke machine where the dollar bill acceptor would go. Of this group, one stands out: the Value Transfer station! Unlike the GUI at the workstations, this reader can directly query about the account balance of the a cardholder and add money to it as well (by feeding in dollar bills like a change machine). In addition, it dispenses temporary PVC cards that can be credited, so people can do laundry, etc. if they forgot their card. This means that this station can tell the AP to create a new account and give it "x" number of dollars!
Finally there are the POS devices. A student would never get to use these. They are used in cafeterias and bookstores. They allow for payment by the student ID card and several other options.
All these readers have inherent similarities. Most are made from high-impact plastic or metal. If it is wall-mounted, the will be metal conduit running out of the top which holds the power and data lines. All have their program code on ROM/NV-RAM chips. I once managed to power down a card reader for a copier. When I turned it back on, it ran through several self-tests in the span of a few seconds. I saw messages on the LCD that said things like "ROM ver" and "CRC check complete." AT&T and now Blackboard say all the readers, including POS, will power up to full operating status with out any user input in a maximum of 20 seconds. All of these readers can store swipes of cards and transactions in their local NV-RAM until it can reach the NP, and through it, the AP to confirm the transaction. While disconnected from the NP, the readers show no warning lights or anything like that. Some readers, such as the security readers, can be wired to an UPS to keep areas secure even when the power goes out.
A Simple Transaction
Let's run through a simple transaction. I am at a laundry reader. I tell the reader with a keypad which washer I want to use. Let's say I choose C4. I then swipe my card. The reader sends a signal that contains the account number (and the amount of my purchase, and most likely nothing more) to the NP through some medium (most likely it's a straight RS-485 line, but an IP converter could be installed by the university). The NP decodes the data out of the RS-485 line and parses it into commands the AP can understand. The AP uses the account number to pull up my account and checks the balance against the amount requested. It then either deducts the money from my account and tells the NP to send an O.K. signal, or to send a deny signal along with the new balance of my account. The NP forwards the reply back to the reader, and the reader (if it got an O.K. signal) will send an electronic pulse to the coin tester inside the washer C4 and tell it that $.50 was received. The washer is retarded - for all it knows I put $.50 in it with coins, and it gives me a load.
The Exploits
Did you see the problem with the above solution? There are several ways to cheat the system. If I can record the "it's O.K. to sell it to him" signal from the NP to the reader and play it to the reader again, I will get another load of wash. Also, if I could get to the wires that go from the Coke reader to inside the Coke machine that send the coin pulses. I can make the Coke machine think money has been paid. I have looked at Coke machines with these Coke readers. Out the back of them, they have a RJ-11 jack (though it will have RS-485 signals on it). All I need is a converter and a laptop and I can trap the signals back-and-forth between the reader and the NP. You don't even need to know what the data scheme used on the RS-485 line is, just send to the reader what you intercepted from the NP, and it will work. It is even easier if the traffic takes place over a TCP/IP network. If I learn the IP address of the IP converter, I can simply send packets to it from anywhere in the world (provided I can Telnet into the college's TCP/IP network) that contains the RS-485 code to spit out a Coke! You can fool door readers as well, if you could get to the wires that go from the reader and go to the magnet holding the door shut. Just send the correct pulses. This system is horribly insecure because you can completely bypass the CampusWide interface! The Value Transfer Stations are even worst. They have the ability make the AP create a new account and set a starting balance to any amount. Just gain access to the RS-485 lines, record the traffic to and from the NP while you are getting a temporary card, and you have the system to create and alter debt accounts.
With a system like this, you would think that the RS-485 lines would be protected with massive security. They aren't. Metal conduit protecting the lines commonly stops at the hanging ceiling. Value Transfer Stations routinely have their backs accessible from janitor or utility closets, which are rarely locked. The RS-485 line literally comes out of the back of a Coke machine unprotected. The flexible piping that carry the coin wires from the laundry reader to the washer are secured to the back of the washer with flat-head screws. It is pathetically unprotected. The phone numbers the modems dial from off campus eateries are easily socially engineered out of the minimum wage workers there, and let you dial directly to the NP. Or you could simply find the range of telephone numbers of the building that the card system is housed in, and wardial it.
The AP is required by Blackboard to have a modem for diagnostics. You could steal a copy of the GUI of a computer and then edit people's privileges to your hearts content. And even worst, the Envision system is exactly the same as CampusWide, except it uses a Windows NT/2000 machine using Oracle as its database. Every flaw I mentioned will work against Envision as well. Hell, both systems even use the same readers! And there is no fear of having any of your actions logged. Once you trap the RS-485 signals from the NP to the reader, just play it back to the reader whenever. The AP never knows you are doing anything and thus doesn't log it, and the reader assumes that any data it gets must be secure. Now tell me this... The next time you swipe a CampusWide card to get in a football game, how do you know someone isn't trapping the data and creating a copy of your account onto a card from a hacked Value Transfer Station? Hopefully this article will force Blackboard to change to a more secure system.
Sources: Thanks to Jim Resing at Blackboard for all the technical info, and various websites like rs485.com, google.com's cached webpages, and howstuffworks.com.