We've always had twin interests in both security systems and low-level bit coding, so we went looking for some old hardware to hack on early Friday night. We found an old magnetic card reader-writer, and given that UMD continues to insist on using magnetic stripes instead of a more secure system like NFC, we figured there would be potential to exploit the system and gain unauthorized access. Along the way, we hoped to learn more about how magnetic data is stored on credit cards.
What it does
For the purposes of investigation, we implemented some simple C code that lets us access the reader and read and write pertinent information to one of the card's tracks. We also added functionality to quickly copy cards for further research. We then attempted to find a way to manipulate the bits found on a standard student ID (copied onto a hotel room keycard) so that it would gain us access to unauthorized areas on campus.
How we built it
Once we had a basic way of changing bits, we needed a plan of action for exploiting the system. An auditing paper had been written prior to a major change in the system by UMD police, showing that a combination of social security numbers and student ID numbers was stored on the card with very little verification.
Based on our research, the cards seem to be working off a serial number system, but there appears to be a simple salting process. By changing 4 bits, we think we've managed to gain an unauthorized card access to an unspecified campus building. ;)
A large portion of the research was pencil-and-paper, although we used a few small machine learning classifiers to help us out when the amount of data got too huge to parse all on its own.
Challenges we ran into
Existing code for interfacing with USB devices was completely unusable, which meant we had to do a lot of the dev from scratch. The numbers on the card were also very difficult to understand.
Accomplishments that we're proud of
I always enjoy getting low-level C working well, and rehabilitating the magnetic stripe reader could be useful in future projects (until they fully phase out the magnetic stripe because it's insecure, anyway). The crypto part was fun as well, but there's no real pride in manipulating a salt, so we hope there's something more to it.
What we learned
In addition to one member learning a lot about C, we also learned a lot about both important crypto algorithms and the importance of total OpSec.
What's next for us
We need to fully understand what algorithm was being used, if not just to satiate our own curiosity, then to write up an audit report to UMD police.