BuzzCard maker silences student
At a computer security conference last weekend, Billy Hoffman, a fourth-year CS major, planned to present his research on CampusWide, the network the BuzzCard system uses.
Hoffman began researching ways the system could be circumvented nearly two years ago. His research led to the discovery that it is possible to fool the system into thinking that a real BuzzCard was used when in fact one was not. This flaw would, for example, allow someone to get free laundry service.
When the number of sexual assaults on campus increased, Hoffman started investigating how the system could be used to gain unauthorized access to dorms and other buildings.
Early Saturday morning, Blackboard Inc., the company that sells CampusWide to Tech, served Hoffman with a temporary restraining order that kept him from giving his presentation.
Hoffman planned to present information on the network protocol used by the BuzzCard readers and demonstrate his version of a reader that could be used as any other normal reader connected to the BuzzCard network.
Along with Virgil Griffith, an Alabama University at New College student, Hoffman explored the protocol used by the BuzzCard readers to see how it worked and what information was being transmitted. The readers send all data to the central server via a serial communications standard known as RS-485; in other words, the data is sent across the campus local area network via a special computer interface.
Under Sega v. Accolade, the Ninth Circuit Court of Appeals ruled that reverse-engineering of a device to learn how it works is generally fair use and does not violate copyright law that would otherwise protect the source code and firmware of the device. The court filings allege that Hoffman opened up secured access panels to monitor the inner workings of the CampusWide network, an activity that would not be considered part of normal reverse-engineering.
Hoffman and Griffith published the results of their research in the Spring 2002 issue of 2600: The Hacker Quarterly. Their investigation led to the discovery that the information transmitted contained the BuzzCard number and possibly other personal data.
The attack, known as a "man in the middle attack," would allow someone to monitor data going back and forth, collect otherwise private information, or even send false information to the BuzzCard readers or to the BuzzCard database.
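The attack class described above (reading and injecting traffic on a reader-to-server link that does not authenticate its messages) is easiest to see in a small simulation. The following is an added example written for this edit; it is not code from the article, from Hoffman, or from Blackboard. The frame layout, the per-reader keys and the counter scheme are constructed for illustration and do not describe CampusWide, whose actual protocol the article does not document. It places a naive server that accepts any well-formed frame arriving on the shared bus beside a server that requires a keyed MAC and a strictly increasing per-reader counter, so that forged and replayed frames are rejected.

```python
import hashlib
import hmac
import struct

# Constructed frame layout for this example only: reader id (2 bytes),
# card number (8 bytes), transaction counter (4 bytes), big-endian.
# The authenticated variant appends a 32-byte HMAC-SHA256 tag.
HEADER = struct.Struct(">HQI")
TAG_LEN = 32

# Hypothetical per-reader secrets, assumed to be provisioned out of band
# when a reader is installed. A device spliced onto the bus does not have them.
READER_KEYS = {
    0x0001: b"example-key-for-reader-1",
    0x0002: b"example-key-for-reader-2",
}


def build_frame_plain(reader_id, card_number, counter):
    """Unauthenticated frame: anyone on the bus can read it or forge one."""
    return HEADER.pack(reader_id, card_number, counter)


def server_accept_plain(frame):
    """Naive server: a known reader id is the only check, so a forged
    frame naming a real reader is accepted as a genuine swipe."""
    reader_id, _card_number, _counter = HEADER.unpack(frame)
    return reader_id in READER_KEYS


def build_frame_authenticated(reader_id, card_number, counter):
    """Genuine reader: MAC over the whole body with its provisioned key."""
    body = HEADER.pack(reader_id, card_number, counter)
    tag = hmac.new(READER_KEYS[reader_id], body, hashlib.sha256).digest()
    return body + tag


class AuthenticatingServer:
    """Verifies the MAC and rejects counters that do not advance (replays)."""

    def __init__(self):
        self.last_counter = {}

    def accept(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        reader_id, _card_number, counter = HEADER.unpack(body)
        key = READER_KEYS.get(reader_id)
        if key is None:
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False          # forged or tampered frame
        if counter <= self.last_counter.get(reader_id, -1):
            return False          # replay of an earlier genuine frame
        self.last_counter[reader_id] = counter
        return True


def run_scenarios():
    """Returns the outcome of each scenario so the contrast is explicit."""
    results = {}
    # A device on the bus, without any key, claims card 1234 swiped at reader 1.
    forged_plain = build_frame_plain(0x0001, 1234, 1)
    results["plain_forged_accepted"] = server_accept_plain(forged_plain)

    srv = AuthenticatingServer()
    genuine = build_frame_authenticated(0x0001, 1234, 1)
    results["auth_genuine_accepted"] = srv.accept(genuine)
    results["auth_replay_accepted"] = srv.accept(genuine)        # same frame again
    forged_auth = HEADER.pack(0x0001, 1234, 2) + bytes(TAG_LEN)  # no key, bogus tag
    results["auth_forged_accepted"] = srv.accept(forged_auth)
    results["auth_next_genuine_accepted"] = srv.accept(
        build_frame_authenticated(0x0001, 1234, 2))
    # The card number is still readable in the body either way; a MAC gives
    # integrity and authenticity, not confidentiality.
    results["card_visible_in_body"] = HEADER.unpack(genuine[:HEADER.size])[1] == 1234
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Two points the simulation makes that the paragraph alone does not: a MAC with a monotonic counter closes both the "send false information" and replay cases without any change to the physical bus, but it does nothing for the "collect otherwise private information" case, since the card number still travels in the clear; keeping it private needs encryption of the body as a separate measure.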
Institute Communications and Public Affairs (ICPA) Executive Director Bob Harty, speaking for the BuzzCard Center, said that Hoffman contacted them last year after his article was published concerning the security issues he found with the BuzzCard. However, an independent audit of Tech's information security was performed as a result of the recent break-in to the Ferst Center's credit card server. The report looked favorably upon Tech's overall security.
Harty commented that the BuzzCard Center is "continually looking to keep the system secure" and that "they take information security really seriously." Harty said that there is only so much the BuzzCard Center can do, however.
"If you pry open the cover of an ATM or take a hammer to it, you can get money from it." He also said that the BuzzCard Center "has been proactive, regardless of what [Hoffman] has or has not discovered."
John Hall, a fourth-year CS major who attended the same computer security conference that Hoffman did, said "the BuzzCard network has many vulnerabilities that are demonstrably exploitable. Rather than fix the problem, Blackboard has chosen to sweep this issue under the rug."
Michael Stanton, Director of Corporate Communications for Blackboard, said that Hoffman made a physical, not software, attack. "It's absolutely not an issue [to Blackboard]. It's an issue of getting into hardware."
Blackboard's restraining order came about because Hoffman obtained "illegal access [to the hardware] and then created a how-to on how to take apart the system," said Stanton. Blackboard sought the restraining order "to stop him on presenting information that defrauds Georgia Tech and harms the intellectual property of Blackboard." He added that the boxes should be more tightly secured.
In addition, when DramaTech sought a reader for patrons to pay for admission with the BuzzCard during the recent performance of Guys and Dolls, they were unable to obtain one. Many within DramaTech feel that since Hoffman is president of DramaTech and will continue to serve as production manager next year, the BuzzCard Center was hesitant to deliver a reader to DramaTech. Patrons could only pay with cash or check at the performances.
"People were turned away because they couldn't pay with a BuzzCard," said Marketing Director Adam Johnson.
Hoffman, under terms of his gag order, could not comment.