Following Up: Hacking Oklahoma State University’s Student ID


I published a pretty lengthy report “Hacking Oklahoma State University’s Student ID” on Sunday that I originally wrote in 2013. You can see the original post here:

In two days, it was posted to Hacker News, Reddit /r/Netsec, and other sites, generating over 17,000 page views and hundreds of shares on Twitter and Facebook. In hindsight, I should have titled the report differently to keep my alma mater out of the headlines. With that said, the response from the community has been overwhelmingly positive, with several other universities now auditing their own systems.

Edit: An awesome writeup on Hackaday - read it here

There are two main sections to this follow-up:

Current OSU students will be interested in the first section; everyone else will be interested in the second.

Public response to the O’Colly

The Daily O'Collegian, respectfully, reached out to me today saying they are going to be publishing an article on Friday, regardless of my response.

Let me be very, very clear: the purpose of posting the original report was never to “go viral” or damage the University’s reputation. The purpose was to open up a broader discussion about security in general. Broken systems are all around us, and they will never be fixed unless we promote a culture of ethical security research.

When I asked what the purpose of the O’Colly article was, I received the following:

Assuming the ID cards aren't secure (which I'm no IT major but after reading your write-up it makes sense to me) we want to find out if OSU knows they're insecure, and if they knowingly just let it slide. That said, if you did the presentation and they only did the band-aid fix of taking down the ID query URL, then that doesn't reflect well on the university at all. We want to explain to the student body if their bursar and personal information is safe or not.

Hm. Feels like stirring the pot. I’m declining their interview because the last thing I want to do is spread fear, uncertainty, and doubt. I will instead answer the questions they asked (modified by me) publicly:

Are Student ID cards still vulnerable?

I do not believe there has been a major change to the way systems on campus validate the magnetic stripe on Student IDs. I do believe there have been policy changes on how to treat Student IDs on campus during purchases (example: photo identification required).

One thing to mention here is that there is no “silver bullet” solution to fix all the problems. Yes, Oklahoma State should audit their systems and reissue more secure Student IDs. But the newest technologies are not without problems (specifically: RFID, NFC, and Chip & PIN).

Remember: you really should treat your Student ID like a credit card. Even if you only allow someone to see the front of your Student ID (and the card number in the bottom right), they could theoretically clone your card with very little work.

What is the feasibility of accessing a random Student ID?

Accessing a random ID would require you to either:

I’ll repeat: you really should treat your Student ID like a credit card. Even if you only allow someone to see the front of your Student ID (and the card number in the bottom right), they could theoretically clone your card with very little work.

Have I been reached out to by the university as of this post?

No. But I will update this answer accordingly.

So who read the report at Oklahoma State?

I mentioned at the beginning that over 17,000 unique visitors read the article. Neat! How were these visits tracked?

Google Analytics gives a really good view of the statistical demographic of people who read the original report:

But, I was only interested in seeing if anyone at Oklahoma State read it.

Clicky allows us to dig a little deeper and actually export JSON data from our analytics report!

So now we have a list of IP addresses. Okay, but what do a bunch of little numbers tell us about who is reading the report? Now comes the fun part: the nslookup command. It allows us to query a DNS server and see if we can get a hostname for the IP.

Hah, turns out that all of the external OSU IPs have a hostname. Perfect.

Let’s write a little piece of code to iterate over the Clicky JSON export.

<?php
// Load the Clicky JSON export
$visitors = file_get_contents("visitors.json");

// Decode it into nested PHP arrays
$json = json_decode($visitors, true);

// Parse the tree, we just want the visitor items
$items = $json[0]['dates'][0]['items'];

foreach ($items as $item) {
	$ip = $item['ip_address'];
	// Reverse DNS lookup; returns the bare IP (or false) when there is no PTR record
	$host = gethostbyaddr($ip);

	// Filter out suddenlink and others, we only want OkState.
	// strpos() returns 0 for a match at the very start, so compare with !== rather than !=
	if ($host !== false && strpos($host, 'okstate') !== false) {
		echo $host . "\n";
	}
}

What this effectively does is dump all the okstate hostnames from the Clicky JSON export, which lets us see exactly who was on the site. I then removed the duplicates (some people were tracked separately per browser).

So what does it all mean?

.it. is the IT department, as is .itlabs.

.wh. is Whitehurst - home of the IT department

.su. is the Student Union

.nat. is most likely a dorm

There are others, but they follow the pattern of computer name . computer location. For example: could very well be Ron King in the IT department. Remember though - an IP cannot legally correlate with a person! Maybe we should revisit how we name our computers though.
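Pulling the script above and the hostname pattern together, here is an added example (mine, not the original post's PHP) that walks a Clicky-shaped export, deduplicates hosts, and buckets them by the location label. Reverse DNS is replaced by a constructed lookup table so it runs offline; the IPs and hostnames are made up, and the suffix-match assumes OSU hosts live under okstate.edu.

```python
import json
from collections import Counter

# Constructed sample mirroring the export shape the PHP walks:
# json[0]['dates'][0]['items'][i]['ip_address']. Addresses are documentation ranges.
CLICKY_EXPORT = json.dumps([{"dates": [{"items": [
    {"ip_address": "192.0.2.10"},
    {"ip_address": "192.0.2.10"},   # same machine seen from a second browser
    {"ip_address": "192.0.2.11"},
    {"ip_address": "192.0.2.12"},
    {"ip_address": "198.51.100.5"},
    {"ip_address": "203.0.113.7"},
]}]}])

# Stand-in for gethostbyaddr()/nslookup so the example runs offline (made-up names).
FAKE_RDNS = {
    "192.0.2.10": "desk-042.it.okstate.edu",
    "192.0.2.11": "lab-07.itlabs.okstate.edu",
    "192.0.2.12": "kiosk-3.su.okstate.edu",
    "198.51.100.5": "dyn-5.suddenlink.net",
    "203.0.113.7": "okstate.example.net",   # contains 'okstate' but is not an OSU host
}

# Location labels the post decodes from the second hostname component.
LOCATION_LABELS = {"it": "IT department", "itlabs": "IT department",
                   "wh": "Whitehurst", "su": "Student Union", "nat": "dorm (likely)"}

def lookup(ip):
    # gethostbyaddr() hands back the IP itself when there is no PTR record
    return FAKE_RDNS.get(ip, ip)

def is_osu_host(host, domain="okstate.edu"):
    # Suffix match rather than substring: a strpos('okstate') test also accepts
    # hosts that merely contain the word, and misreads a match at offset 0.
    return host == domain or host.endswith("." + domain)

def osu_hosts(export_json):
    items = json.loads(export_json)[0]["dates"][0]["items"]
    hosts = {lookup(i["ip_address"]) for i in items}   # set: one entry per machine
    return sorted(h for h in hosts if is_osu_host(h))

def location_of(host):
    # Pattern from the post: <computer name>.<computer location>.okstate.edu
    labels = host.split(".")
    return LOCATION_LABELS.get(labels[1], labels[1]) if len(labels) >= 4 else "unknown"

def summarise(export_json):
    return Counter(location_of(h) for h in osu_hosts(export_json))

if __name__ == "__main__":
    for h in osu_hosts(CLICKY_EXPORT):
        print(h, "->", location_of(h))
    print(dict(summarise(CLICKY_EXPORT)))
```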

Thanks for reading OkState IT department!