#DEFCON: Hacking RFID Attendance Systems with a Time Turner

  • If a computer science student has a scheduling conflict and wants to attend two different classes that occur at the same time, what should that student do?

    In a session at the DEF CON 29 conference on August 7, Ph.D. student Vivek Nair outlined a scenario where a hack of the attendance system could, in fact, enable him, or anyone else, to be in two places at the same time. Nair explained that many schools use an RFID-based attendance system known as an iClicker to track whether or not a student is present. The system includes a base station for each classroom or lecture hall, and then each student is required to carry a device, which can also be used to answer multiple-choice questions.

    Nair noted that in the popular Harry Potter fiction series there is a magical device known as a Time Turner, which is used to help enable a student to be in two classes at the same time, via time travel.

    “Without the luxury of magic, what is the next best thing?” Nair asked. “It is, of course, hacking.”

    Building a Time Turner to Exploit a Modern University

    In his talk, Nair outlined how the RFID-based system was reverse engineered so he could learn how it works. With that knowledge, he realized that there was no encryption on the device transmissions and it could be possible to mimic a real device.

    “It is hard to overstate how vulnerable the system is, and it’s even more shocking that this exact model is currently used at over 1,100 universities, and in nearly 100,000 classrooms,” Nair said.

    Nair said that a clone device could be built using a low-cost Arduino electronics platform. He noted that the Arduino is a low-power technology that could be powered with a small battery.

    By placing the custom Arduino-based Time Turner in a classroom, it could potentially mimic the actions of a legitimate device. That means it could enable a student to claim to be physically in a class that they aren’t actually in.

    Going a step further, Nair demonstrated how the custom Time Turner could also respond to polling quiz questions that a teacher might ask. The system is aware of all the other answers coming into the main base station in the classroom and can be set to automatically select the most common answer to submit, on behalf of the absent student.

    “If I were more nefarious, what I could do is try to change the votes of my classmates,” Nair said. “A vulnerability that allows me to change someone else’s answer on the polling system is a major oversight.”

    Going a step further, he noted that if he were even more nefarious still, the Time Turner could be used to launch a denial of service attack, flooding the classroom’s base station with hundreds of votes per second. That would quickly overwhelm the host device, eventually causing it to crash and making it impossible for legitimate students to submit answers.

    Lack of Authentication

    The big problem with the attendance system has to do with authentication.

    Nair explained that the way the attendance system works is the student’s device is just broadcasting its presence over a radio signal without any real authentication. He emphasized that the system lacked confidentially, integrity, and availability.

    “With regards to confidentiality, there was none to speak of, as I demonstrated when we were able to listen to other students’ answers,” Nair said.

    Nair suggested that vendors should implement the use of encryption in transit to help provide some confidentiality. He also recommends the use of a Physically Unclonable Function (PUF) for the student device, which would restrict the ability of an attacker to build their own device with an Arduino.