Identification cards used by staff and students at the University of Sydney (USyd) are vulnerable to being cloned and exploited by identity thieves, Honi Soit can reveal.
The cards can be cloned using primitive and inexpensive hardware in less than 30 seconds, and can potentially be cloned at faster speeds with more advanced hardware, allowing hackers to clone a card merely by brushing against another person.
The cloned cards retain all of their digital functionality, including swipe access to any buildings that the original card has access to. This means not only that a cloned card can access restricted buildings, but also that any such access is recorded in University security logs under the identity of the original card holder.
The SydPay function, which effectively gives ID cards the functionality of a debit card for printing, copying and, at some student accommodations, laundry services, is also retained in cloned cards.
Two generations of ID cards are currently in use at USyd, one from pre-2017 and the other introduced from 2017 onwards. Both generations are vulnerable to cloning techniques.
When USyd introduced its 2017 generation of ID cards, the vulnerability in the new card had already been publicly identified two years earlier, in 2015. This means that USyd introduced a card that was compromised from its inception. The vulnerability in the pre-2017 cards was originally disclosed in 2008.
According to its website, USyd’s security provider continues to supply the compromised cards, though it advises potential customers that the level of security offered is “low” and does not recommend their implementation in new sites.
The contactless card readers used by USyd are compatible with a range of contactless card types, including the most up-to-date and secure models of card, such as the one used by NSW Transport for Opal Cards, which are not vulnerable to cloning techniques. USyd could therefore issue new cards without the need to install new readers if it saw fit.
Under its current privacy policy, USyd threatens anybody who alters or tampers with their student card with prosecution. The anonymous source who drew attention to the vulnerability criticised this policy for failing to allow benevolent actors to responsibly alert the University to vulnerabilities in its security.
“I implore the University to implement a bug bounty programme or at least some way to allow the disclosure of security issues that impact the safety and privacy of students without risk of prosecution,” the source said in a statement to Honi.
A USyd spokesperson encouraged students and staff to take responsibility for the security of their own ID cards.
“Like most organisations using security cards, we are aware that under certain circumstances some cards can be ‘cloned’. The safety and security of our staff, students and the broader campus is critical and that’s why it’s important that all staff and students make sure their cards are secure at all times – a condition of use for all card holders,” the spokesperson said.
The University advised students in its weekly Student News email on the 25th of November — after Honi had approached them — to keep their cards secure “at all times, including over the holidays.”
It remains to be seen whether the University will upgrade to a newer generation of contactless card technology in 2020. However, according to the website of USyd’s security provider, the cost of the newer cards is “high”, compared with the “low” cost of the current cards, making it essentially a question of financial priority.