Social Engineering Your Way Into a Dorm Room

By Chad at 6:24 pm on January 13, 2008 | 8 Comments

It is shocking to learn that while the University of Washington Housing and Food Services own nine residence halls with a total capacity of nearly 5000 students, the security barring access to individual students’ rooms can be compromised with little more than a little research and a good story. For the first homework assignment, I reviewed the security of the dorms. I thought of ways to get into other residents’ rooms and found that it wouldn’t be as difficult as one might hope. I tried the “attack” on myself, trying to gain access to my own room. It’s not surprising that I got into my room (in fact it’d be more surprising if I couldn’t), yet the attack could be used against others, especially those the adversary knows well.

All the dorm entrances are protected with card readers. Yet, anyone who has lived in the dorms knows how easy it is to tailgate your way into the dorms. When my girlfriend lived in the dorms, she only had to come let me in two or three times. The rest of the time I would tailgate my way in. It wasn’t difficult at all. No one likes to be the rude person to quickly close the door behind them. Even if you get to the door and there’s no one to follow, it’s easy to wait until someone gets there and then fumble around in your pocket when they do. Assuming you can’t find your card, they usually take compassion and simply open the door. An “I forgot my card” works even better.

While getting into the residence halls may be easy, getting into someone else’s room seems at first a lot more difficult. Yet this last week, while reviewing the security of everything, as Yoshi prompted us, I began to doubt the security of my own room. From lecture and the readings, bump keys and lockpicking were fresh in my mind, and although this would work, I felt that the neighboring residents may become curious of the pounding noise as you learn how to bump. But what if the adversary had a key that fit my lock exactly? Could they get this? How?

The answer was so simple, it scared me: Ask for it. Other than a little research, that’s practically all they’d have to do. Let me backtrack. When a resident looses their key, or locks it in their room, they go to the front desk and ask for it. So, to test how hard it would be for someone to impersonate me, and gain my key, on my way to class I stopped at the front desk and asked for it.

“Do you have your Student ID?”
Me: “No, it’s locked in my room.”
“Ok, I’ll need you to fill out this form.”

She handed me a form that asked for name, hall, room number, phone number, my signature and the date. She took the form behind the desk, talked her supervisor, and a few minutes later came back out with a few “security” questions.

“What is your student ID number?”
“What is your birthday?”
“Who was your room mate last year?”

I was shocked at how easy these questions were. I have very little doubt that my roommate from last year would have any trouble with these questions, especially the last. The best part is that after answering the questions correctly, she not only handed me a key to my room, but also a key card to get into the building. Now the front desk was waiting for Chad-the-Resident to return the key, yet Chad-the-Resident had no idea that he had checked out a key nor did he have any reason to expect the fine for not returning it. Chad-the-Adversary had the key and a key card to the hall.

Student ID numbers are commonly tossed around, in fact, later that same day I had to sign up into a group for one of my courses. The TA required us to put down our name, student ID number and the group number we wanted to be in. Birthday’s are also easily obtained just by asking or perhaps by looking it up on facebook. And the name of your last room mate would probably be well known by your circle of friends.

Now, maybe there are cameras watching the front desk or the employee at the front desk checked my signature, yet it still was quite shocking that I could have greeted my last roommate with a hello and then handed him a key to his own room.

Filed under: Ethics,Miscellaneous,Privacy8 Comments »


  • 1
    Get your own gravatar for comments by visiting

    Comment by Sharon Denham

    February 1, 2008 @ 8:27 am

    Security seems to be an on ongoing problem; it seems that each time we find the solution to the problem a new one arises!!!!

  • 2
    Get your own gravatar for comments by visiting

    Comment by ashok

    February 1, 2008 @ 8:32 am

    I am tired of all the security questions, IDs and password. Why don’t we ave biometric systems. I just stick my finger in the hole and it recognizes me through my unique finger print. Done!

  • 3
    Get your own gravatar for comments by visiting

    Comment by lazer epilasyon

    February 20, 2008 @ 4:12 pm

    yes very nice point thanks.

  • 4
    Get your own gravatar for comments by visiting

    Comment by Karl Koscher

    March 20, 2008 @ 12:09 pm

    HFS has some strange policies. While I’ve never lived in the dorms, I’ve heard that if you check out a vacuum cleaner, you leave your Husky Card with them and they loan you another card to use the elevators. I’m guessing that those cards never expire, and give you access to all sorts of things. They’re certainly not hard to clone (you can read them with the final CSE 370 project), so if you happened to clone one, you could potentially have dorm access for a very long time.

  • 5
    Get your own gravatar for comments by visiting

    Comment by Will

    March 21, 2008 @ 5:27 am

    Most of the ease of cracking these processes stems from how often people in college lock themselves out and how much more time it would take to ensure that you are who you say you are.

    Your own room break-in required you to forge a signature and pose as someone else. This is pretty serious and schools are not exactly the police if u know what I mean. The job of campus security is different from the police. The ultimate goal is not always perfect it is mainly to maintain the good image of the school.

  • 6
    Get your own gravatar for comments by visiting

    Comment by Quine

    March 21, 2008 @ 9:44 am

    Believe it or not, this is an improvement over previous UW security methods. Back around 2001 (my freshman year), all they required was someone’s Husky card to hold while you had the keys. So two people would go up, one would claim to be and locked out and the other one would put up his id. A record of the lockout was made, but not of the id provided.

  • 7
    Get your own gravatar for comments by visiting

    Comment by Quine

    March 21, 2008 @ 9:47 am

    Even the keycards are an improvement, cloning aside. With real keys, they wouldn’t replace the outdoor locks every time someone lost a key, so for a whole $5 per dorm, you could get your own key that worked for any dorm you had a friend in for the rest of the year. And even changing the locks yearly was a new procedure as of 2002ish.

  • 8
    Get your own gravatar for comments by visiting

    Comment by Scott Wright

    April 15, 2008 @ 1:27 am

    This is an interesting topic. I’m not sure how much the actual door hardware has changed, but when I lived in a dorm, the universal room key was a margarine container lid with the lip trimmed off. Almost any room could be carded in less than a minute. So, changing locks wasn’t the issue. They should have deadbolts, or other safeguards against carding.

    Also, don’t forget detection is sometimes more cost-effective than prevention. Perhaps this is the case in a college dorm where tenants can change every few months. Somebody mentioned video surveillance, which may help, but would have to be more than a high corner angle in the lobby. My guess is that students of privacy protection would start to become the adversary, as they would for biometric solutions.

    It’s a tough problem. Awareness goes a long way as both a deterrent and detection safeguard; especially for the key recovery staff of the dorm.

    – Scott

RSS feed for comments on this post