Security Review: Husky Cards with Smart Card Technology
Summary
The Husky Card is a University of Washington student’s lifeline. It provides student identification, building access, public transportation, and access to monetary funds for use on and around campus.
Starting in 2009, the Husky Card will get an upgrade to smart card technology. This is in response to the local public transportation agencies’ ORCA (One Regional Card for All) project which implements an electronic fare system. Following implementation of this system, Regional Transit will no longer accept the current U-PASS stickers and will require smart cards.
Assets and Security Goals
- The Husky Card identifies of University of Washington students
- It provides access to Husky Card Account for accessing student funds for use on campus
- It allows unlimited use on Seattle-area public transport systems
- It allows after-hours access to campus buildings
Potential Adversaries
- Any person seeking to impersonate a student
- Any person seeking unauthorized access to campus buildings
- Any person seeking to illegally withdraw or use funds from a student’s Husky Card Account
Potential Weaknesses
- Small size. Card can easily be dropped or lost.
- Embedded Smart Chip broadcast range. An adversary may be able to scan cards in a crowd or during a pass-by to obtain information or locate an individual.
Potential Defenses
- Student photograph will be prominently visible on card to help avoid potential misuse by unauthorized individuals
- UW claims the Smart Card only has a broadcast range of a few inches[i], thus limiting potential unauthorized scans.
Risks
The addition of the embedded smart card chip in the Husky Card can lead to numerous issues involving student security. If the broadcast range of the chip is strong enough, students can be identified and tracked throughout campus or anywhere card readers are stationed. Should the UW decide to utilize this technology for use with the Husky Card Account, such as by implementing smart card payment readers in local businesses that accept the Husky Card, illegal account withdrawals and unauthorized purchases may be simplified since the Husky Card may no longer need to be presented to the merchant and may simply be waved over a reader instead.
Conclusion
All in all, the addition of smart card technology may not have a great impact on student security if the broadcast range is kept, as the UW states, to a couple of inches. Greater impact may be seen if the smart card technology is extended to the monetary functionality of the Husky Card.
[i] Husky Card Project. 16 March 2008. http://www.hfs.washington.edu/husky_card/default.aspx?id=953
Comment by alpers
March 16, 2008 @ 9:13 pm
I think you left a tag open in here or something. 😛
Also, Prof. Boriello talked a bit about this on RainyDawg late last year, it was fun listening to his concerns about privacy there. 🙂
http://thedaily.washington.edu/2007/10/15/what-about-radio-update-is-the-smart-card-too/
Comment by nekret
March 16, 2008 @ 10:58 pm
I wish there was some more information available on what information was going to be exchanged between the cards and the readers. If it was only a unique ID for that particular physical card, I wouldn’t be too worried about tracking since a new card would end the ability of an adversary to track you. Unauthorized scans are still a bit of a problem which could be mitigated by one-time use codes programmed into the card.
Comment by Robert
March 17, 2008 @ 12:37 pm
Thanks for the comments. The “tag” you see is actually a footnote marker that the system misinterpreted and I didn’t fix. 🙂
It’s very interesting to see the same concerns we have been talking about detailed in that article. It is shocking to me that, even though only a serial number will be transmitted, the UW does not seem to understand the ability to cross-reference that serial number to an individual just by hanging out at a bus-stop with a reader. Privacy is a serious concern to me but as I also pointed out fraud can also be a strong possibility and one that I do not know if the UW has contemplated.
Comment by alpers
March 18, 2008 @ 8:25 pm
The big thing that Boriello was worried about was the fact that all of this information about when the card was used would eventually be transfered to a master database where it would be stored for *three months*. I believe he and other professors from CSE drafted up a paper detailing the risks behind the original UW ID schematic.
Comment by Karl Koscher
March 21, 2008 @ 3:50 am
I’ve been looking into the ORCA cards for over a year now, and what we know is kind of scary. The cards are ISO 14443-complaint, with a fairly short read range, so I wouldn’t worry too much about surreptitious reads. What I do worry about is the fact that the card stores your last ten trips per transit agency, so someone with access to your card could determine where you’ve boarded the bus the last ten times. This could happen when you use another ISO 14443 card, like an RFID credit card, if you keep both in your wallet. Even more concerning is the fact that there will be a database of these transactions (which will likely keep the data for about six years, unless the law is changed), and UW will have access to it. So, they could easily track where you’ve been. They have talked about trying to do fraud detection by mining the data, but I think they’ve backed away from this plan.