Dear Editors of the Reed College Quest,
I am one of the sources for the recently published article on vulnerabilities related to the Reed ID system. The Information Security department sent out an email in an apparent attempt to address the issue before the Quest could release their story; however, it is very misleading and even flat-out inaccurate in many claims. Below is a line-by-line breakdown of the email and its issues.
September 28, 2023
Dear Reed community,
I’m writing to provide an update on a cybersecurity issue addressed by Reed IT last spring.
Although many issues were known, none of those discussed in this email were “addressed” in any way. I have seen no evidence that IT took any substantial steps to mitigate the issues until the Quest reached out earlier in September.
In April, one of our IT student workers discovered unique ID numbers displayed within the URL string of a directory web search within IRIS.
This is accurate; however, I have heard that Reed computer science students discovered the issue independently of the student worker.
With a directory ID number and the purchase of a swipe device (similar to what is used for hotel key cards), one can leverage this information to clone a Reed ID so long as they also have the IT programming skills, access to unique ID numbers, and access to additional swipe cards to clone.
By “a directory ID number,” this is referring to just knowing your own ID number, not some piece of internal information. The “swipe device” is readily available on Amazon for $90.
And to be clear, you do not need any “IT programming skills” to abuse this vulnerability. You can write a card using the software that comes with the card writer, and you don’t need to write any code to access the ID numbers on IRIS.
It’s unclear what is being referred to by “access to unique ID numbers” – a large part of the vulnerability was that you can get the ID of any staff member, faculty member, student or alum from IRIS, so knowing an ID number isn’t a prerequisite to cloning someone’s card.
We have addressed this vulnerability, and no one’s personal identity was compromised or is at risk.
This issue was not fixed. The ID cards still use the same format, where if you know someone’s Reed ID number you can create a clone of a swipe card. To fully fix this, IT would have to re-issue all magnetic stripe cards, which clearly has not happened.
Some parts of the IRIS vulnerability were fixed, but there still exist some endpoints, discoverable with a very basic knowledge of web development, that can still provide the same data as the original directory vulnerability.
Claiming that “no one’s personal identity was compromised” doesn’t make sense — we know that, for many months, a CSV file containing names, values easily convertible to a Reed ID number, and department/student status was accessible by visiting a simple URL and was downloaded by students. This file exists on multiple people’s hard drives.
Recently, we were also informed that a secondary vulnerability was discovered related to the mag swipe data on Reed ID’s that can be re-engineered using a known algorithm. We are coordinating a plan of action to address this issue.
The wording of this is very confusing and doesn’t align very well with the timeline of events. Presumably, IT is talking about the Quest reaching out about the vulnerabilities; they already knew about all vulnerabilities initially reported. After their initial attempt to fix the directory vulnerability, additional endpoints providing the same information were discovered and reported on Monday, September 25.
The issues with the magstripe data format are far simpler than implied here: there is no “re-engineering” to be done, and no “algorithms” that need to be used. The data on the magnetic card is quite literally just your Reed ID, name, and some padding data which is almost always the same on all cards.
Our practice is to address cybersecurity issues when they are presented to our IT teams. This usually happens by utilizing CVE reports, with continual scanning & patching of our IT environment and by individual discovery. New issues around Reed ID numbers may emerge in the future, and we will address them should they arise.
CVE reports are an industry-standard database of vulnerabilities found in widely-used software systems. Reed IT monitoring for new CVEs and applying patches to their systems is excellent and commendable; however, the vulnerabilities in IRIS would not show up in this sort of database, as IRIS is a system built in-house by the IT department. It’s unclear if Reed or an external party, such as Blackboard, the company that provides ID readers, is responsible for the issues with the magnetic stripe data format, but either way, it likely would not have been the type of issue to be included in a database of software vulnerabilities such as CVE.
To clarify, the IT team did *not* address the issue when it was initially presented to them.
Cybersecurity work is dynamic and ever-evolving. We live in a digital age where with the right skills and pertinent information, all technology systems within and outside of Reed College are susceptible to hacking.
While yes, technically, all systems are susceptible to hacking (see the attacks on smartphones of political dissidents by state-sponsored actors), this in no way excuses the vulnerabilities with Reed’s systems. Some systems are far easier to exploit than others, and this could have easily been identified and prevented.
I am incredibly proud of our Reed IT staff who work tirelessly to respond with urgency to all requests that present themselves and send a thank you to our IT student worker who had the time to wonder and to explore.
While initial parts of this vulnerability were found by an IT student worker, the issue was discovered independently by other students, and further, more severe issues were discovered by individuals who are not IT student workers. This was in no way simply the discovery of a single tech-savvy security enthusiast.
And again, this issue wasn’t addressed with urgency. It seems that many Reed IT staff members were kept in the dark, but some in the department knew about the issue for several months (at least) before addressing it when prompted by the Quest.
This is a good time to remind our community if your ID is lost or stolen, please immediately report back to community safety to ensure your ID is disabled and a new one is issued.
This is good advice; however, the issues with the magstripe format mean that it’s impossible to fully invalidate an ID card. If a bad actor with knowledge of the ID format found a lost card, they could bump up a counter to make the ID work again.
Chief Information & Security Officer