When Erik Johnson couldn’t get his university’s mobile student ID app to reliably work, he sought to find a workaround.
The app is fairly important, since it allows him and every other student at his university to pay for meals, get into events and even unlock doors to dorm rooms, labs and other facilities across campus. The app is called GET Mobile, and it’s developed by CBORD, a technology company that brings access control and payment systems to hospitals and universities. But Johnson — and the many who left the app one-star reviews in frustration — said the app was slow and would take too long to load. There had to be a better way.
And so by analyzing the app’s network data at the same time he unlocked his dorm room door, Johnson found a way to replicate the network request and unlock the door by using a one-tap Shortcut button on his iPhone. For it to work, the Shortcut has to first send his precise location along with the door unlock request or his door won’t open. Johnson said as a security measure students have to be physically in proximity to unlock doors using the app, seen as a measure aimed at preventing accidental door openings across campus.
It worked, but why stop there? If he could unlock a door without needing the app, what other tasks could he replicate?
Johnson didn’t have to look far for help. CBORD publishes a list of commands available through its API, which can be controlled using a student’s credentials, like his. (An API allows two things to talk to each other over the internet, in this case a mobile app and a university’s servers storing students’ data.)
But he soon found a problem: The API was not checking if a student’s credentials were valid. That meant Johnson, or anyone else on the internet, could communicate with the API and take over another student’s account without having to know their password. Johnson said the API only checked the student’s unique ID, but warned that these are sometimes the same as a university-issued student username or student ID number, which some schools publicly list on their online student directories, and as such cannot be considered a secret.
Johnson described the password bug as a “master key” to his university — at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present — simply by sending back the approximate coordinates of the lock itself.
Read more on TechCrunch
Since the bug was found in the API, Johnson said the bug could affect other universities, though he didn’t check to see if he was right, fearing that would exceed the bounds of his account access. Instead he looked for a way to report the bug to CBORD, but couldn’t find a dedicated security email on its website. He called the phone support line to disclose the vulnerability but a support representative said they didn’t have a security contact and was told to report the bug through his school.
Assuming that the bug could be easily exploited, if not already, Johnson asked TechCrunch to share details of the vulnerability with CBORD.
The vulnerability was resolved a short time after we contacted the company on February 12. In an email, CBORD chief information officer Josh Elder confirmed the vulnerability is now fixed and session keys were invalidated, effectively closing off any remaining unauthenticated access to the API. Elder said that CBORD’s customers were notified, but Elder declined to share the correspondence with TechCrunch. One security executive, whose organization is also a CBORD customer, told TechCrunch that they had not received any notice from CBORD about the vulnerability. It’s unclear if CBORD ever plans to notify users and account holders — including students like Johnson.
Elder did not dispute Johnson’s findings, but declined to comment further when asked if the company stores logs or has the ability to detect malicious exploitation of its API. TechCrunch did not hear back after we requested to speak with a company spokesperson to answer our further questions.
It’s not the first time that CBORD had to fix a vulnerability that could have remotely unlocked doors. Wired reported in 2009 that it was possible to intercept a door unlock command and guess the next sequence number, defeating the need for an ID card.