Honey, I canceled the laundry. – No factor authentication

How would you feel if you couldn’t wash your clothes ? Like , never ? Well, there’s a (web)app for that !!!

Let’s take things from the start : This post applies to people living in student accommodation offered by SSSB ( Striftelsen Stockholms Studentbösteder ) in Stockholm, Sweden. Well , most of them actually, specifically the ones in which the electronic lock and booking system provided by aptus has been installed already.

The situation : In the aforementioned housing establishments, external (and some internal ) ordinary door locks have been replaced with electronic proximity readers and keys . Those proximity keys are also used for booking (laundry) services , offered by the same company. Basically, when one needs to book a slot in the laundry rooms , he/she accesses the control unit, uses his/her proximity key to activate it and book the desired time slot. As advertised in the company brochures: “Communication between control unit and booking board is encrypted using 32-bit keys.” I’ll leave out the discussion about cloning proximity keys/cards, as it is irrelevant to the point of this post. For the time being, let’s just all assume that the proximity keys are clone-proof , the 32-bit key sufficient, and the communication is tamper-proof as implied.

The problem : SSSB, trying to be tech-savy and helpful , offers another way to access the booking system , provided again by the same company. It is a web application, built on asp.net where users can login and manage their bookings ( book, cancel , view ) without having to physically access the installed control unit. Hm, so what is the problem , you might ask. Login credentials. Aptus portal uses a username/password authentication system , which , although not without all the potential password related  problems ) can be considered a safe practice . I copy wikipedia’s wording : ” A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.” (emphasis is mine)  Well, SSSB went a bit over in their attempt to make things easy for users, providing themselves the username and password. What’s worse ? The username and the password is the same string. What’s worst ? The password is not secret, publicly available in many cases, and in worst case easily deduced. The string used as a username and password in the system is the object number of the apartment ( Hyresobjekt ) which is a 11 digit string in the form of abcd-efgh-xyz . The abcd part is the 4-digit code of the housing area ( for example , Lappkärrsberget has 7404 , Jerum has 1106 e.t.c. ) . The efgh part is somehow (not in a consistent manner from what I’ve seen ) deduced from the street number of the building and the floor number of the room ( en example room has 1308 because the address is xxxxxx 13, and it is on the seventh floor . The rooms on the sixth floor have 1307 and so on and so forth ). Lastly the xyz part is deduced from the room number inside the floor. Some correspond to the actual room number , so if the room number is 11 the code is 011 , some are deduced from some older ordering I guess . My room’s xyz part doesn’t correspond to my room’s number, but it corresponds to my kitchen cupboards number, which I suppose is a left-over from previous numbering schemes. Taking into consideration that the room’s object number is publicly available in the SSSB’s website when the room is open for biding , and that especially in some periods like August , SSSB updates the available rooms every 3 days, it shouldn’t be really difficult to deduce all the possible object numbers for all the apartments in SSSB premises. Worst case scenario, with only the abcd part available for each housing area , one could fire up his THC Hydra and get the valid object numbers from the successful logins. ***I’m not suggesting that you should go and do that ***.

Sure it’s not a life threatening issue , but it just comes to show how easily sophisticated access control systems can be circumvented due to bad design and implementation solutions. Your neighbor had a party at the night before your exam ? Well, no laundry for him in the next month ! Or worse, consider an automated script changing laundry booking times every hour for all the students leaving in SSSB ( That was up to 7000 rooms in 2000, sssb doesn’t have updated statistics but I guess it’s valid to argue that it is more than 10000 people ) . Really not convenient . 10000 students walking around with dirty clothes in the trendy and fashion-victim Stockholm , shouldn’t be that much fun ! One can go a bit further in the paranoia zone and claim that valuable information about the whereabouts of a tenant can be determined from the laundry bookings ( time of day that he/she is at home e.t.c. )

The solution : The solution isn’t that hard to implement. SSSB already has an authentication system for the website and a general sssb account, based on the personal number of tenants and a password. How hard can it be to connect that to the booking portal ? I contacted SSSB in October 2010 but after the kind reply from the helpdesk thanking me about my thoughts and assuring me that it will be forwarded to the people managing the system, nothing has been done , so I guess it’s fair to come out with the issue and let all interested parties know. I , for one, am already irritated enough by my bookings moving time slots “by themselves” often enough.

Keep clean 😉