5/17/2023

Exploit defcon

We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network). This exploit was successfully demonstrated by Ken Pyle, a security researcher at, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14. In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.

FEMA strongly encourages EAS participants to ensure that:

- EAS devices and supporting systems are up to date with the most recent software versions and security patches.
- EAS devices are protected by a firewall.
- EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.

We value our partnership with broadcasters and appreciate your efforts to maintain public trust and confidence in the Emergency Alert System.

Contact the IPAWS Office at

This communication is provided by FEMA's Integrated Public Alert and Warning System's Program Management Office to highlight program announcements and does not endorse any non-government organizations, entities, or services.

If a computer science student has a scheduling conflict and wants to attend two different classes that occur at the same time, what should that student do?

In a session at the DEF CON 29 conference on August 7, Ph.D. student Vivek Nair outlined a scenario where a hack of the attendance system could, in fact, enable him, or anyone else, to be in two places at the same time.

Nair explained that many schools use an RFID-based attendance system known as an iClicker to track whether or not a student is present. The system includes a base station for each classroom or lecture hall, and then each student is required to carry a device, which can also be used to answer multiple-choice questions.

Nair noted that in the popular Harry Potter fiction series there is a magical device known as a Time Turner, which is used to help enable a student to be in two classes at the same time, via time travel.

"Without the luxury of magic, what is the next best thing?" Nair asked. "It is, of course, hacking."

Building a Time Turner to Exploit a Modern University

In his talk, Nair outlined how the RFID-based system was reverse engineered so he could learn how it works. With that knowledge, he realized that there was no encryption on the device transmissions and it could be possible to mimic a real device.

"It is hard to overstate how vulnerable the system is, and it's even more shocking that this exact model is currently used at over 1,100 universities, and in nearly 100,000 classrooms," Nair said.

Nair said that a clone device could be built using a low-cost Arduino electronics platform. He noted that the Arduino is a low-power technology that could be powered with a small battery.

By placing the custom Arduino-based Time Turner in a classroom, it could potentially mimic the actions of a legitimate device. That means it could enable a student to claim to be physically in a class that they aren't actually in.

Going a step further, Nair demonstrated how the custom Time Turner could also respond to polling quiz questions that a teacher might ask. The system is aware of all the other answers coming into the main base station in the classroom and can be set to automatically select the most common answer to submit, on behalf of the absent student.

"If I were more nefarious, what I could do is try to change the votes of my classmates," Nair said. "A vulnerability that allows me to change someone else's answer on the polling system is a major oversight."

Going a step further, he noted that if he were even more nefarious still, the Time Turner could be used to launch a denial of service attack, flooding the classroom's base station with hundreds of votes per second. That would quickly overwhelm the host device, eventually causing it to crash and making it impossible for legitimate students to submit answers.

The big problem with the attendance system has to do with authentication. Nair explained that the way the attendance system works is the student's device is just broadcasting its presence over a radio signal without any real authentication. He emphasized that the system lacked confidentiality, integrity, and availability.