How To (Hypothetically) Hack A University’s Surveillance System

This week, hacktivist and security engineer Lance R. Vick tweeted an enticing proposition along with a gut-punch headline: “Colleges are turning students’ phones into surveillance machines, tracking the locations of hundreds of thousands,” read the Washington Post link. The report revealed nearly instantaneous and sweeping adoption of smartphone-tracking platforms implemented in roughly 60 U.S. campuses, ranging from limited classroom attendance check-ins to pervasive 24/7 surveillance, mostly with fuzzy consent policies.

Vick countered with an offer to students:

If you are at one of these schools asking you to install apps on your phone to track you, hit me up for some totally hypothetical academic ideas on how one might dismantle such a system.

We’re always up for hacker class, so Vick supplied Gizmodo with a few theories for inquiring minds.

First, some context: one app, SpotterEDU–which purportedly has been implemented in around 40 U.S. universities–pings camouflaged Bluetooth tracking beacons installed in classrooms. When contacted by Gizmodo, SpotterEDU founder Rick Carter insisted that Spotter only looks for one specific classroom beacon during the student’s scheduled class time, only to log attendance and that the company doesn’t see data associated with students’ anonymised IDs. But we’ll have to trust him on that because SpotterEDU’s over-4,000-word privacy policy gives it wide leeway to go in a different direction.

SpotterEDU states that it reserves the right to modify the policy at their discretion, “so we suggest that you review the current Privacy Policy regularly,” which is, to say the least, a wildly unrealistic stipulation for a person with the option to do literally anything else. That privacy policy allows Spotter to “collect and infer your approximate location” even when students have turned off location tracking and for third parties to “set and access their own tracking technologies on your devices.”

Schools not only see students’ names, but they can also break down groups by “students of colour” and “out-of-state students”–a depressingly (apparently) marketable feature which, Carter told the Post, allows schools to home in on minority groups to evaluate “retention” data.

“We’re kind of a blank canvas; schools can use [Spotter] however they want,” Carter told Gizmodo. He said that students can manually log their class attendance, but it seems kind of unlikely (for whatever reason) that they’re taking that option or that it is presented as an option. Regardless, Carter says the adoption rate is 98 per cent among students. (Syracuse, University of Missouri, and Virginia Commonwealth University, which reportedly all use some kind of surveillance tech, were not available for comment over holidays.)

For an incoming freshman not planning on advocating for their basic privacy rights during orientation week, the sign-up process doesn’t make clear that this is optional, nor that they can turn it off. A user opts in to the app by entering a keycode, but prior to that, a pop-up screen instructs you to change your location services settings to “Always”. The privacy policy and user agreement are available only through click-throughs, and the user agreement seems to cover the company and the school more than it does the students (basically, don’t hack, don’t sue).

The arguably creepier surveillance system implemented by Degree Analytics doubles as a campus Wi-Fi network that tracks students’ every move unless they check “no” on an opt-out window offering to “support student success, operations, and security.” Degree Analytics not only tracks attendance, but it also monitors students’ movements from dorms to dining halls to ostensibly identify unhealthy behavioural patterns (sleeping too much, not eating, avoiding student life programs). Degree Analytics has not returned Gizmodo’s request for comment.

Granted, universities aren’t sovereign territory in the already-boundless corporate surveillance state. “Unfortunately, surveillance is becoming increasingly diverse, and, by the looks of things, there’s no way to avoid it,” Jay Balan, chief security researcher at Bitdefender, told Gizmodo. (Bitdefender is a security company and the inspector general of all systems hackable; they’ve found vulnerabilities in Windows machines, the Amazon Ring, and PayPal, to name a few.) But implicitly forcing surveillance on people with punitive measures, like class attendance records, is beyond the pale. “People should have the option to choose to be surveilled or not,” he said. “This is a fundamental aspect of privacy.”

Balan listed off several easily foreseeable scenarios in which relatively untested school-wide surveillance systems put data in the hands of faculty. An evildoer can carry out a man-in-the-middle attack on any network, injecting downloads with malicious code. An impersonation attacker could spoof a Bluetooth identifier. A bad teacher with access to location data could stalk a student; a good teacher with a dumb password could be easily hacked. “Say I’m a teacher, and my password is Whitney123,” Balan postulated. “Arguably, out of ten thousand students, someone is going to try that password.”

If school surveillance looks anything like school security, he says, a “password123” blunder ranks high on the list of probabilities; Balan calls the present state of security tech in public spaces like hospitals and university campuses “a disaster.” “The software and operating systems are outdated, and passwords are leaked,” he said. “Surveillance cameras are on the same network as other computers, and the access to that network would be the word ‘password.’ And by no means was this an isolated case.”

Balan said that at the least, companies should disclose their source code and offer a bug bounty program to head off underlying issues and perpetrators. “The vulnerability is there, and sooner or later someone is going to find it.”

Aside from the perennial question of why teachers can’t just use the stupid sign-in sheet and trust students not to blow their own money by skipping class, surveillance systems always present the same issues which are compounded by the rules, personal vendettas, and discrimination specific to community settings.

Lance Vick told Gizmodo that he worries that such apps could change their terms and conditions at any time, and users would have to accept in order to score the points the sponsoring organisation offers–passing a class, maybe.

Then, he noted, it’s possible that the app doesn’t accurately log times due to bugs or un-synced clocks, a problem which he’s seen pop up with automated traffic ticketing. Plus, he’s found that it’s quite common that small companies don’t operate their own security teams, leading to a high rate of flaws in their apps. Add to that the possibility that students who can’t afford smartphones will have to go out and spend several hundred dollars for the opportunity to put themselves at risk.

“This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine.”

While he cautions students to check out the legality of such a challenge, he has some food for thought.

Here’s Lance Vick on some hypothetical hacking that you (a student with a bright future who doesn’t want any trouble) should probably not do because you might be breaking the law:

If I was at such a school back in my early twenties, I would likely have gone directly for undermining the system to make an example of it. Students could reverse engineer the app to develop their own app beacon emulators to tell the tracking beacons that all students are present all the time. They could also perhaps deploy their own rogue tracking beacons to publish the anonymised attendance data for all students to show which teachers are the most boring as evidenced by lack of attendance.

If one was hypothetically in an area without laws against harmful radio interference (like outside the U.S.) they could use one of many devices on the market to disrupt all Bluetooth communications in a target area so no one gets tracked.

As far as practical steps one might take to start to understand and manipulate this system, you would likely want to start by getting the APK file for the Android app and attempt to run a tool like “dexdump” to decompile it back into something similar to the original source code.

From there, you can start looking for what servers it communicates with, how it identifies itself, and what types of data it exchanges. This often teaches one enough to write a simple script to log in to the system without the app and start exploring the API on your own and do things the app would not ordinarily let you do, like attempt to increment your user identifier to see if you can impact the accounts of other people.

This is often a process of lots of trial and error, and one can look at many CVEs found in other Android apps for ideas, as many software engineers tend to make the same mistakes. If nothing else, you could potentially just find a call in the API that takes a bit longer to come back than the rest. This tells you it takes some amount of processing on their side. What happens if you run that call a thousand times a second? Or only call it partway over and over again? This often brings poorly designed web services to a halt very quickly.

Here, you might also learn enough to write your own app that can log in just like the real one and emit your own “I am here” signal. Maybe as a first step, you voluntarily collect the credentials of lots of other students for your custom app which can log in as all of them at once… then just hide this phone somewhere near the classroom to register all the time as all of those students at once.

Getting beyond the app… to learn more about the beacons, the best thing to do would be to find a sympathetic teacher willing to let you play with one, so you can learn how it gets firmware updates, intercept one, and take steps similar to those you would to learn about the API in the phone app. The ability to learn about the beacons themselves (which naturally have elevated privileges to report on more than one user at a time) would be ideal.

Assuming explorations on the endpoints like the phone app or beacon firmware fail, you could still potentially learn useful information exploring the wireless traffic itself using popular SDR tools like a HackRF, Ubertooth, BladeRF. Here you potentially see how often they transmit, what lives in each packet, and how you might convert your own devices, perhaps a Raspberry Pi with a USB Bluetooth dongle, to be a beacon of your own.

Anyone doing this sort of thing should check their local and federal laws and approach it with caution. But these exact sorts of situations can, for some, be the start of a different type of education path—a path into security research. Bypassing annoying digital restrictions at colleges was a part of how I got my start, so maybe a new generation can do similar. 🙂
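The abuse cases Vick sketches (one phone registering many accounts, one account probing other users' identifiers, a slow API call being hammered) each leave a distinct trace in server-side logs. The following is an added example, not part of Vick's remarks or any vendor's code, showing how an operator of such a system could flag them; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample API log (assumed format, times treated as UTC):
# (time, device_id, session_user, target_user, endpoint)
LOG = [
    ("2020-01-06T09:00:01", "dev-A", 1001, 1001, "checkin"),
    ("2020-01-06T09:00:02", "dev-B", 1002, 1002, "checkin"),
    ("2020-01-06T09:00:05", "dev-C", 1003, 1003, "checkin"),
    ("2020-01-06T09:00:06", "dev-C", 1004, 1004, "checkin"),
    ("2020-01-06T09:00:07", "dev-C", 1005, 1005, "checkin"),
    ("2020-01-06T09:00:08", "dev-C", 1006, 1006, "checkin"),
    ("2020-01-06T09:01:10", "dev-D", 1007, 1008, "profile"),
    ("2020-01-06T09:01:11", "dev-D", 1007, 1009, "profile"),
    ("2020-01-06T09:01:12", "dev-D", 1007, 1010, "profile"),
] + [("2020-01-06T09:02:00", "dev-E", 1011, 1011, "report")] * 25

def shared_devices(log, window_s=600, max_accounts=2):
    """Devices checking in more than max_accounts distinct accounts per window."""
    seen = defaultdict(set)
    for ts, dev, user, _, endpoint in log:
        if endpoint == "checkin":
            t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
            seen[(dev, int(t.timestamp()) // window_s)].add(user)
    return sorted({d for (d, _), users in seen.items() if len(users) > max_accounts})

def id_enumerators(log, min_targets=3):
    """Accounts requesting records for several user IDs other than their own."""
    targets = defaultdict(set)
    for _, _, user, target, _ in log:
        if target != user:  # the server should also reject these outright
            targets[user].add(target)
    return sorted(u for u, t in targets.items() if len(t) >= min_targets)

def burst_callers(log, per_second=20):
    """(device, endpoint) pairs exceeding per_second calls in a one-second slot."""
    counts = defaultdict(int)
    for ts, dev, _, _, endpoint in log:
        counts[(dev, endpoint, ts)] += 1
    return sorted({(d, e) for (d, e, _), n in counts.items() if n > per_second})

if __name__ == "__main__":
    print("shared devices:", shared_devices(LOG))
    print("ID enumeration:", id_enumerators(LOG))
    print("burst callers:", burst_callers(LOG))
```

Detection of this kind complements, rather than replaces, server-side checks that bind every request to the authenticated account and rate-limit expensive calls.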

