The ease with which a computer hacker said he could exploit a campus identification and debit card system operated by more than 220 colleges nationwide has aroused little concern from schools because his intrusions involved vandalism more than outright theft.
Billy Hoffman, a 22-year-old computer engineering major at Georgia Tech, in Atlanta, used a screwdriver and a laptop to break into cables that connect that university’s Buzzcard debit system to washers, dryers and soda machines.
The Buzzcard, a Blackboard Inc. system, allows students to create debit accounts on their university ID cards, which can be used to gain access to buildings, as well as purchase snacks, supplies and services.
Virginia campuses using Blackboard said they are unconcerned because of the nature of the attacks that Hoffman planned to detail at a recent hacker conference.
“It was a physical hack more than a technological hack,” said Mark Gettys, the assistant director of auxiliary services at the College of William and Mary, which began using Blackboard’s system in 1996. The college now generates more than $200,000 each year in off-campus sales.
Gettys said the break-in would have been more alarming if Hoffman gained access to specific student accounts instead of attempting to manipulate service stations.
“If he was sitting behind a computer and transferring funds from Dave’s account to Anne’s account then it would have been a completely different story.”
Blackboard, a D.C. – based education technology company, filed for a temporary restraining order in DeKalb County Superior Court last month when Hoffman and co-defendant Virgil Griffith, a student at the University of Alabama, planned to detail their exploits at the InterzOne computer conference in Atlanta. A hearing on the case has been set for May 30.
“What we really objected to was the fear that he was trying to inject in our clients,” said Michael Stanton a spokesman for Blackboard. The company reported revenues of $69.2 million in 2002.
While Hoffman, known in the hacker world as Acidus, has been unable to discuss the specifics of the hack because of the restraining order, he had previously published the information on a Web site that is still viewable.
Because it was a physical break-in Blackboard says it was not part of the “white hat” hacking they normally employ to test system defenses. White hat hackers “are an important piece of the technology community, but I think you need to separate the issues,” Stanton said.
But Hoffman did show that physical implementation of the technology plays an important role in the overall security of the system. Because wires must connect each location with the main system, Hoffman suggests the use of tamper proof screws and more metal conduit piping to keep information more secure.