“I’m not a number, I’m a free man,” said Number 6 in the series called “The Prisoner” (for the oldest amongst us). The series was broadcast in the Sixties, but we have to admit that, still today, we are only numbers! And this will get worse in the coming years.
Personally, I’m not against being a number if controls are properly implemented. Numbers are easy to index, sort and search. Numbers are a good way to identify things or people, but they can easily be spoofed. As Wikipedia says:
“In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data (in this case the number) and thereby gaining an illegitimate advantage.”
My daughters are also numbers! Sometimes they arrive at school early in the morning or stay a little longer after the regular hours, depending on our agenda. The school offers a day care service to welcome kids waiting for their parents. Of course, this is not free of charge. Previously, we had to buy (in advance) paper tickets with time slots, which were filled in by hand every time my daughters used this service. One day, they came back home with a new keychain like this:
Of course, my first reflex was to scan the QR code. For both, it returned just a simple integer. Note that I took a picture with a good resolution; feel free to scan the code yourself to check (it is safe ;-)). Then I asked my kids for more information:
Kid0: “Our supervisor has a mobile device like Mom’s; she scans the small drawing and asks us to confirm our name…”
Me: “And do you have to type something on the little device? Another number?”
Kid1: “No, we just have to say if our names are correct.”
Basically, from the information I gathered, the school now uses an application running on an Android device. Each student has an integer ID printed in the QR code. The application scans the code, performs a lookup in its database and displays the student's information. Then the supervisor just presses an “accept” button to record the time. Based on this data, they generate monthly invoices. This is a dumb time management application, and “dumb” is the right word.
The implementation of the solution is a big fail for multiple reasons:
1. The keychain protecting the QR code is sealed with scotch tape! It is very easy to replace the QR code with a rogue one without breaking the plastic (physical security).
2. Given the school size (hundreds of students), it is easy to pick a random integer and print a rogue QR code (spoofing).
3. Training kids to do some social engineering is funny. They will answer “yes” to the question about their name.
Although it would be very easy (and tempting!) to get the registered time credited to other families, I did not test it, mainly because I don’t want to involve my kids in bad practices like this. Anyway, I explained to them what the problem was and they understood. That’s the key point for me! It was also very tempting to add some SQL code in the QR code or any other common attack.
My recommendation to the developer of this application: keep in mind that identification is not authentication. Identification is the act or process of recognizing a valid identity of somebody or something. Authentication is the process of verifying the claimed identity. You must implement an extra control to authenticate the user, like a PIN code. Asking for a verbal confirmation is not safe.
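To make the identification/authentication distinction concrete, here is an added example (my own code, not the school's application, whose internals I do not know). It models the check-in flow described above with a constructed in-memory student table: `identify()` does what the scanner apparently does today (a bare integer from the QR code is enough to get a name back), while `authenticate()` additionally requires a PIN that only the family knows, stored as a salted PBKDF2 hash and compared in constant time, with a lockout after repeated failures. The scanned payload is validated as a plain decimal integer and passed to SQLite through a parameterized query, so text smuggled into a QR code never reaches the SQL engine. Student IDs, names and PINs are constructed values.

```python
"""Check-in flow for a QR-coded day-care badge: identification only versus
identification plus PIN authentication.  Added example, not the school's app;
all IDs, names and PINs below are constructed."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000   # slows down offline guessing of a leaked PIN hash
MAX_ATTEMPTS = 3          # wrong PINs tolerated before the badge is locked


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the PIN; the plain PIN is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table: integer ID (the QR payload), display name,
    per-student salt, PIN hash and a failed-attempt counter."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, "
        "salt BLOB, pin_hash BLOB, failed INTEGER DEFAULT 0)"
    )
    for student_id, name, pin in [(1042, "Kid0", "4711"), (1043, "Kid1", "2580")]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO students (id, name, salt, pin_hash) VALUES (?, ?, ?, ?)",
            (student_id, name, salt, hash_pin(pin, salt)),
        )
    conn.commit()
    return conn


def parse_badge(payload: str):
    """The QR code is expected to carry a bare decimal integer.  Anything else
    (letters, spaces, SQL fragments) is rejected before touching the database."""
    if not payload.isdecimal() or len(payload) > 9:
        return None
    return int(payload)


def identify(conn: sqlite3.Connection, payload: str):
    """Identification only: a known ID is enough to get a name back, so any
    valid integer in range is accepted.  This is the weak flow the post describes."""
    student_id = parse_badge(payload)
    if student_id is None:
        return None
    row = conn.execute(
        "SELECT name FROM students WHERE id = ?", (student_id,)
    ).fetchone()
    return row[0] if row else None


def authenticate(conn: sqlite3.Connection, payload: str, pin: str):
    """Identification plus authentication: the claimed ID must be backed by a
    secret the family knows.  Wrong PINs are counted; a locked badge stays
    locked even for the right PIN until an administrator resets the counter."""
    student_id = parse_badge(payload)
    if student_id is None:
        return None
    row = conn.execute(
        "SELECT name, salt, pin_hash, failed FROM students WHERE id = ?",
        (student_id,),
    ).fetchone()
    if row is None:
        return None
    name, salt, pin_hash, failed = row
    if failed >= MAX_ATTEMPTS:
        return None
    # constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(hash_pin(pin, salt), pin_hash):
        conn.execute("UPDATE students SET failed = failed + 1 WHERE id = ?", (student_id,))
        conn.commit()
        return None
    conn.execute("UPDATE students SET failed = 0 WHERE id = ?", (student_id,))
    conn.commit()
    return name


if __name__ == "__main__":
    db = build_db()
    print("identify 1042      ->", identify(db, "1042"))          # Kid0
    print("identify garbage   ->", identify(db, "1042 OR 1=1"))   # None
    print("auth 1042 / wrong  ->", authenticate(db, "1042", "0000"))  # None
    print("auth 1042 / right  ->", authenticate(db, "1042", "4711"))  # Kid0
```

The point of the two functions side by side: `identify()` answers the question “which record does this badge point at?”, which is all a bare integer can do; `authenticate()` answers “is the person holding it entitled to that record?”. In a real deployment the PIN would be typed by the child on the supervisor's device rather than spoken aloud, and the lockout counter would be reset by staff after checking the child's identity by other means.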
To conclude, do not blindly accept new developments without first checking what is going on behind the curtain!