After a late-December Washington Post story revealed a nationwide epidemic of colleges quietly installing pervasive wireless location-tracking systems on campus, which gathered data on students without meaningful consent, inside and outside of class, broken down by protected categories such as race and gender, as well as on potentially invasive lines such as whether a student is from abroad, security researcher Lace R Vick (previously) tweeted an offer to students to explain how they could “dismantle such a system.”
In a followup Gizmodo article, Vick delves into the deficiencies with the notifications, consent and privacy policies associated with these services — which are a typical mess of overbroad grabs that are subject to change without notice, couched in deceptive language.
Vick also puts campus location-tracking in the context of campus information security, which is historically very poor, with low-quality passwords, a lack of access auditing, and interconnection of services and networks that allow both outside attackers and insider threats (such as a professor who wants to stalk a student) to operate with wide latitude and a low likelihood of being caught. Adding location-tracking to such a system vastly increases the risks of the kinds of cyberattacks that are already endemic to campuses.
For his finale, Vick explains what he would have done had he been an undergrad on a campus with such a system, including setting up fake beacons that record every student as being present in every class; using their own tracking beacons to create public league tables of which profs preside over classes that students are likely to skip; disrupting Bluetooth radio frequency bands to block all the tracking beacons; decompiling the app to analyze how the services share data and to see if there are strong protections to stop users from getting location-data on other people.
Vick also lays out how he could create rogue firmware for the location-tracking beacons, and deploy protocol analyzers to understand what kinds of information is being extracted and stored by the system.
He notes that some or all of this conduct could violate federal law and campus policies and could get students into serious trouble and Gizmodo specifically recommends that students not engage in this behavior.
Here, you might also learn enough to write your own app that can log in just like the real one and emit your own “I am here” signal. Maybe as a first step, you voluntarily collect the credentials of lots of other students for your custom app which can log in as all of them at once… then just hide this phone somewhere near the classroom to register all the time as all of those students at once.
Getting beyond the app… to learn more about the beacons, the best thing to do would be to find a sympathetic teacher willing to let you play with one, so you can learn how it gets firmware updates, intercept one, and take steps similar to those you would to learn about the API in the phone app. The ability to learn about the beacons themselves (which naturally have elevated privileges to report on more than one user at a time) would be ideal.
Assuming explorations on the endpoints like the phone app or beacon firmware fail you could still potentially learn useful information exploring the wireless traffic itself using popular SDR tools like a HackRF, Ubertooth, BladeRF. Here you potentially see how often they transmit, what lives in each packet, and how you might convert your own devices, perhaps a Raspberry Pi with a USB Bluetooth dongle, to be a beacon of your own.
How to (Hypothetically) Hack Your School’s Surveillance System [Whitney Kimball/Gizmodo]