A while back I got called on my cell phone by some rather unpleasant saleswoman who wouldn’t take no for an answer. Luckily, it’s possible to stop this sort of unsolicited advertising in Norway by registering in the Brønnøysund Register Centre’s “Central Marketing Exclusion Register”. However, much to my surprise, the online registration didn’t require more than my Norwegian social security number (ssnr) as identification. Now, why is this a bad idea? Isn’t your ssnr supposed to be your identification number and a secret? Well, your ssnr is secret, but ssnrs as a whole aren’t. The Norwegian ssnr is 11 digits: the first 6 are the person’s date of birth (ddmmyy), the next 3 are basically a counter over the births on that specific day (which also acts as a gender flag, since women are given even numbers and men odd), and the last two are a checksum. In other words, it’s easy to compute random valid Norwegian ssnrs.

I’ve written a small Java ssnr-calculator as a proof of concept. It’ll calculate about 80 valid ssnrs for a given date. The text parsing is a bit basic, so I can only guarantee valid ssnrs for actual dates between 1900 and 1999. Now, before you get any fancy ideas, logging onto the system with someone else’s ssnr might as far as I know be considered a crime since it can be interpreted as identity theft or something else entirely. And even if it isn’t illegal you really shouldn’t. Just don’t.

This means that while it may not be trivial to pin any ssnr to a specific person, it is trivial to find a ssnr belonging to some random Norwegian. Thus, it’s possible for an attacker to generate valid ssnrs and log onto the system as those poor sods and potentially change their status. A determined attacker can undermine the whole system by generating a large number of ssnrs and, using a botnet and some patience, changing a large number of entries. I’m sure the good folks in Brønnøysund have some nifty system logs and intrusion detection systems, but given enough time and bots for the attack, the poisoned entries could be made pretty hard to spot.

Now, this isn’t the most critical of systems. To put it into perspective, a few years back the Norwegian Internet banks had similar security holes, making it possible for an attacker to log onto random accounts. The system is nevertheless unnecessarily vulnerable, and can be taken down. However, there is an easy fix. As mentioned, it’s relatively hard to pin a ssnr to a specific person or the other way around*, so if the registration process asked for your name in addition to your ssnr, the possibility of a large-scale attack like this would be thwarted with minimum inconvenience to normal users. Life can be easy.
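A sketch of the server-side check this fix implies, added here as an illustration and not code from the register or from the proof of concept mentioned above. The registry contents, the function names and the failure limit are assumptions; the limit also blunts the targeted guessing described in the footnote.

```python
import hmac
import unicodedata
from collections import defaultdict

# Constructed registry: ssnr -> registered name. The ssnrs are deliberately
# not real (day "99" does not exist); a real service would query the
# population register instead of a dict.
REGISTRY = {
    "99019012345": "Kari Nordmann",
    "99027054321": "Ola Nordmann",
}
MAX_FAILURES = 5  # assumed limit per source before attempts are refused

_failures = defaultdict(int)  # source -> number of failed attempts


def normalize_name(name: str) -> str:
    """Fold case, Unicode form and whitespace so 'kari  NORDMANN' matches."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def verify_identity(ssnr: str, name: str, source: str) -> bool:
    """Return True only if ssnr and name belong to the same registered person.

    Every failure looks the same to the caller, so the service does not
    reveal whether a guessed ssnr exists in the register.
    """
    if _failures[source] >= MAX_FAILURES:
        return False  # locked out: refuse even a correct pair
    # Unknown ssnrs are compared against a dummy name, so both paths do
    # the same amount of work.
    expected = REGISTRY.get(ssnr, "\x00no such person")
    names_match = hmac.compare_digest(
        normalize_name(expected).encode("utf-8"),
        normalize_name(name).encode("utf-8"),
    )
    ok = names_match and ssnr in REGISTRY
    if not ok:
        _failures[source] += 1
    return ok
```

A production version would keep the failure counters in shared storage with an expiry, and would log refused attempts so that a spread of guesses across many sources still shows up.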

The Brønnøysund Register Centre was informed of the weakness a week before this post.

*It’s actually easier than one would think. In 2002, there were 55400 births, giving an average of 150 births a day. Thus, if you know the person’s date of birth and sex you’ll end up with about 75 possibilities, and expect to find the correct one in 32.5 attempts on average. Still, way too complex for a large-scale attack on a system like this. You can read more about the Norwegian social security numbers at matematikk.org.