Hacking the T: MBTA sues to keep MIT students from telling how they cracked the CharlieCard

UPDATE: The MBTA won a temporary restraining order that will keep the students from discussing their findings. Read the judge's order (in PDF). Read the MBTA complaint (in PDF).

Wired reports the T wants to stop three MIT students from giving a talk at a hacker convention this weekend on their efforts to crack the CharlieCard system.

The transit authority, known as the MBTA, is also seeking to prevent the students from "publicly stating or indicating" that electronic passenger tickets used on the transit system have been compromised until the MBTA can fix security flaws in the system. It further seeks to bar the students from releasing any tools or providing any information that would allow someone to hack the transit system and obtain free rides.

A hearing is scheduled for 11 a.m. in U.S. District Court in Boston on the T's request for a temporary restraining order to keep Zack Anderson, RJ Ryan and Alessandro Chiesa from giving a talk at the DefCon conference in Las Vegas on Sunday on The Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems:

In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway and show how we reverse engineered the data on the magstripe card. We present several attacks to completely break the CharlieCard, a MIFARE Classic smartcard used in many subways around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software-radio to read RFID cards. We survey 'human factors' that lead to weaknesses in the system, and we present a novel new method of hacking WiFi: WARCARTING. We will release several open source tools we wrote in the process of researching these attacks. With live demos, we will demonstrate how we broke these systems.

Human factors? So they managed to sweet-talk some T employees to inadvertently help them out.

Anderson told the Register the trio initially contacted the T to offer their help in fixing the vulnerabilities and that they weren't planning to release specific enough details to let somebody else replicate their feats.

    Human factors?

    "Human factors"?

    I understood this vague term to mean that they were identifying stupid decisions made by humans in choosing, configuring, monitoring, and/or (not) modifying the system -- not that they "sweet-talked" an MBTA employee. But I may very well be wrong.

    Didn't the story itself break many months ago? What has the MBTA done in the interim to deal with it? Or does the solution require a totally new card system?

    Different hack

    They're claiming they used completely different techniques than those used a year or so ago.

    Human factors

    For a hacker, "human factors" usually means social engineering. Calling up someone within the company and telling them that you are in IT and need their secure login and password to update their system and them giving it to you is a "human factor". A "human factor" for the MBTA would be like lying to one of the "ambassadors" about how it ate your card or something to have them put you through for free.

    Who needs these guys?

    Human factor #1) Lazy commuter rail conductors: Easily exploited. Don't buy a pass. Get on train. Done.

    Hack #1) Walk behind someone else: Easily exploited. Don't buy a ticket. Walk behind someone through the gate. Get on subway. Done.

    Hack #2) Scratch magnetic region on paper ticket: Easily exploited. Buy a CharlieTicket. Scratch the strip to make it dead. Insert, remove, insert, remove...observe annoyed bus driver and shrug. Get invitation to ride for free so as to unblock doorway and maintain schedule. Done.

    Hack #3) Get on at the back door: Easily exploited. Use the rear door of a green line train. Wave old ticket/pass (optional). Done.

    Who needs to reverse engineer the crappy RFID cards when there are so many ways they let you ride for free as it is? The MBTA fare collection system is a mess of a joke.



    Where were you when I was writing this post? :-)

    Yeah, what I should've written was something like:

    MBTA sues to prevent hacking of CharlieCards; ignores people already getting free rides the low-tech way.

    Where I was

    I was watching women's indoor volleyball. Sorry to have to say it, but they're a little more visually attractive than UHub on a Saturday morning. ;)

    Plus, you only get to watch this kind of quality play once every four years on TV. I think I'm going to have to hook up my old TiVo in my bedroom just to be able to tape all of the Olympic coverage on the NBCs. I'm going to be a zombie for the next 2 weeks as I try and get my fill of live coverage in the middle of the night here.

    It's a shame more channels don't realize the potential in handball, badminton, shooting competitions, and other sports that aren't baseball, basketball, or football. I'm already anxious in anticipation of more curling on the tube...just 2 more years!!

    from volleyball foxes

    to the women's weightlifting, to women's soccer. I'm pleased with all the women's sports that were on today.


    Serious response

    So, I'm wondering. Are the lawyers being put on this suit hired as-needed or on staff? If these guys were getting a paycheck no matter what, then I guess there's no harm in putting them to some use with this lawsuit...but why does the MBTA have a standing set of lawyers? If these guys are outside hires because the MBTA had some desire to go with this lawsuit, then this is yet ANOTHER example of how the MBTA completely mismanages its problems.

    I see companies do this all of the time too; it's sad. Practical solutions are never sought and money isn't spent on engineers or other problem solvers. Instead some manufactured issue from someone on the business side of the company is brought up and suddenly money is no object, with lawyers, consultants, and other "problem solvers" being paid huge contracts to decrypt the nonsense from this business person and "solve" the problem. Considering the tremendous hole that the MBTA finds itself in, you'd think it would look at how to get BASIC fare compliance higher rather than worry about the 10 nerds who will have the know-how and willpower to actually hack an RFID chip.


    Brilliant Response

    This is a great response, and so true. Except that if there is an "ambassador" there, Hack #1 can bite you in the butt. Unless it's one of the lazy "ambassadors" who could give a rat's ass about people following others in.

    And as for Hack #2, that's risky, because at many stations, it's hard to actually find an "ambassador." I suppose then you could resort to Hack #1, though.

    And re: Hack #3, do they open the back doors on the Green Line at surface stations now? I know they do on some buses at major stops, but I always thought that the Green Line only opened the front doors when above ground.

    Green line

    It's the discretion of the driver. They can open all doors and just let everyone on; open all doors and request people to come forward to pay; or open only the front door.

    When it gets packed, they will often open all doors just to keep moving. Some stations, like Coolidge Corner on the C line, have pre-check machines and they'll open all doors expecting you to have used the receipt machine to pre-check your pass for that ride.


    who ought to be footing the bill here

    I wonder if the manufacturer(s) of the equipment are indemnified by the contract or whether they're liable for defect and responsible for fixing the problem.

    The T is seeking a temporary restraining order, which may be to buy time to fix the security hole. The T has its own general counsel and uses outside counsel too, which is common.

    I don't think anyone is trying to permanently silence what was learned by the researchers. In fact, that is the information that is needed to make the products more reliable.

    I agree the manufacturer, who is the for-profit entity in this business deal, and who made the product specifically to secure access to the T for paid patrons, ought to be footing the bill here unless they got protection against such responsibility in the contract.

    I suggest we commence

    I suggest we commence bombing MIT on Tuesday (I'm taking a long weekend). Their students have been nothing but a big pain in Boston's butt over the past year or so with their fake bombs and hacking the MBTA.

    How fast can we get a B-52 bomber up here?

    I read the slideshow, and it

    I read the slideshow, and it doesn't amount to a step-by-step guide by any means. If you really know what you're doing you can probably reproduce their results, but it's quite likely that they've left out important steps and introduced intentional errors. I'd rather have some MIT kids make the MBTA stand up and take notice than have some commercial hackers come up with the same stuff and sell it to everyone.

    Do you have any idea how important MIT is to the economy of Cambridge/Boston? They could start stealing entire red line trains and still be an overall financial benefit.

    My comment was mostly tongue

    My comment was mostly tongue in cheek.

    That being said, just because someone contributes to the economy doesn't make it OK to cause trouble for the rest of us.


    I don't find that remotely funny

    As someone who works at MIT in a completely non-hacker capacity, I have to tell you I found your comment disturbing and not at all funny. What is wrong with you? How is making a presentation about the MBTA's security flaws "causing trouble" for you? And how would potentially killing thousands and thousands of innocent people fix that trouble for you?

    My favorite part is how you describe your sick comment as "mostly" tongue in cheek. So, while you "mostly" don't condone someone committing an act of terrorism on thousands of innocent people, there is also a big part of you that is A-OK with that? Classy.

    A common but useless technique

    It's common for operations that have really bad security to resort to lawyers to keep it from being known. Since the invention of blogs, that technique usually backfires and makes the weaknesses more widely known. In this case, though, the students may have made a serious mistake; the MBTA alleges that they got unauthorized access to T computers. If that's true (which it may or may not be), they went clearly outside the bounds of legitimate code-breaking analysis and could be in serious trouble.

    I doubt that any MBTA employees know how the card encryption works; the "social engineering" may have been to get their hands on special employee cards which have no limit, or something of the kind. Depending on what they did, that could also show they went out of bounds.

    On the other hand, some operations sue reflexively and allege anything they can imagine. We'll have to wait and see.

    The low hanging fruit of T "security"

    The Tech has thoughtfully posted a copy of the slides from the talk, which has been cancelled because the MBTA got its temporary restraining order. Before the authors even get to the fun deconstruction of CharlieCards, they discuss some of the issues Kaz brought up here: "There is always a free way to get in." You know, stuff such as unmanned Charliegates, unlocked doors and unlocked turnstile control boxes. This is followed by some human-engineering fun, such as buying old T uniforms and hats off eBay to make yourself look like you belong where you are.


    More discussion

    I've posted some additional commentary here.

    Who designed this thing, anyway?

    TJIC, a computer engineer, starts to read the vulnerability assessment the MBTA included in its court filings:

    ... I'm only halfway through it, but my opinion so far is that the idiots who designed this couldn't have passed a sophomore year course on security engineering, and/or haven't read even a quarter of the cryptography and security books that I, a non-security engineer, have read. ...

    Wow... 6-bit checksum

    Wow, whoever they hired to make this system should be sued, not these MIT students.

    I still love the fact that all of these turnstile switches are being left unlocked. Makes me want to keep my eyes open to see one left alone and just flip the switch to let everyone in for free until the "ambassador" figures out what the hell is going on.

    Also, I hope someone starts sniffing credit card data from the MBTA as outlined by the MIT students. Then maybe the state could join in a class-action lawsuit against the MBTA and absorb it back into a wholly public agency. It's really sad that making the MBTA a part of state government would actually improve it at this point.