Posted by: The Weave
Well, this is embarrassing. Three MIT students write a paper on how to hack the greater Boston subway fare cards.
Said students are given an ‘A’ for their work and are booked to present at the annual DEFCON hacker conference in Las Vegas last weekend. The Massachusetts Bay Transportation Authority (known as the MBTA, the state agency that runs the subway) sues to keep the trio from presenting.
Filed in court to stop the presentation: Instructions on how to hack the MBTA fare system. Still available on MIT’s servers: The slide presentation to accompany the talk. This is really worth flipping through.
So not only did the MBTA’s lawsuit completely defeat its own purpose, it has also logged yet another example of the agency’s complete incompetence.
And this is why it deserves to be hacked.
This is life in Boston. Stalled trains, malfunctioning turnstiles and never-ending subway construction projects. And the physical security, as demonstrated by the MIT students’ slideshow, is a mess.
So why on earth should taxpayers and customers believe the agency has bothered to hire qualified consultants to take a hard look at the security of its fare cards?
This is a fine example of justified hacking. If these students hadn’t pointed out the system’s flaws, the MBTA might never have found them.
And they still might not fix them.
“There have been claims in the past that have been made against our card or other cards, and, happily, they’ve all been able to be dismissed or dealt with,” MBTA General Manager Daniel Grabauskas told The Boston Globe. “I’m confident it will be the same thing here.”
What’s startling is the simplicity of the hack, as presented by the three students. In Boston, riders pass a turnstile with a CharlieTicket, which is a card-like piece of stiff paper. Or they can use a CharlieCard, which looks like a credit card and includes an RFID strip. Many other subway systems – including London’s – use the same vendor for their fare cards.
To take the students’ instructions at face value, someone with less than $200 of up-front cash, moderate technical know-how and a little bit of time to kill could crack a CharlieTicket and ride free for life. The CharlieCard work looks a little more complicated, but by no means impossible.
To really dig into the details, go here (Hosted by Wired).
The only real problem with this hack is the kids themselves, or at least Zack Anderson, the 21-year-old Los Angeles native who spoke with the Boston Herald and appears in various photos from the slide show.
Anderson’s petulant anti-authority spirit is to be appreciated. But his claims that the students reached out to the MBTA with ideas to fix the security issues ring a bit false. After all, the slide show takes every pain to mock the MBTA.
And are we really to be impressed that Anderson, a college student, made a fake MBTA employee ID, which is on display in the slide show? Isn’t that what college students do?
And the MBTA claims the agency, not the students, made first contact. Consider also that the students aren’t the first to mess with the CharlieCard. A University of Virginia student made the same claim in February. These kids haven’t broken new ground. They just happened to get in the papers.
So as thrilling as it is to see the MBTA’s incompetence exposed, Bostonians wouldn’t be wrong to take offense at the giant joke it appears to be to Anderson et al. After all, these kids visit for school. They may have exposed a major subway security flaw, but they probably still have no idea how bad public transportation in Boston really gets.