Posted by: Shamus McGillicuddy
Shocking news: The RFID fare card system that the Massachusetts Bay Transportation Authority (MBTA) uses on its buses and subway is totally hackable.
This past weekend, three Massachusetts Institute of Technology (MIT) students (Alessandro Chiesa, RJ Ryan, and Zack Anderson) were supposed to deliver a presentation at Defcon, a hacker conference in Las Vegas, about how they hacked the MBTA’s “Charlie Card” fare card system. They wrote software for cloning the RFID cards, which could let them ride the transit system for free forever.
They made one mistake. Before delivering their presentation, they met with MBTA officials to warn them about the transit system’s insecurity and to offer tips on how to protect it. The MBTA responded by seeking and winning a court injunction, preventing the students from presenting their findings.
However, the injunction didn’t come through until after the students had already distributed copies of their PowerPoint presentation to all Defcon attendees. Those slides are now available online via The Tech, MIT’s student newspaper.
The slides reveal some very disturbing but unsurprising pieces of information. For instance, the turnstile control boxes in Boston’s subway stations are often unlocked and wide open. High-tech surveillance stations are often left unattended (I’ve seen this myself many times at the Back Bay T station). Official MBTA materials, such as MBTA inspector coat patches, MBTA hats and MBTA license plates, are available on eBay. The students were even able to find an unlocked room where the network switches that connect fare card vending machines to the MBTA’s internal network are located.
Was the MBTA trying to get hacked? Look at the photographs and see for yourself.
This should come as no surprise. After all, this is an organization that is running a $75 million deficit, despite a 27% fare increase in January 2007 and a 6.1% increase in ridership during the last fiscal year. Does anyone expect them to run a tight ship?
Any organization in Boston should be on its toes at all times. MIT is known for its hacking hijinks. Just look at the school’s own website, where you can find a gallery of Interesting Hacks to Fascinate People.