- cross-posted to:
- technews@radiation.party
- cross-posted to:
- technews@radiation.party
If teens can hack your stuff, you should be really thankful to find out they did, because our stuff is insecure as fuck then.
Better our college students than nefarious actors.
“Known MBTA security flaw remains unpatched after being publicly disclosed 15 years ago. Boston mad. More at 11.”
Given how natty the Boston tubes are people should get paid to use them.
The orange line is offended by this remark and wipes vomit on you in protest.
I’ve been in multiple fantasy football leagues over the years that have had teams named “Orange Line Jumper”.
The worst part is that Boston is ranked like #3 for public transportation in the US (yes, even including the fires). The average commute time on a route is like 30 minutes faster than the national average for public transportation, and somewhere around 50% of Boston’s workers use the T to commute every day.
Last time I visited Boston was 10 years ago for a conference. It was already falling apart back then.
I don’t think it’s gotten better since. I visited Boston back in late 2019, and it was gnarly. See I’m used to the Stockholm tubes, bright, colourful, artwork everywhere, clean-ish floors, elevators that smell of piss.
Boston by comparison was dark and grimy. The carts were super old, and the speaker probably hasn’t worked well since the 70s or so. Couldn’t make out a word of what the announcer said.
People were nice though! I almost fell over on someone, and they were pretty good natured about it!
Boston is outwardly grumpy as hell.
But you need to watch the video of tbe Boston bombing, 3 seconds after the explosions it was like doctors were climbing out of windows and just swarming to take care of people.
That’s how it is, grumbly till you need something, then the best people in the world.
But you need to watch the video of tbe Boston bombing
Those aren’t words one usually expects to read.
I’d moved away a few months earlier, the whole thing was like a stab in the heart, kid was found in a boat down the road from where I lived.
But the way the town united was incredible, never seen anything like it, made me remember why I loved it so much.
Bombs barely stopped echoing, every hand was helping someone, nobody was even confused they just jumped into action like it was a drill they’d practiced for 100 times.
That’s New England in general. Don’t talk to me, asshole you need a hand?
Article text:
Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides—and This Time Nobody Got Sued Andy Greenberg 8 - 11 minutes
In early August of 2008, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.
In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.
They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.
Bertocchi skips to the end of the story: “They didn’t.”
Four young people posing together
The Boston subway hackers (from left to right) Scott Campbell, 16; Noah Gibson, 17; Matty Harris, 17; and Zack Bertocchi, 17.Photograph: Roger Kisby
Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s Charle Ticket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.
To demonstrate their work, the teens have gone so far as create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:
In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters earlier this year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.
The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”
“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA’s fraud detection team has increased monitoring to account for this vulnerability [and] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”
The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.
Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.
The hackers figured out how to reproduce a “checksum” calculation intended to prevent the value stored on CharlieCards from being changed, circumventing that anti-hacking protection.Photograph: Roger Kisby
By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.
Not long after they made this breakthrough, in December of last year, the teens read in the Boston Globe about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android Phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.
Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.
In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” say Bertocchi.
The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.
“We’ve had some of our cards get disabled, but most get through,” adds Harris.
So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”
For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.
He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”
Update 5 pm ET, August 10, 2023: Added a statement form an MBTA spokesperson. Update 11:25 am, August 11, 2023: Clarified when the teens’ meeting with the MBTA took place.
Ouch, so the new system will be account based. Say goodbye to your privacy.
Unfortunately, that does seem to be the easiest solution.
Though how much that imposes on your privacy depends on how they implement itThere is no saving privacy. If it was me, I would keep everything the same, except have the checksum tied to an account and it can be checked and updated remotely.This way, most of your transport usage informed would not be stored. In theory they could still log when the checksum is checked or changed by an official machine, leading to a vague idea of when you travel.
The points of attack would then be:
- Somehow spoofing an official machine to talk with the server and modify the stored checksum. Very difficult if done properly.
- Cloning someone’s card and using their account credits. Relatively easy to do. To prevent this they would have to implement usage tracking so the users can check for fraudulent activity. And there goes privacy.
I appreciate your detailed reply, but I believe the fight for privacy is not over. It takes a lot of time, dedication and money to fight for privacy, but it must be done.
I’m glad MBTA were more accommodating to the high school hackers.
I’m also glad there’s bug bounties and a process that connects ethical hackers and rewards them. And any company that retaliates against a security concern from a ethical hacker should burn.
High schoolers should all get free public transit access anyway.
We do here in seattle/king county washington
FWIW the MBTA does offer a heavily discounted student pass called an “S Card”. There is also an “M7” pass that is subsidized by schools (free to students), but it’s opt in by school or program. It would be nice if it was free, but it’s something.
I guess I am just and old grinch, but I feel like this is written to feel more epic and crazy than it really is, and to accuse the subway engineers of incompetence, rather than what seem to be a conscious architectural decision.
The subway system basically encodes how much money you have on your RFID card, and merely overwrites that value when you recharge it or use it. To me, this sounds like a cost-saving measure and a cheap way to have a fault-tolerant system. It is vulnerable to hackers tho, sort of by design. The alternative is to build a very complex and expensive centralized system with higher maintenance cost and points of failure. Both options work, but it is a tradeoff.
To me, the reason they didn’t want word of this to get out is because the system is really good at doing what it is doing otherwise, and the small amount of fraud is probably costing them less than having to build a centralized system.
Kudos for students to even figure that out, but the feat in itself is almost equivalent to learning how to print counterfeit tickets to trick a clerk. It feels more crooked than technically impressive. Those responsibles for the system already knew of this “flaw”. They just don’t need the instructions how to make counterfeit cards out there.
The flaw is that the checksum is so bad.
I knew someone who worked at a company that handled e-payments for a certain service (purposefully being vague). They’re system functioned similar-ish to what you describe, but it also checked the amount on the card with the amount on a database, and also kept a history both on the card and on the database. If they all didn’t match up, they knew there was some tampering going on.
Those 4 teens should get a scholarship for this, paid for by mbta’s IT security budget.
Those 4 teens should first fix mbta’s IT issues. It sounds like they are smarter than the folks at mbta.
It probably has less to do with how smart the MBTAs IT team is and more likely how much the MBTA is willing to spend on IT.
I dunno about that. There’s a difference between people who can find flaws and people who architect systems.
That’s like saying a escape artist should be in charge of building the prison. Ideally they work together and provide both perspectives.
It’s amazing how much NFC stuff is still badly done - and how bad the response to discoveries is. I recently got a police report filed against me here in Finland for pointing out that guarding personal details of kids and parents on a phone used in daycare by an empty tag, just by the tags UID is probably a stupid idea.
It doesn’t surprise me, the vendor probably thinks they’re Agile, their team delivered a Minimum Viable Product and then their Management sold it. Security was always meant to be in a future Sprint.
If that model works for web services, it ought to work for anything, right?
Merriam Webster defines “agile (technology)” as “synonym for trash”.
Agile, their team delivered a Minimum Viable Product
I guess that’s kind of what got me into this mess.
They have some shitty web application where you’re supposed to log times your kids will be in daycare. I logged in, looked around - and told the wife she can chose to log times herself, or tell daycare to do it themselves. I’m paid to deal with broken shit in my main job, I’m not doing that for free in my spare time.
At that point I assumed the web app was some prototype their intern had thrown together for the sales pitch, and they were now desperately trying to get it functional - to my surprise I later learned that it was an older product, with quite a few customers already.
Few weeks later wife came back upset from kindergarten over an argument about missing times - which forced me to actually deal with that dungheap, and prompted me to have a closer look at other components, like the android app they’re using on their phones as well. There’s a lot of stupid beginners mistakes in all components - not necessarily exploitable, but I also didn’t really check as in my opinion the tag thing would be sufficient to have this taken out of use.
Reading the article it seems they made two mistakes. The first was to make the card authoritive instead of having a account data to ensure the information matched. The second was to use a proprietary checksum algorithm instead of using an open secure signature method.
I’d put money on the information they’re holding back being details on the checksum algorithm.
Doesn’t having an account require an online system? By making the card authoritive you can build and offline system.
It wouldn’t need an account. The card can have all the data (in case it is used in an offline situation) but also have a unique serial number.
So when an official ticket machine charges the card, it also logs the balance/tickets on the card with that ID in a central database too. Yes, it needs to be “online” within their own network. But, I’d be concerned if a large city transit didn’t have their own network already.
Whenever it is used, provided the ticket reader has a connection it would be verified against the stored record. If the connection is offline then it uses the local stored information.
I do wonder in a transit system like this what the advantage to an offline system is. If someone works out your “CRC32 except I xored the result with 1337” algorithm, then you’re boned and a lot of kit is “offline” and thus cannot easily be upgraded too.
If there aren’t enough people that are knowledgeable enough to take advantage of something to have an impact on revenue, then you just ignore it.
“The MBTA’s fraud detection team has increased monitoring to account for this vulnerability [and] does not anticipate any significant financial impact to the MBTA."
Oh well thank goodness the business isn’t hurt!
Won’t somebody think of the shareholders??!!
The MBTA is a public agency that is funded by both fares and tax dollars. So you shouldn’t be worried about the business, but the citizens of Boston.
Roads aren’t funded by fares, why should public transit?
Give the teens free passes for life and fire the executives responsible for the lapse in security.
It’s nice to see the MBTA being a bit more modern with their approach to security breaches. The overly hostile “We’ll sue you if you tell anyone” tactic certainly would not encourage anyone to report anything they found so it could be fixed.
This is the ideal response to a system threat of this type, especially if they didn’t know the vulnerability existed.
“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added.
That may be one of the most adult things ever said by an organization executive. Since they have a replacement system (hopefully more secure) in the works and they’ve used the data from he hackers to mitigate potential financial impacts to the system in the mean time, they’re being completely level-headed about the process. It’s a damned shame this doesn’t happen more often.
Absolutely. They even said in the article:
He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”
It’s the Streisand Effect in full force; they drew attention to the vulnerability by fighting it so hard the first time. Who knows how many other people have found vulnerabilities since then that just haven’t been vocal about it. (The article mentions one such person, even.)
Good for them
The MBTA sued some MIT students a while back when they discovered the same thing. So the MBTA hasn’t fixed this in over a decade.
https://www.universalhub.com/2023/some-medford-kids-figured-out-how-hack
If you had read the first paragraph, or even the subheader, you would have seen that the article covers that and that the kids were working off the 2008 research.
Yep, we must have read the same article or something… ;)
Denver just made all RTD service free to teens for at least the next year
I hope that they give these kids a job after college.