Monday, August 11, 2008

MIT Students Hack Boston Charlie Cards

The Facebook generation makes hacking transit look easy. From the Subway Blogger:

Apparently, some students at MIT made it a class project to hack the Boston subway system (aka the T). As a matter of fact, the title of the project is: “The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems.”

Now, the students are computer security majors, so you can see the fit. They planned to give their 80+ slide presentation at Defcon, a very large security conference. However, the MTBA sued to have the presentation stopped. A judge ordered a temporary restraining order keeping the presentation quiet.

It's my understanding that Defcon doesn't have a lot of leaks. I'm not really sure what Boston is worried about. If these kids can do it, certainly anyone can if they have the appropriate skills.

1 comment:

arcady said...

The fundamental problems here are that the MBTA doesn't care about security: despite all the Homeland Security funding they get and their bag searches and so on, they leave doors unlocked and network cabinets open. And their fare system was designed by the vendor, who probably didn't think too hard about security. Magstripe cards are a known risk: it should be expected that people can mess with them, and the system should be able to at least reduce the damage that can be done that way, as NYC's Metrocard system does. And the CharlieCard uses the now completely broken MiFare system. And Boston was one of those lucky cities that rolled out their RFID system without too much trouble or delays, unlike the various schemes in the Bay Area, LA, and so forth.