Hacking the MBTA
Posted by Fred Jandt
Editor, Mass Transit magazine
The Massachusetts Bay Transportation Authority (MBTA) was in court last week getting a temporary restraining order (TRO) against three MIT students who were planning a presentation on how to hack the MBTA’s CharlieTicket and CharlieCard systems at the Defcon hacker conference in Las Vegas. This week the authority was back in court seeking to extend the TRO while it scrambles to plug the security holes pointed out by the students.
Unfortunately it seems that the MBTA might be a bigger security risk than the defendants in this case.
The students pulled their presentation from the conference and presented MTBA with a more detailed paper on the security flaws entitled “Fare Collection Vulnerability Assessment Report Analysis and Recommendations.” The MBTA took the report and offered it as evidence to the court of how damaging this information would be if the student’s released it to the public. Except when you enter materials into a court case they become a matter of public record — whoops!
Yep, this report that could be so damaging to MBTA is now being spread all across the Internet. A simple Google search got me a story with a link to the offending document. But here’s the thing, I read the document and I realized that while in fact, CharlieTickets and CharlieCards could indeed be hacked, I couldn’t do it.
What the MBTA in its zest to suppress this information failed to realize was that the paper isn’t a blueprint to ripping them off. It states in broad terms how the tickets could be hacked, but it doesn’t give you step-by-step instructions. It even presents ways the students found MBTA could solve these security holes.
I have to wonder whether or not MBTA would have targeted these students with legal ramifications so quickly had their paper been released at APTA’s Fare Collection Workshop or TransITech as a cautionary tale for other agencies with provided solutions. Should the three MIT students (or their professor) have presented the document to MBTA before they planned to present it at Defcon? Yes. Of course, they may have called MBTA and had their calls fall on deaf ears. Earlier this year Dutch researchers showed how the card the CharlieCard is based on could be hacked, but the MBTA stated in court documents that its proprietary encryption made those concerns moot.
The report is vague enough that unless you are dead set on hacking the MBTA’s system and have a moderate level of skill you aren’t going to be able to figure out how from it. And if the document as it stands allows people to start wildly hacking MBTA’s fare collection system, maybe it’s time it took a longer look at its own security. I know three college students from MIT who could probably help them out.
Thanks for reading the MT Position updated every Friday,
August 15th, 2008 at 11:35 am
I think the MBTA should pay those three students a healthy consultants fee. After all, they would pay that to anyone they hired to review the security of the system and they basically got this for free! Of course they also got a beak full of bad PR as well. Over all, the situation was poorly handled and only served to alert other computer savy types that it could indeed be done. This type of over reaction has, unfortunately, become all to common in our post 9-11 society (does anyone remember the trash can memo from FTA?) Common sense, restraint and dialogue would have prevailed nicely in this situation.
John Landrum
McKinney Avenue Transit Authority