The MBTA admits that your CharlieCard can be hacked by an Android phone
But cybersecurity analyst Bobby Rauch says the security flaw makes it relatively easy to exploit a known vulnerability in the system.
“Anyone in Boston with an Android phone who is curious about how CharlieCard works could exploit these same vulnerabilities,” said Rauch, who brought the issue to the agency’s attention in August.
This isn’t the first time that “ethical hackers” have warned about CharlieCard’s problems. In 2008, computer science students at MIT identified a similar vulnerability in CharlieCard. The students said they would publicly describe the security flaw at a major computer hacking conference. In response, the transportation agency sued the students and persuaded a federal court to issue a gag order, forcing the students to rescind the letter. The ruling led to a backlash from civil liberties groups, and the court reversed itself. The MBTA later dropped the lawsuit and agreed to consult with students about ways to improve CharlieCard’s security.
These days, the MBTA takes a different approach to security whistleblowers. “It’s no longer punitive,” said William Kingkade, senior group director of motorized fare at the MBTA. “He was welcome.”
Instead of trying to silence Rauch, the agency worked with him to better understand the shortcomings of the CharlieCard system.
It doesn’t hurt that Rauch, who graduated in computer science from MIT, is a veteran bug hunter with a proven track record. Last year, he revealed how hackers could use Apple’s AirTag personal tracking devices to steal sensitive user information. Earlier this year, he reported a flaw in Microsoft Teams that could be used to smuggle malware into computer systems.
This time around, Rauch took a look at a new way to exploit some of the same security flaws discovered by MIT students in 2008.
Each CharlieCard contains a near field communication, or NFC, radio chip, which keeps track of the money stored on the card. This data is encrypted using an algorithm that is easy to crack; in fact, encryption keys are easily available online. With the right equipment, a clever hacker could intercept a radio signal from someone’s CharlieCard, record its data, and copy it onto a blank card to get free rides on the subway. The original CharlieCard will still work, but so will a clone.
In the past, such an attack required a lot of expensive equipment, which made it completely impractical. But Rauch has found that some existing Android phones can pull it off. Almost all of them have NFC chips for use in making payments at credit card terminals. And some of them, including many of Google’s Pixel phones, use NFC chips that can talk to those inside CharlieCards. There is even an app available for free in the Google Play Store to allow such phones to download data from CharlieCard and copy the data to a blank card. (Apple’s iPhones also have NFC chips, but none are compatible with CharlieCards.)
“I could theoretically take a dump file for a real CharlieCard, write it to a blank card I bought online, ride a frequent T, and then once I empty my money, refill it by writing the real card dump file to my blank card,” Rauch wrote in a blog post. “In addition, I can write to multiple clone cards and either distribute or sell them.”
Rauch even speculated that someone with an Android phone could steal data from another passenger’s CharlieCard, simply by standing close enough to intercept the card’s radio signal.
The MBTA’s Kingkade said the agency isn’t too concerned, as he expects few people to attempt this type of exploitation. He said the MBTA had installed firewalls in its computer network capable of detecting cloned CharlieCards. “We’re looking for fraud and catching fraud every single day,” he said. “It’s very small numbers,” he added — about 10 per month. When a fake card is detected, it is immediately deactivated.
But Kingkade admits that the current CharlieCard system can never be completely secure against this type of attack. A solution is expected by 2024, when the MBTA is supposed to adopt a new and improved fare payment system.