Boston T Party
The hackers are coming!
Following an increasingly popular trend, Zack Anderson and his friends at MIT worked on finding holes in the local transit authority's security system. They were rewarded.
They were scheduled to speak at DEFCON but a judge yanked their appearance. The EFF got into the picture and somehow their presentation made its way onto the Internet anyway.
This is a story in two parts.
Prepared for the MBTA
Zack Anderson, Russell Ryan, and Alessandro Chiesa presented an unsolicited report to the Massachusetts Bay Transit Authority on 8 August 2008 entitled 'Fare Collection Vulnerability Assessment Report - Analysis and Recommendations'. The report details vulnerabilities in the MBTA's CharlieTicket system and is marked 'CONFIDENTIAL'.
A CharlieTicket is a 'magnetically encoded paper ticket that contains a stored value or a pass', according to MBTA's website. 'A CharlieTicket encoded with a pass allows for unlimited travel for a certain period of time.'
The MIT team found weaknesses in the CharlieTicket system:
CharlieTicket values are stored on the card, not in a central database.
Anyone with a card can read it and write to it, given proper equipment.
The card does not use a cryptographic signature to ensure its integrity.
The MBTA networks do not have any form of centralised card verification.
CharlieTickets can be easily cloned and forged.
A suggested cloning attack.
Using a magnetic card reader/writer and software, a criminal can easily purchase one authentic card of a larger value and copy it onto cards of minimal value. The attack does not require any knowledge of or skills in computer science.
A suggested forgery attack.
Buy a magnetic card reader/writer on the Internet (eBay) for $150. Go to a fare vending machine and purchase a handful of 5 cent CharlieTickets. Re-encode the tickets to put at least $1 less than the maximum value ($655.36 - get it) onto each card and give each card a unique ID. Now take the tickets to a fare vending machine and add $1 to each. The machine will print out new tickets with the correct value printed on the face of each. Now sell them all and make lots of money.
It be good business.
The sensitive CharlieTicket information is not only stored on the cards themselves - it's stored in unencrypted form. The tickets do contain a checksum - but it's created with a 6-bit [sic] algorithm - and that yields only 64 distinct values.
And so forth.
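Why a 6-bit checksum is no integrity control, and what the missing signature and central verification would look like, as an added example that is not taken from the MIT report or from this article. The record layout, the sum-mod-64 checksum, the key and the Ledger class are constructed for illustration and are not the vendor's encoding or algorithm.

```python
import hashlib
import hmac
import struct

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held by back end and validators only

def pack_ticket(ticket_id: int, value_cents: int) -> bytes:
    """Constructed layout: 32-bit ID + 16-bit value in cents (not the real encoding)."""
    return struct.pack(">IH", ticket_id, value_cents)

def checksum6(record: bytes) -> int:
    """Stand-in unkeyed 6-bit checksum: whatever the algorithm, only 64 outputs exist."""
    return sum(record) & 0x3F

def values_sharing_checksum(ticket_id: int, value_cents: int) -> int:
    """Count the 16-bit values whose record has the same checksum as the genuine one."""
    want = checksum6(pack_ticket(ticket_id, value_cents))
    return sum(checksum6(pack_ticket(ticket_id, v)) == want for v in range(1 << 16))

def mac_tag(record: bytes, key: bytes = ISSUER_KEY) -> bytes:
    """Keyed tag (truncated HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, record, hashlib.sha256).digest()[:8]

class Ledger:
    """Central verification: the back end, not the card, is authoritative for value."""
    def __init__(self):
        self.balances = {}

    def issue(self, ticket_id: int, value_cents: int):
        self.balances[ticket_id] = value_cents
        record = pack_ticket(ticket_id, value_cents)
        return record, mac_tag(record)

    def ride(self, record: bytes, tag: bytes, fare_cents: int) -> str:
        if not hmac.compare_digest(mac_tag(record), tag):
            return "reject: bad tag"
        ticket_id, _card_value = struct.unpack(">IH", record)
        if self.balances.get(ticket_id, 0) < fare_cents:
            return "reject: insufficient balance"
        self.balances[ticket_id] -= fare_cents
        return "accept"

if __name__ == "__main__":
    ledger = Ledger()
    record, tag = ledger.issue(1001, 200)                   # constructed sample ticket, $2.00
    print(values_sharing_checksum(1001, 200))               # values the checksum cannot tell apart
    print(ledger.ride(pack_ticket(1001, 65000), tag, 200))  # altered record fails the keyed tag
    print(ledger.ride(record, tag, 200))                    # genuine ticket
    print(ledger.ride(record, tag, 200))                    # identical copy: balance already spent
```

The keyed tag stops altered records, but a byte-for-byte copy still carries a valid tag; only the central balance makes a copy worthless.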
Scheidt & Bachmann
The CharlieTicket system was designed by the German firm Scheidt & Bachmann. They've also delivered systems for a half dozen more municipalities in the US and similar systems to Germany, Croatia, the United Arab Emirates, Australia, Switzerland, Turkey and other countries. And their systems use a 6-bit checksum, no encryption, and monetary values calculated with binary arithmetic and with sensitive data always in the wrong place.
Scheidt & Bachmann have also expanded into petrol station systems.
Free petrol, anyone?
Scheidt & Bachmann: Signaltechnik Juli 2008
Ryan, Anderson, Chiesa: Anatomy of a Subway Hack
Wired: Fare Collection Vulnerability Assessment Report