Teens Hacked Boston Subway Cards For Infinite Free Rides, and This Time Nobody Got Sued

Long-time Slashdot reader UnCivil Liberty writes: Following in the footsteps of three MIT students who were previously gagged from presenting their findings at Defcon 2008 are two Massachusetts teens (who presented at this year's Defcon without interference).

The four teens extended other research done by the 2008 hacker team to fully reverse engineer the "CharlieCard," the RFID touchless smart card used by Boston's public transit system. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives them unlimited free rides. "You name it, we can make it," says Campbell.

you don't get sued you can get jailed for that

[Joe_Dragon]

you don't get sued you can get jailed for that

Re:

[JaredOfEuropa]

For reverse engineering the card, I don't know. But using the card would be a rather stupid move.
I remember something about our national card getting reverse-engineered with unlimited top-ups. However the transport authorities quickly added some software, they are able to see that there are no transactions in the ledger to justify the balance on the card, and proceed to block it (or flag it so they can nab you when you use it next).

Re:

[jslolam]

> However the transport authorities quickly added some software, they are able to see that there are no transactions in the ledger to justify the balance on the card, and proceed to block it

1. Put real money on the card.
2. Top up the card with fake value but never exceed the original real money amount.
3. Use the card.
4. Profit by riding for free.

Re:

[beuges]

The readers at the turnstiles or on the busses/trains that you tap your card on records the card number and the fare being deducted, and those are reconciled against the topups applied to the card. So if you do an initial real topup of $100 and then just keep on adding fake topups of $10 every day, they will soon notice that the card has only done a $100 topup but has had $1000 deducted off it.
The readers often have a list of cards and balances that gets updated as often as is practical, to allow additional

Re: you don't get sued you can get jailed for that

[Registered Coward v2]

Nah. Just sentence them to riding the MTA until they are out of ridesâ¦

Re:

[jmccue]

Have you ridden the Boston Subway recently ? It is a death defying experience, and someone I know has an app on their Iphone that can somehow tell you how fast it is going, even undergtound. On his line, it averages 3 MPH (4.8kph) for 10 miles (16km). You can commute by bicycle much faster that that.

So no, it should be free or you should be paid to ride it.

Re:

[Registered Coward v2]

Have you ridden the Boston Subway recently ? It is a death defying experience, and someone I know has an app on their Iphone that can somehow tell you how fast it is going, even undergtound. On his line, it averages 3 MPH (4.8kph) for 10 miles (16km). You can commute by bicycle much faster that that.

Of course riding a bike in Boston traffic is a bit more of a death defying activity.

So no, it should be free or you should be paid to ride it.

Which is why a said a suitable sentence would be to ride it until the card expired...

my boy's wicked smaht

[apparently]

"Infinite Rides On A Boston Subway" is literally the definition of Hell.

Re:

[Anonymous Coward]

"Let me tell you the story of a man named Charlie, On that tragic and fateful day..."

Re:

[TWX]

Was gonna say, there's a song about that, and they literally named the transit card after the character in it.

Re:

[glitch!]

If his wife could throw him a sandwich, why couldn't she send him money for his fare? I guess the story is deeper than the song suggests. (For those who do not get the reference, look up the "Man who never returned".)

Where can you buy one of these?

[drainbramage]

Where can you buy one of these?
(Asking for a friend.)

The new generation of hackers

[mustafap]

Glad they publicised. I would have just kept it quiet and benefited from it. Nice to see the new generation of hackers have better morals!

When I was a kid in the UK in the 1970's, I was taught how to put matchsticks up the coin return of public phone booths. That was where I got my pocket money as a kid.

Re:

[franzrogar]

Hackers have good morals.

Maybe you're mistaking them for crackers?

Re:

[haruchai]

Maybe you're mistaking them for crackers?"
Stop hating on white people

Re:

[kmoser]

Cracking doesn't make you immoral any more than hacking. It's your motivation and what you do with your newfound knowledge that separates the moral from immoral (not to mention legal from illegal).

Re:

[yagmot]

Back in my day, the term "cracker" meant immoral / criminal hacker. We had to come up with some way to differentiate the tinkerers from the criminals since the media was (and still is) giving hackers a bad name, and that was the word we settled on.

I guess the stupid question...

[TWX]

...is why the card is anything but an identifier at all. Is it because they're concerned that their toll-paying gates' connectivity is so poor that they need the off-network device to be capable of interpreting the fare status without database backend reachability?

Because it would seem like just connecting toll-paying gates to the MBTA network and having them query against databases would be the best approach provided that they could keep their transaction rate good and connectivity reliable and secure.

I g

Re:

[ls671]

That's how it works where I live and you simply get a free ride if the system is down or no network, which is rare. It works fine like that even for buses.

Re:I guess the stupid question...

[Wrath0fb0b]

Yes. Almost all of these systems are what's called "Truth On Card" which is exactly what it sounds like -- all balances, plans and modifiers are stored locally on the card. This is done for throughput reasons -- having the gate be able to do a local transaction (100-200ms or so) is far quicker than phoning home and adjusting it in a database (>500ms and subject to connectivity). Faster transactions means you need fewer gates in a given station to accommodate a specific volume of passengers, even if it increases the complexity of the gate. For super high volume systems it isn't even possible to add more gates to make up for it, so maintaining throughput is super critical -- Tokyo subway stations often pass 60 passengers per gate per minute at peak hour.

You do intuit correctly though that even in truth-on-card systems, there is a ledger and the backend does periodically reconcile all the transactions with all the gates and they do all feature a denylist system -- although the usual use is for "I lost my card, give me back my balance".

Finally, a small-but-growing number of systems are moving to a "Truth in the Cloud" systems where the cards is just a (secure) account # similar to a chip based credit card. But the transit agencies are slow and many of these systems were put in place decades ago and these transitions are not cheap in an era where transit budgets were wrecked by COVID. Plus there's a lot of "don't fix what ain't broke" here -- and the security story for hacked cards might look bad optically at DEFCON but it isn't actually losing them enough money by fraud to be worth spending what it would take to upgrade. This is especially true with denylisting as an imperfect backup measure.

Re:

[Anonymous Coward]

At some of the gates in the MBTA system, you can use a QR code on your phone, or one of the Charlie Cards. If you present a Charlie Card, communication is over an RFID protocol and the gates react essentially instantaneously.

But if you present a QR code, there's a substantial delay that is a fair fraction of a second.

Re:

[Wrath0fb0b]

Yup, that's the difference between doing it locally (truth on card) and hitting the cloud (truth on server)!.

Re:

[Zarhan]

Couldn't you just use a PKI here?

Card would contain the truth, validated by a certificate.

When you top up the card, the device (at kiosk or whatever) doing the top-up signs the new amount/service/whatever with it's issued cert, that in turn has been signed by a the (intermediate?) root cert of the system.

When you attempt to tap it at the gate, the gate will check the signature against the cert. It might also do an online check against a revocation list either having a full CRL on the gate, or using OCSP. If

Re:

[Chrontius]

OCSP provides a single point of failure, though, and is a glowing weak spot for a denial-of-service attack.

Re:

[Zarhan]

Sure, but those do not last forever. If someone is willing to get a botnet to do a DDoS for a free public transit ride... I really don't think that's a major issue.

Re:

[codebase7]

CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,”

That kilobyte of memory isn't enough to store a strong cryptographic signature. So the data isn't trustworthy at all. That's the first fault. A proper system would have had the data protected with a signature created with a key known only to the database back-end server.

The second fault is them "rolling their own checksum". Never assume your IT guys can whip up something better than the industry standard when it comes to crypto. You're begging for hacks otherwise.

PSA: The linked wired article has a hal

Re:

[pjt33]

That kilobyte of memory isn't enough to store a strong cryptographic signature.

What's your threshold for "strong cryptographic signature"? I consider Ed25519 to qualify, and that has 512-bit signatures. Even with plain semiprime RSA, I think 4096-bit is currently considered secure, and that's only half a kilobyte.

Re:

[Wrath0fb0b]

I'm not sure what you're talking about here -- AES128 in CMAC mode is 16 bytes and is a perfectly strong cryptographic signature. It's even in the NIST recommendations as good through the end of the decade and adopted by the PIV cards that government agencies use to secure their own buildings and log into their own machines.

Second of all, the key that produces this has to be known to all the gates in the system. It can't just be in the backend because then the gate couldn't see $20 and deduct $2 and then wr

Re:

[AmiMoJo]

The other major issue with server/cloud systems is what do you do when the system is down? Say an individual station loses connectivity - either nobody can use it, or you let everyone on for free there, or you try to record every transaction and reconcile it later. It gets very messy.

The backend reconciliation system has a major weakness - you can just keep changing the card ID so that by the time it notices and denylists the card, you have a "new" one. These days there is a risk with things like facial rec

Re:

[chas.williams]

The other stupid question is, how much effort do you want to put into this card system? You know you can jump the turnstile to get a free ride. These types of systems only work because people, in general, follow the rules. While you could design and implement the perfect card system, is it really worth it? Are you going to recover the money spent implementing your undefeatable card system?

Re: I guess the stupid question...

[transwarp]

The new Boston fare system cost a billion, and the extra cost for the complexity of handling busses will take one or two decades to recoup from meagre bus fares. That's if bus drivers don't just wave passengers on so they can get back on the road.

Re:

[codebase7]

Are you going to recover the money spent implementing your undefeatable card system?

Well the first thing to do would be to upgrade the turnstiles to prevent jumping. (Think double door system like most schools are required to have. One door is always closed, so you can't just walk though without being stopped.) Physical security is the most important, and if they don't have that no tech upgrade will fix problem.

Some will probably balk at the idea of a locked cage, but hey the transit service tried the more welcoming system (simple turnstile and mostly unverified pass cards) and got scre

Surveillance arms race

[The Evil Atheist]

They're just going to update the software and tag any suspicious event, or when anyone uses a staff designated card, so they can easily match it with security footage. Then there's also randomized checks on the vehicles by transport officers. They won't need to do it often either.

CharlieCard?

[VeryFluffyBunny]

A credit card sized rectangle of plastic called a CharlieCard? Does it come with a small mirror & straw? It's as if Boston's not even trying to hide it anymore.