
No surprise here, but the kids from MIT were (presumably) right all along. The three students who were
silenced just before presenting their findings at Defcon have finally been freed from the gag order; the now-revoked order had prevented them from exposing weaknesses in the Massachusetts Bay Transportation Authority's fare system, but in the same court session the MBTA fessed up and admitted that its current system is indeed vulnerable. Of note, it only conceded that its CharlieTicket system is susceptible to fraud, while saying nothing about any flaws in the more popular CharlieCard option. Pish posh -- who here believes it doesn't have dutiful employees working up a fix as we speak?
My Golden Ticket already gets me free rides for life.
And where might one procure such a ticket? Having to pay for the torture of the B line is less than pleasurable.
It wouldn't much surprise me if the MBTA is pretty screwed on this one. The Mifare Classic system, which the CharlieCard is based on, has been demonstrated to be made of a mixture of suck, vulnerability, and proprietary "encryption". NXP, the vendor, has been less than cooperative in the past (most notably, they sued the Dutch researchers who discovered some of the vulnerabilities, even though said researchers gave them ample prior disclosure).
Having bought a severely broken system from an uncooperative vendor, the MBTA is in a lousy spot of its own making.
NXP, the MBTA, and the entire MA government sound about the same then. I'm sure they deserve each other.
WOOT! Another opportunity to hack, good thing I live in MA.
Hack? Or crack? What you would call a hack in other states is called a crack in MA, because MIT has the word "hack" reserved for its several high-profile pranks.
Too bad Georgia Tech doesn't believe in "hacks" - stealing the Whistle and the "T", long considered part of GT's equivalent to the MIT hacks, are now outlawed, but at least George P. Burdell still lives on.
ha ha ha ha ha ha
wow that's great. the mbta needed to confirm that you could spoof a magnetic stripe. wow.
The MBTA didn't need proof of anything. They've been spoofing their own cards for maintenance purposes for years.
The MBTA doesn't have "dutiful employees". It's among the worst-run agencies in MA, and that's saying something. It's taken them years to roll out a modern fare collection system and it's not shocking that they effed it up. The agency is mired in debt, needs a state bailout to continue operating, and has a horrible record of on-time performance and customer service. It's a bastion of hacks biding their time until they can collect a bloated pension. It's an embarrassment to the state....but just one of many.
I love how the MBTA totally shot themselves in the foot on this one. The researchers did the right thing - they gave a public disclosure, but left some of the critical details out. They confidentially gave these details ahead of time to the MBTA, so that it could understand the seriousness of the problem, and also provided solutions on how to fix them. The MBTA then filed these secret documents in open court, and the court published them: http://cryptome.org/mbta-v-zack/mbta-v-zack.htm#10
From that document: "[the checksum] is only 6 bits long which allows an attacker to execute a brute-force attack (trying all 64 possible cards) until one works. We have purposely omitted details of this checksum in any public disclosures we have made. That said, this 'security feature' has weaknesses that should be improved. We detail how this can be done in the Recommendations section."
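Added example (mine, not code from the report, the researchers or the MBTA), to show what a 6-bit check field means in practice and why the fix is a wider field rather than a secret algorithm: a simulated fare gate verifies a constructed stored-value record, and an attacker who knows nothing about the checksum simply cycles through the 64 possible field values. The checksum, the record layout and the key below are invented stand-ins; the real CharlieTicket encoding is not on this page. Run with a 16-bit field (the width a later comment says the Defcon slides showed) the same attack needs up to 65,536 presentations, and with a 64-bit keyed tag it does not finish at all.

```python
# Added example, not code from the report, the researchers or the MBTA.
# Simulates why a 6-bit integrity field on a stored-value record falls to at
# most 64 gate presentations, whatever algorithm sits behind it. The checksum,
# the record layout and the key are all constructed here for the example.
import hashlib
import hmac

FIELD_BITS = 6  # width of the check field quoted from the report


def toy_checksum(payload: bytes, bits: int = FIELD_BITS) -> int:
    """HYPOTHETICAL unkeyed checksum standing in for the undisclosed one:
    the byte sum folded into `bits` bits."""
    return sum(payload) & ((1 << bits) - 1)


def keyed_tag(payload: bytes, key: bytes, bits: int) -> int:
    """Keyed alternative: HMAC-SHA256 over the record, truncated to `bits`."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def encode_record(cents: int) -> bytes:
    """Constructed record layout: just the stored value, big-endian."""
    return cents.to_bytes(4, "big")


class Gate:
    """Simulated fare gate: accepts a record iff the check field matches.
    Counts presentations so the attacker's work can be measured."""

    def __init__(self, verify, bits: int):
        self.verify = verify  # callable(payload) -> expected field value
        self.bits = bits
        self.presentations = 0

    def present(self, payload: bytes, field: int) -> bool:
        self.presentations += 1
        return self.verify(payload) == field


def forge_by_brute_force(gate: Gate, payload: bytes, max_tries: int):
    """Attacker who knows neither algorithm nor key: try every field value
    until the gate opens. Returns the accepted field value or None."""
    for guess in range(min(max_tries, 1 << gate.bits)):
        if gate.present(payload, guess):
            return guess
    return None


def forge_with_known_algorithm(gate: Gate, payload: bytes):
    """Attacker who has reverse-engineered an unkeyed checksum: compute the
    field once and present the card once."""
    field = toy_checksum(payload, gate.bits)
    return field if gate.present(payload, field) else None


def run(bits: int, keyed: bool, max_tries: int = 1 << 16):
    """Returns (forgery accepted?, gate presentations used) for a forged
    $1000.00 record against a gate using a `bits`-wide check field."""
    key = bytes(range(16))  # constructed fixed key, for reproducibility
    if keyed:
        def verify(p):
            return keyed_tag(p, key, bits)
    else:
        def verify(p):
            return toy_checksum(p, bits)
    gate = Gate(verify, bits)
    forged = encode_record(100_000)
    accepted = forge_by_brute_force(gate, forged, max_tries) is not None
    return accepted, gate.presentations


if __name__ == "__main__":
    for bits, keyed in [(6, False), (6, True), (16, True), (64, True)]:
        ok, n = run(bits, keyed)
        kind = "keyed" if keyed else "unkeyed"
        print(f"{bits:2d}-bit {kind} field: "
              f"{'forged' if ok else 'held'} after {n} presentations")
```

The point the numbers make: with a 6-bit field, keying the algorithm buys nothing, because the attacker never needs to compute the field, only to guess it, and 64 guesses is an afternoon at a turnstile. A gate that rate-limits or logs repeated failures for the same card helps, but the field width is the ceiling on the work an attacker has to do.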
Nice find. It's difficult for me to admit that I am still surprised every time I find out about the Massachusetts government doing something stupid like this.
"who here believes it doesn't have dutiful employees working up a fix as we speak?"
If you know the MBTA you know NOTHING will be done about it besides perhaps a few press releases talking about how they are "working on improving the system blah blah blah". 10 years from now everything will be the exact same.
I don't know what you guys mean by 'left out details.'
If you look around real quick, there's an 85 page .pdf called 'anatomy of a subway hack'
which basically shows how disgustingly inept MBTA is.
I gave up on the MBTA and went 100% bicycle powered when they raised the fare this year, can't wait for them to raise it again in order to revamp the charliecard!
Oh, and they detail very clearly in the pdf how the charliecard is very vulnerable as well.
In the Defcon presentation, they illustrate a 16-bit checksum -- not the far easier 6-bit checksum. I think they actually went beyond "leaving out" information and into the realm of disinformation to dissuade potential attackers. Also, the Defcon presentation did not give the master 48-bit RFID key.
The T's magnetic cards have been vulnerable to fraud for decades. There are T employees who got the 84 page PDF and laughed at this information only just now becoming public information.
Unfortunately for the T, or fortunately for the would-be defrauder, after the millions spent on the fare system overhaul, there really isn't a lot they can do to fix things without millions more in changes.
Gee, the MBTA system sucks just like the Red Sox. HAHAHA.
MARTA PWNS THE "T". My Breeze Card has never failed me except for one instance when my free train-to-bus transfer was not triggered when boarding a bus, and again when that same day my later [free] bus-to-bus transfer also was not triggered (thus three trips instead of just one were deducted from my card).
Wait someone said MBTA is one of the worst run orgs in Mass??
I think we should expand that to one of the worst transit systems in the nation.
Not only does the MBTA not have dutiful employees working on this problem, but they also aren't working on any other problems.
This whole issue really weighs on my mind considering the industry ramifications. Jon Longoria wrote an interesting, albeit brief, article regarding the plausible thought process the MBTA took going into this. You can check it out here: http://thereformed.org/2008/08/25/mbta-put-profit-before-security/