MIT students cause controversy with subway hack

August 12, 2008

Boston’s transit bosses have gained a temporary restraining order banning three MIT students from giving a presentation explaining how they were able to hack the city’s subway system. But public record rules mean the details are now available online.

The Massachusetts Bay Transportation Authority (MBTA) secured a 10-day gagging order designed to stop Zack Anderson, R.J. Ryan and Alessandro Chiesa from discussing their security breaches at last Sunday’s DEFCON 16 conference in Vegas.

Unfortunately for the officials, they included a full copy of the presentation in their court filings. MIT’s student newspaper The Tech has taken advantage of those filings being public record and published the entire presentation on its website.

The students’ research uncovered problems with the ‘Charlie Card’ and ‘Charlie Ticket’, electronic fare cards which replaced metal tokens in 2006. They found the major flaw was that the details of how much credit a passenger has are actually stored on the card itself. That makes it a lot less secure than if it simply identified the passenger and the financial records were stored on the computer network.

There’s also no reliable encryption on the cards and no central system for verifying them. That means criminals could use a magnetic card reader (which costs around $150 online) to take a card with just 5c credit and rewrite it with the maximum credit of $655.36. Clearly that would make it possible to sell the cards on the street at an almost irresistible discount while still making huge profits.
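The two missing controls described above, an authenticated record on the card and a central check of it, can be sketched as follows. This is an added example, not code from the students' presentation or from MBTA; the record layout, key and ledger are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed layout for illustration only (not the real fare-card format):
# card id, balance in cents, transaction counter, then an HMAC-SHA256 tag.
BODY = struct.Struct(">III")
TAG_LEN = 32
DEMO_KEY = b"constructed-demo-key"  # assumption: real keys stay in the gate's secure hardware

def issue(card_id, balance_cents, counter, key=DEMO_KEY):
    """Build the bytes written to the card: body plus authentication tag."""
    body = BODY.pack(card_id, balance_cents, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def validate(blob, ledger, key=DEMO_KEY):
    """Gate-side check: authenticate the record, then reconcile with the back office."""
    if len(blob) != BODY.size + TAG_LEN:
        return "reject: malformed"
    body, tag = blob[:BODY.size], blob[BODY.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "reject: bad tag"
    card_id, balance_cents, counter = BODY.unpack(body)
    if ledger.get(card_id) != (balance_cents, counter):
        # Authentic but stale or copied record: only the central ledger catches this.
        return "reject: ledger mismatch"
    return "accept"

def demo():
    ledger = {}  # hypothetical central store: card id -> (balance, counter)
    original = issue(1001, 2000, 7)
    ledger[1001] = (2000, 7)
    results = {"genuine": validate(original, ledger)}
    # Balance field changed on the card without the key: the tag no longer matches.
    edited = BODY.pack(1001, 60000, 7) + original[BODY.size:]
    results["edited"] = validate(edited, ledger)
    # A fare is spent and the ledger moves on; the old record is presented again.
    current = issue(1001, 1800, 8)
    ledger[1001] = (1800, 8)
    results["stale_copy"] = validate(original, ledger)
    results["current"] = validate(current, ledger)
    return results

if __name__ == "__main__":
    print(demo())
```

The stale-copy case is why the tag alone is not enough: an old record is still authentic, so only the ledger comparison rejects it.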

The students also found that cables in stations which carry purchasing data are not always physically secured, which is particularly risky as they can carry details of passengers’ credit cards.

MBTA officials found out about the project when DEFCON organisers began publicising the presentation. They spoke to the students on 5 August, and the students sent them a summary of the presentation three days later. The students refused to hand over a full copy before their Vegas appearance; MBTA said its court filing was needed so it could make any necessary security changes before the details became public.




One Response to “MIT students cause controversy with subway hack”

  1. The Future of Sega:

    I personally feel that computer hackers should get the death penalty. They are the most DISGRACEFUL ANNOYING little creatures on the face of the Earth! They are absolute SCUM for doing that!

    @ Hackers….Hey do idiots know how much money it costs to get computers repaired from viruses, spam, etc due to your stupidness!?!?????


Copyright © 2012 Blorge.com NS