But cybersecurity analyst Bobby Rauch says a security flaw makes it relatively easy to exploit a well-known weakness in the system.
“Anyone in Boston with an Android phone and a curiosity about how CharlieCard works can exploit these same vulnerabilities,” said Rauch, who brought the issue to the agency’s attention in August.
This is not the first time that “ethical hackers” have warned of CharlieCard problems. In 2008, computer science students at the Massachusetts Institute of Technology identified a similar security flaw in the CharlieCard. The students said they would publicly describe the flaw at a major hacking conference. In response, the transit agency sued the students and persuaded a federal court to issue a gag order, forcing the students to cancel the talk. The ruling drew a fierce backlash from civil liberties groups, and the court overturned it. The MBTA later dropped the lawsuit and agreed to consult with the students on ways to improve CharlieCard security.
Today, the MBTA takes a different approach to security whistleblowers. “It’s no longer punitive,” said William Kingkade, MBTA’s senior director of automated fare collection. “It was welcoming.”
Instead of trying to silence Rauch, the agency worked with him to better understand the flaws in the CharlieCard system.
It doesn’t hurt that Rauch, an MIT computer science graduate, is a seasoned bug hunter with a solid track record. Last year, he revealed how hackers could use Apple’s AirTag personal tracking devices to steal a user’s sensitive information. Earlier this year, he reported a flaw in Microsoft Teams that could be used to smuggle malware into computer systems.
This time, Rauch looked at a new way to exploit some of the same security flaws MIT students discovered in 2008.
Each CharlieCard contains a Near Field Communication, or NFC, radio chip that keeps track of the money stored on the card. This data is encrypted using an easy-to-crack algorithm; indeed, encryption keys are readily available online. And with the right equipment, a clever hacker could intercept someone’s CharlieCard radio signal, log their data, and copy it to a blank card to get free subway rides. The original CharlieCard would still work, but so would its clone.
At the time, such an attack required a lot of expensive equipment, which made it impractical. But Rauch figured out that some of today’s Android phones could do it. Almost all contain NFC chips for making payments at credit card terminals. And some of them, including several Google Pixel phones, use NFC chips that can communicate with those inside CharlieCards. There’s even an app, available for free on the Google Play Store, to allow these phones to download data from a CharlieCard and copy the data to a blank card. (Apple iPhones also contain NFC chips, but none of them are compatible with CharlieCards.)
“I could theoretically capture a dump of a real CharlieCard, write it to a blank card I bought online, step up to the T repeatedly, then once I’ve emptied my funds, replenish by writing the dump of the real card onto my blank card,” Rauch wrote in a blog post. “Additionally, I could write to multiple cloned cards and distribute or sell them.”
Rauch even speculated that someone with an Android phone could steal another traveler’s CharlieCard data, simply by standing close enough to intercept the card’s radio signal.
MBTA’s Kingkade said the agency isn’t too worried, as he expects few people will attempt this kind of feat. He said the MBTA has installed software backups in its computer network capable of detecting cloned CharlieCards. “We look for fraud and catch fraud every day,” he said. “These are very small numbers,” he added – around 10 per month. When a counterfeit card is detected, it is immediately deactivated.
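A sketch of the kind of back-end check Kingkade describes, added here as an illustration and not the MBTA's software or anything from Rauch's post. It assumes the fare system keeps its own ledger per card and that every tap reports the balance stored on the card; the event layout, card IDs and 10-minute threshold are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real MBTA data): time, card UID, station,
# event kind, amount in cents, and the balance the card itself reported
# *before* the event was applied.
EVENTS = [
    ("2022-12-01T08:00", "CARD-A", "Park St", "reload", 1000, 0),
    ("2022-12-01T08:05", "CARD-A", "Park St", "fare", 240, 1000),
    ("2022-12-01T17:30", "CARD-A", "Alewife", "fare", 240, 760),
    ("2022-12-02T08:05", "CARD-A", "Park St", "fare", 240, 1000),  # rolled back
    ("2022-12-01T09:00", "CARD-B", "Harvard", "reload", 500, 0),
    ("2022-12-01T09:10", "CARD-B", "Harvard", "fare", 240, 500),
    ("2022-12-01T09:12", "CARD-B", "Braintree", "fare", 240, 500),  # second copy
]

MIN_TRAVEL = timedelta(minutes=10)  # assumed minimum time between two stations


def find_suspect_cards(events):
    """Return {uid: set of reasons} for cards whose taps disagree with the ledger."""
    ledger = {}    # uid -> balance the back end expects
    last_tap = {}  # uid -> (time, station) of the previous fare
    flagged = defaultdict(set)
    for ts, uid, station, kind, amount, reported in sorted(events):
        when = datetime.fromisoformat(ts)
        expected = ledger.get(uid, 0)
        # A restored dump shows more stored value than the ledger accounts for.
        if reported > expected:
            flagged[uid].add("balance_rollback")
        if kind == "reload":
            ledger[uid] = expected + amount
            continue
        # Two copies of one card show up at different stations too close in time.
        if uid in last_tap:
            prev_when, prev_station = last_tap[uid]
            if station != prev_station and when - prev_when < MIN_TRAVEL:
                flagged[uid].add("impossible_travel")
        ledger[uid] = max(expected - amount, 0)
        last_tap[uid] = (when, station)
    return dict(flagged)


if __name__ == "__main__":
    for uid, reasons in find_suspect_cards(EVENTS).items():
        print(uid, sorted(reasons))
```

Because the ledger lives on the server rather than on the card, rewriting the card's contents cannot reset it, which is why a flagged card can be deactivated even though the card itself cannot be hardened.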
But Kingkade admits that the current CharlieCard system can never be completely secure against this type of attack. A solution is expected by 2024, when the MBTA is set to adopt a new and improved fare payment system.
Hiawatha Bray can be contacted at hiawatha.bray@globe.com. Follow him on Twitter @GlobeTechLab.