Archive link: https://archive.vn/Pfc6Q
The CharlieCard is a contactless smart card used for transportation fare payment in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (aka MBTA or the T) and several regional public transport systems in the U.S. state of Massachusetts. Nearly 15 years after a group of MIT students first publicly disclosed security vulnerabilities in the CharlieCard, I am publicly disclosing that it is possible using only an Android phone to:
- Have a replacement CharlieCard delivered to a listed address, without paying
- Provision a new CharlieCard with funds, without paying
- Steal anyone's CharlieCard with a single physical tap of the card against a phone in a matter of seconds
This post will tell the story of the CharlieCard, complex system design, how vulnerability likelihood and severity can change with rapid changes in technology, the importance of OSINT (Open-Source Intelligence) monitoring and threat intelligence, and the process of responsible vulnerability disclosure to a government agency without a Vulnerability Disclosure Program.
(Score: 0) by Anonymous Coward on Saturday December 17 2022, @05:22AM
Origin of "Charlie" --
https://www.youtube.com/watch?v=S7Jw_v3F_Q0 [youtube.com]
(Score: 2) by krishnoid on Saturday December 17 2022, @05:25AM (5 children)
Maybe Charlie can load the exploit and finally get off the MTA [youtu.be]. Someone needs to make a sequel to this song (originally made as a political statement) with a cybersecurity theme.
(Score: 2) by Thexalon on Saturday December 17 2022, @01:31PM (3 children)
Of course, Charlie could have gotten off that train had his wife handed him a nickel instead of a sandwich, or any kind stranger with a nickel handy helped him out, but why let logic get in the way of a good story?
I also have to think these techniques might work with other fare-card systems such as London's OysterCard.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 2) by SDRefugee on Saturday December 17 2022, @02:03PM (2 children)
Not sure how that works.. On every transit system I've seen, if you don't have the correct fare, you don't get on; they don't let you on and then keep you prisoner for not having the correct fare, but I guess it makes a cool song, love the Kingston Trio.
America should be proud of Edward Snowden, the hero, whether they know it or not..
(Score: 0) by Anonymous Coward on Saturday December 17 2022, @08:43PM
Here, the subway is open, anyone can get on. But!! There are toll checkers roving making random checks on the trains and platforms and if you can't show them the correct ticket (purchased in advance), then you get fined (like a highway speeding ticket).
(Score: 2) by krishnoid on Saturday December 17 2022, @08:47PM
I think that counts as "false arrest" if you're prevented from debarking (veterinarians/arborists excluded). They can try to collect later under the terms of the contract, but they can't restrict your freedom without legal charges and/or a trial, I believe.
(Score: 2) by stormwyrm on Saturday December 17 2022, @10:37PM
Plurality is never to be posited without necessity. (Numquam ponenda est pluralitas sine necessitate.)
(Score: 0) by Anonymous Coward on Saturday December 17 2022, @07:32PM
It's kind of interesting how open they are about it, and how little seems to be done about it. I recall similar, or more or less the same, issues as the ones described in the article, but instead of being a subway card it was payphone cards. But this was in the mid-90s. But the principle was the same: the card was weak on protection, and everything was stored on the card and could be manipulated.
But this used to be one of those things that wasn't really talked about or shared with the public in general. But more a somewhat open secret among the selected few that enjoyed such things. You built them yourself, so it wasn't just cloning and hex editing but hardware the size of about an actual card and a bit more. So if they ever spotted you with one it would be hard to deny what it was. But the principle of it all was the same or similar, a good or full dump overwriting the card on command thereby refilling it or restoring it.
(Score: 2) by Uncle_Al on Saturday December 17 2022, @07:47PM
https://groovyhistory.com/deck-us-all-with-boston-charlie-pogo [groovyhistory.com]