
posted by janrinok on Saturday December 17, @05:04AM
from the sorry-Charlie dept.

https://medium.com/@bobbyrsec/operation-charlie-hacking-the-mbta-charliecard-from-2008-to-present-24ea9f0aaa38

Archive link: https://archive.vn/Pfc6Q

The CharlieCard is a contactless smart card used for transportation fare payment in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (aka MBTA or the T) and several regional public transport systems in the U.S. state of Massachusetts. Nearly 15 years after a group of MIT students first publicly disclosed security vulnerabilities in the CharlieCard, I am publicly disclosing that it is possible using only an Android phone to:

  • Have a replacement CharlieCard delivered to a listed address, without paying
  • Provision a new CharlieCard with funds, without paying
  • Steal anyone's CharlieCard with a single physical tap of the card against a phone in a matter of seconds

This post will tell the story of the CharlieCard, complex system design, how vulnerability likelihood and severity can change with rapid changes in technology, the importance of OSINT (Open-Source Intelligence) monitoring and threat intelligence, and the process of responsible vulnerability disclosure to a government agency without a Vulnerability Disclosure Program.


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2) by krishnoid on Saturday December 17, @05:25AM (5 children)

    by krishnoid (1156) on Saturday December 17, @05:25AM (#1282831)

    Maybe Charlie can load the exploit and finally get off the MTA [youtu.be]. Someone needs to make a sequel to this song (originally made as a political statement) with a cybersecurity theme.

  • (Score: 2) by Thexalon on Saturday December 17, @01:31PM (3 children)

    by Thexalon (636) Subscriber Badge on Saturday December 17, @01:31PM (#1282875)

    Of course, Charlie could have gotten off that train had his wife handed him a nickel instead of a sandwich, or any kind stranger with a nickel handy helped him out, but why let logic get in the way of a good story?

    I also have to think these techniques might also work with other fare-card systems such as London's OysterCard.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by SDRefugee on Saturday December 17, @02:03PM (2 children)

      by SDRefugee (4477) on Saturday December 17, @02:03PM (#1282878)

      Not sure how that works... On every transit system I've seen, if you don't have the correct fare, you don't get on; they don't let you on and then keep you prisoner if you don't have the correct fare. But I guess it makes a cool song, love the Kingston Trio.

      --
      America should be proud of Edward Snowden, the hero, whether they know it or not..
      • (Score: 0) by Anonymous Coward on Saturday December 17, @08:43PM

        by Anonymous Coward on Saturday December 17, @08:43PM (#1282918)

        Here, the subway is open, anyone can get on. But!! There are toll checkers roving making random checks on the trains and platforms and if you can't show them the correct ticket (purchased in advance), then you get fined (like a highway speeding ticket).

      • (Score: 2) by krishnoid on Saturday December 17, @08:47PM

        by krishnoid (1156) on Saturday December 17, @08:47PM (#1282919)

        I think that counts as "false arrest" if you're prevented from debarking (veterinarians/arborists excluded). They can try to collect later under the terms of the contract, but they can't restrict your freedom without legal charges and/or a trial, I believe.

  • (Score: 2) by stormwyrm on Saturday December 17, @10:37PM

    by stormwyrm (717) on Saturday December 17, @10:37PM (#1282936)

    Interestingly, that's been a much beloved song of Lisp hackers. It was referenced by Guy L. Steele and Gerald Jay Sussman in one of the Lambda Papers (AIM-453) [mit.edu], where they speak of functions that never return (like the Lisp REPL loop). Henry Baker also referred to it in a paper, "CONS should not CONS its arguments, part II: Cheney on the M.T.A." [acm.org], describing an implementation of Cheney's garbage collection algorithm that uses C functions that never return.
    --
    Numquam ponenda est pluralitas sine necessitate.