Stories
Slash Boxes
Comments

SoylentNews is people

Operation Charlie: Hacking the MBTA CharlieCard From 2008 to Present

posted by janrinok on Saturday December 17, @05:04AM   Printer-friendly
from the sorry-Charlie dept.

owl writes:

https://medium.com/@bobbyrsec/operation-charlie-hacking-the-mbta-charliecard-from-2008-to-present-24ea9f0aaa38

Archive link: https://archive.vn/Pfc6Q

The CharlieCard is a contactless smart card used for transportation fare payment in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (aka MBTA or the T) and several regional public transport systems in the U.S. state of Massachusetts. Nearly 15 years after a group of MIT students first publicly disclosed security vulnerabilities in the CharlieCard, I am publicly disclosing that it is possible using only an Android phone to:

  • Have a replacement CharlieCard delivered to a listed address, without paying
  • Provision a new CharlieCard with funds, without paying
  • Steal anyone's CharlieCard with a single physical tap of the card against a phone in a matter of seconds

This post will tell the story of the CharlieCard, complex system design, how vulnerability likelihood and severity can change with rapid changes in technology, the importance of OSINT (Open-Source Intelligence) monitoring and threat intelligence, and the process of responsible vulnerability disclosure to a government agency without a Vulnerability Disclosure Program.

Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Operation Charlie: Hacking the MBTA CharlieCard From 2008 to Present | Log In/Create an Account | Top | 9 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by SDRefugee on Saturday December 17, @02:03PM (2 children)

    by SDRefugee (4477) on Saturday December 17, @02:03PM (#1282878)

    Not sure how that works.. On every transit system I've seen, if you don't the correct fare, you don't get on, they don't let you on and then keep you prisoner if you don't have the correct fare, but I guess it makes a cool song, love the Kingston Trio.

    --
    America should be proud of Edward Snowden, the hero, whether they know it or not..
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 0) by Anonymous Coward on Saturday December 17, @08:43PM

    by Anonymous Coward on Saturday December 17, @08:43PM (#1282918)

    Here, the subway is open, anyone can get on. But!! There are toll checkers roving making random checks on the trains and platforms and if you can't show them the correct ticket (purchased in advance), then you get fined (like a highway speeding ticket).

  • (Score: 2) by krishnoid on Saturday December 17, @08:47PM

    by krishnoid (1156) on Saturday December 17, @08:47PM (#1282919)

    I think that counts as "false arrest" if you're prevented from debarking (veterinarians/arborists excluded). They can try to collect later under the terms of the contract, but they can't restrict your freedom without legal charges and/or a trial, I believe.