Stories
Slash Boxes
Comments

SoylentNews is people

Operation Charlie: Hacking the MBTA CharlieCard From 2008 to Present

posted by janrinok on Saturday December 17, @05:04AM   Printer-friendly
from the sorry-Charlie dept.

owl writes:

https://medium.com/@bobbyrsec/operation-charlie-hacking-the-mbta-charliecard-from-2008-to-present-24ea9f0aaa38

Archive link: https://archive.vn/Pfc6Q

The CharlieCard is a contactless smart card used for transportation fare payment in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (aka MBTA or the T) and several regional public transport systems in the U.S. state of Massachusetts. Nearly 15 years after a group of MIT students first publicly disclosed security vulnerabilities in the CharlieCard, I am publicly disclosing that it is possible using only an Android phone to:

  • Have a replacement CharlieCard delivered to a listed address, without paying
  • Provision a new CharlieCard with funds, without paying
  • Steal anyone's CharlieCard with a single physical tap of the card against a phone in a matter of seconds

This post will tell the story of the CharlieCard, complex system design, how vulnerability likelihood and severity can change with rapid changes in technology, the importance of OSINT (Open-Source Intelligence) monitoring and threat intelligence, and the process of responsible vulnerability disclosure to a government agency without a Vulnerability Disclosure Program.

Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Operation Charlie: Hacking the MBTA CharlieCard From 2008 to Present | Log In/Create an Account | Top | 9 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Saturday December 17, @07:32PM

    by Anonymous Coward on Saturday December 17, @07:32PM (#1282903)

    It's kind of interesting how open they are about it, and how little seems to be done about it. I recall similar, or more or less the same, issues as the once described in the article but instead of being a subway card it was payphone cards. But this was in the mid 90's. But the principle was the same, the card was weak on protection and everything was stored on the card and could be manipulated.

    But this used to be one of those things that wasn't really talked about or shared with the public in general. But more a somewhat open secret among the selected few that enjoyed such things. You built them yourself, so it wasn't just cloning and hex editing but hardware the size of about an actual card and a bit more. So if they ever spotted you with one it would be hard to deny what it was. But the principle of it all was the same or similar, a good or full dump overwriting the card on command thereby refilling it or restoring it.