MIT Kids: Please come hack us!

Who knew all we needed was some MIT kids to help us get around any future fare hikes.

Apparently, some students at MIT made hacking the Boston subway system (aka the T) into a class project.  The title of the project says it all: “The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems.”

Now, the work was done for a computer security class, so you can see the fit.

They planned to give their 80+ slide presentation at Defcon, one of the largest security conferences.

However, the MBTA sued to have the presentation stopped, and a federal judge issued a temporary restraining order barring the students from giving the talk.

The EFF (Electronic Frontier Foundation) got involved to fight the order.

Anyway, the students had successfully shown how to reverse engineer and forge both CharlieCards (the contactless RFID cards) and CharlieTickets (the magstripe tickets), Boston’s equivalent of New York’s MetroCards.

They basically did in a semester what any professional hacker could do, but planned to use it as an educational tool.  Sure, stealing rides is illegal, but the bigger issue is that a handful of students were able to beat the system fairly easily.

Makes me wonder what kind of havoc they could wreak with the Metrocard system.

4 thoughts on “MIT Kids: Please come hack us!”

  1. It’s been done. Read here:

    (linked PDF: 594-paper_MagneticStripeTechnology2.pdf)

    Basically, MetroCards (unlike CharlieCards) store their information in an unencrypted but completely non-standard format. Because of this you’ll need to construct a custom card reader (an off-the-shelf one won’t work). But once that has been completed you can read and rewrite your card, including the card value.

    But there’s a catch: The MTA stores your fare in a central database. To speed up fare collection, the turnstile “trusts” your card at face value, but every few minutes it will update its information with the central DB. So you can use your hacked card once, but once the turnstile “phones home” it will notice the difference and add your card to a list of invalid cards. This list is pushed to the turnstiles and stored locally, so you will be rejected next time you try to swipe.

    So the question becomes, how can you trick the central DB into believing your hacked card is valid? The MIT presentation doesn’t seem to address this issue.

    (linked PDF: Defcon_Presentation.pdf)

    Perhaps because CharlieCards are encrypted the central DB trusts their value, although this seems unlikely.


  2. These kids were exposing stupidity on the part of a large mass transit management team. They did good. When you slam students or hackers for good hacks, you force them below ground. Narrow minded idiots will prosecute non-malicious hacking because they need to prove they are worthy of their pay and the fact is they could not catch a serious hacker to begin with so they pick the low hanging fruit. We as a nation have to support good hacks. Sooner or later a good hacker will save us in a way nobody can even imagine yet.


  3. Nothing. The Metrocard system is entirely different. The cards sync with the master computer every 7 minutes. The master computer understands the balance of each card. The Metrocard is broken into three “stripes” on the magnetic strip. It records date and time of purchase, original amount, current amount, number of times swiped, time of last swipe, location of last swipe and amount removed in last swipe.

    You could alter this data (I seem to remember the encoding scheme is the same as they used to use on older airline tickets) and add extra money, but after the central computer was updated 7 minutes later it’d notice the anomaly of your card (more money than it should have had) and just disable it. So, at most, you can get $2 extra from a card. Being that you need to spend at least $4 to buy one, you’ll break even.

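Comments 1 and 3 both describe the same design: the turnstile trusts whatever balance is written on the stripe, and only a periodic sync with the central ledger can catch a card that claims more value than it was ever sold. The simulation below, added here as an illustration and not taken from the MIT slides or from any transit agency's code, models that “trust now, reconcile later” loop: a card object standing in for the attacker-writable magstripe, a turnstile that deducts fares offline and phones home on a timer, and a central database that hot-lists any card whose claimed balance exceeds its ledger entry. The $2 fare, the 7-minute interval, the card ID and the field names are all assumptions chosen to match the comments, not a real data format.

```python
# Constructed simulation of the "trust the card, reconcile later" fare design
# described in the comments above. Not the MTA's real protocol or card format;
# fare, sync interval, card ID and field names are assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass

FARE_CENTS = 200            # $2.00 per ride, as quoted in the comments
SYNC_INTERVAL_S = 7 * 60    # turnstile "phones home" every 7 minutes


@dataclass
class Card:
    """What lives on the magstripe. Every field here is attacker-writable."""
    card_id: str
    balance_cents: int
    swipes: int = 0


@dataclass
class SwipeRecord:
    card_id: str
    balance_claimed: int    # value the card presented before the deduction
    when: int               # seconds since the turnstile was powered on


class CentralDB:
    """Authoritative per-card ledger plus the hot list pushed to turnstiles."""

    def __init__(self) -> None:
        self.ledger: dict[str, int] = {}
        self.hotlist: set[str] = set()

    def issue(self, card_id: str, value_cents: int) -> Card:
        self.ledger[card_id] = value_cents
        return Card(card_id, value_cents)

    def reconcile(self, records: list[SwipeRecord]) -> set[str]:
        """Check each batched swipe against the ledger; return the hot list."""
        for r in records:
            expected = self.ledger.get(r.card_id)
            # A card the DB never issued, or one claiming more value than the
            # ledger ever credited, has been forged or rewritten: hot-list it.
            if expected is None or r.balance_claimed > expected:
                self.hotlist.add(r.card_id)
                continue
            self.ledger[r.card_id] = expected - FARE_CENTS
        return set(self.hotlist)


class Turnstile:
    """Accepts the card at face value; only the periodic sync can catch a lie."""

    def __init__(self, db: CentralDB) -> None:
        self.db = db
        self.hotlist: set[str] = set()        # local copy of the pushed hot list
        self.pending: list[SwipeRecord] = []  # swipes not yet reported
        self.last_sync = 0

    def _maybe_sync(self, now: int) -> None:
        if now - self.last_sync >= SYNC_INTERVAL_S:
            self.hotlist = self.db.reconcile(self.pending)
            self.pending = []
            self.last_sync = now

    def swipe(self, card: Card, now: int) -> bool:
        """True if the gate opens. The stripe is rewritten on the way through."""
        self._maybe_sync(now)
        if card.card_id in self.hotlist or card.balance_cents < FARE_CENTS:
            return False
        self.pending.append(SwipeRecord(card.card_id, card.balance_cents, now))
        card.balance_cents -= FARE_CENTS
        card.swipes += 1
        return True


def run_scenario(issued_cents: int, written_cents: int,
                 swipe_times: list[int]) -> list[bool]:
    """Sell a card for `issued_cents`, let the attacker rewrite the stored value
    to `written_cents`, then attempt one swipe at each time in `swipe_times`."""
    db = CentralDB()
    gate = Turnstile(db)
    card = db.issue("card-0001", issued_cents)   # hypothetical card ID
    card.balance_cents = written_cents           # the magstripe rewrite
    return [gate.swipe(card, t) for t in swipe_times]


if __name__ == "__main__":
    # Honest $4 card: two rides, then empty.
    print(run_scenario(400, 400, [0, 500, 1000]))        # [True, True, False]
    # Same card rewritten to claim $20: rides until the next sync, then hot-listed.
    print(run_scenario(400, 2000, [0, 60, 500, 1000]))   # [True, True, False, False]
```

The point the simulation makes explicit is that the detection window is exactly the sync interval: every swipe the rewritten card makes before the turnstile next reconciles is accepted, and everything after it is refused, whichever gate it is presented to once the hot list has been pushed. Shrinking that window, or having the gate consult the ledger online instead of trusting the stripe, is what closes the hole the commenters describe.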
