Not so smart cards easily hacked
MIT students hack into Boston's transit system, highlighting security flaws in mass-transit cards.
Oakland, Calif.; and Boston
The recent hacking into Boston's mass transit system by three local university students underscores a much broader problem: More than a billion mass-transit fare cards and door-swipe badges worldwide have a security weakness.Skip to next paragraph
Subscribe Today to the Monitor
That's due to a flaw revealed in a smart chip's design earlier this year. Other agencies that use the chip – from the London Tube to the Dutch government – have scrambled to adopt temporary countermeasures, says Karsten Nohl, the researcher who first uncovered the trouble. All their smart cards, he says, need to be shored up or replaced.
Three Massachusetts Institute of Technology students drove home this and other weaknesses in Boston's transit system when they claimed to have found a way to add money onto fare cards free of charge.
For now, a restraining order taken out by the Massachusetts Bay Transportation Authority (MBTA) stops the students from publicizing their work. But details are already leaking out. And their exploits come less than a year after Mr. Nohl's research had already pointed down one path to hacking such systems.
That's leaving some security experts to question the MBTA's efforts to maintain security through secrecy. "I'll predict for you that within a couple of months someone will reproduce the attack, whether or not the details were released," says Mike Davis, a senior security consultant with IOActive in San Francisco. "What these new hard-core attacks are starting to show us is that the obscurity we relied on to protect these systems are just assumptions people have made."
The MBTA spent $192 million upgrading its fare collection system in 2006, and picked a smart card system with the "Mifare Classic" chip. Mr. Nohl, now finishing his PhD at the University of Virginia, showed in December that this chip relied on a quickly crackable cipher whose only real strength turned out to be its secrecy.
"Now [MBTA officials] are trying to decide whether they should again replace everything with a third technology, or seek alternative means to combat fraud – one of which is to sue researchers," says Nohl.
Others have responded differently, he adds. London Tube officials developed a stopgap that could protect them until an upgrade becomes available. The Dutch government has dispatched security guards at key doorways once guarded only by smart cards using that technology.
However, only Boston's system has actually suffered a public hack.
Doing MBTA a good turn?
The MBTA cannot be sure that its security system is vulnerable until it has more detailed information from the MIT students, such as the report they submitted to their professor and the computer code they planned to reveal earlier this month at the DefCon hacker conference in Las Vegas, according to MBTA spokeswoman Lydia Rivera.
"If we get additional information, then we can actually make an informed and responsible decision on whether in fact their findings have merit," she says. "These students, along with the MIT staff and teachers overseeing them, have a responsibility to the public to share the information [with us] prior to making the information public or trying to make it public."
The students found flaws not included in Nohl's research and developed ways to add hundreds of dollars onto both the MBTA's new smart cards and its older-style paper tickets with magnetic strips.