Not so smart cards easily hacked
MIT students hack into Boston's transit system, highlighting security flaws in mass-transit cards.
As security researchers, they feel they are contributing to the public welfare by exposing critical vulnerabilities in the transit system. Transit authorities assessing their computerized systems need to sweat the details, says Zack Anderson, one of the students involved in the project.
"There are a lot of small intricacies that, if not done correctly, could result in systemwide failure," he says. "Some of the issues sometimes come down to fundamental mathematical errors like cryptography algorithms. That wouldn't be the MBTA's fault or the system integrator's fault. That would be the [fault of the] vendor who sells the technology."
Mr. Anderson says the students did approach the MBTA about their findings before the conference.
Another court hearing takes place Tuesday, and researchers are warning that if the lawsuit succeeds it will poison future cooperation. "I think hackers will keep hacking, but they won't do responsible disclosure anymore," says Nohl.
Despite the legal wrangling, the cat is almost out of the bag anyway. A slide show presentation the students planned on giving at DefCon has already hit the Internet, even though they canceled the speech.
MBTA's Ms. Rivera says she does not recollect those reports.
Nohl says the MBTA was aware of the vulnerabilities he outlined and that they considered implementing additional security measures. He adds that his Dutch colleagues will be publishing more explicit research on the chip's weakness in October.
"Once that paper is published, everybody can easily copy cards," he says.
John von Goeler at Scheidt & Bachmann, the system integrator for many US public transit systems including Boston's T, declined to comment.
Older system was weaker
Still, transit fare systems that don't use smart cards are often even weaker. Older-style subway tickets with magnetic stripes usually have no encryption, but they also tend to store value in a central computer rather than on the cards themselves. New York City's MetroCard doesn't even have that security.
"The monetary value of the card itself [is] stored on the magnetic stripe," says Joseph Battaglia, an electrical engineer who mapped most of the data fields on the MetroCard. "If a criminal wanted to proceed to continue the reverse-engineering effort in order to create their own cards, there would be absolutely nothing preventing them."
Nor is encryption used for highway toll collection, according to Nate Lawson, founder of the Oakland-based security consultancy Root Labs. He discovered that the Bay Area's FasTrak transponders could be tampered with remotely, even by people in nearby cars.
Adding encryption increases the costs. The MBTA could have chosen smart cards with strong cryptography, says Mr. Lawson, but since the fare cards are given out free of charge, the MBTA saved money upfront by choosing the much cheaper Mifare Classic chips.
The danger for weak systems like the MBTA's is that "somebody will take the attack and package it nicely," says Lawson.
Such systems can be sold to criminals, who can then use them to churn out bogus cards to sell on the street. "Once it hits that level, that's when it costs the transit company a lot of money."