Documents made public by an MBTA lawsuit against MIT undergraduates show how anyone can get free T fare by copying an existing CharlieTicket or by making their own.
The Massachusetts Bay Transportation Authority has asked for its temporary restraining order, protecting information about research by MIT students into the CharlieCard and CharlieTicket systems, to be changed to include only “non public” information. MBTA spokesman Joe Pesaturo characterized documents available online as “harmless information that is now public” in an e-mail.
But that public information shows how to get free rides with a CharlieTicket, leaving open the possibility that the MBTA suspects an even more serious compromise of its CharlieCard system.
Numerous ways to get unpaid-for T fare are clearly laid out in the DEF CON presentation, available online at http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf; in the report the students gave to the MBTA, available at http://www-tech.mit.edu/V128/N30/subway/10-declaration-henderson-vulnerability.pdf; and in prior research on similar systems.
Anyone with a magnetic card writer can repeatedly copy a CharlieTicket onto another card, never having to pay for a ticket again, if the students’ “Vulnerability Assessment Report” is accurate. In the T’s system, a CharlieTicket is worth as much as its magnetic stripe says it is, and no central computer tracks the tickets’ values, according to the report.
A single $25 ticket could be copied onto hundreds, if not thousands of blank cards, providing free travel forever.
A ticket’s identification number or value can also be easily changed, the report says. A $5 card can be made to say it is worth up to $655.36.
A thief could take a 5 cent CharlieTicket, rewrite it so that its value is $99, insert it into an MBTA ticketing kiosk along with a dollar, and receive $100 in T fares on a fresh card, purchased for $1.05, the report says. The ticket would have “$100.00” printed on the front and would appear identical to a legitimate CharlieTicket. The report suggests that an attacker might resell tickets.
(Three people arrested in New York are said to have exploited a vending machine bug to get $800,000 worth of Long Island Rail Road tickets and MetroCard fares for free, The New York Times reported Tuesday. They allegedly sold much of that fare.)
Magnetic card writers go for $173 on eBay, but they can be made for as little as $5 in parts, according to slides the students were to present at this weekend’s DEF CON hacker convention. Discarded CharlieTickets are available in many subway stations’ trash cans; other cards with magnetic stripes can also be found for less than a dollar online.
The information on the ticket includes a checksum, a six-bit number calculated from the rest of the information on the card, which is used to detect errors in the card’s data. There are only 64 six-bit numbers. If you do not know how the checksum is generated, you need only create 64 tickets, each with a different checksum value, and test each. One will work, according to the report.
The report does not say whether the students have successfully written software to generate forged CharlieTickets without having to try all the possible checksums. The final presentation in the spring 2008 subject Computer and Network Security (6.857) was based on guessing the checksum value by making many cards, a “brute force” approach. That work was done by four students: Samuel G. McVeety G, who did not participate in the DEF CON presentation, along with the three students who did, Zackary M. Anderson ‘09, Russell J. Ryan ‘09, and Alessandro Chiesa ‘09. The project earned an A, according to the MBTA.
Students recommend system changes
A central system should store the current value of all tickets so that people cannot forge new CharlieTickets, the students’ confidential report recommends. An “auditing system” should also be used to detect copied or forged tickets, the report recommends.
The CharlieTicket and CharlieCard should both include additional encryption to make them hard to duplicate or forge, the report says. The report recommends an auditing system be installed to detect cloning of RFID cards. It also recommends that the CharlieTicket’s checksum be replaced with a cryptographically secure signature which would be harder to duplicate.
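To illustrate the two recommendations above, a central value store plus a cryptographic tag in place of the six-bit checksum, here is an added example (not code from the students' report or the MBTA) that models a ticket record signed with HMAC-SHA256 and a back-office ledger that catches rewritten values and copied tickets. The key, field layout and ticket ids are constructed for the example.

```python
import hashlib
import hmac
import struct

# Hypothetical back-office key (constructed for this example); it never leaves the central system.
SERVER_KEY = b"example-key-not-a-real-mbta-key"
BODY_LEN = 6  # 4-byte ticket id + 2-byte value in cents (a 16-bit field, like the $655.36 ceiling)

def sign_ticket(ticket_id: int, value_cents: int, key: bytes = SERVER_KEY) -> bytes:
    """Encode (id, value) and append a 32-byte HMAC tag in place of a 6-bit checksum."""
    body = struct.pack(">IH", ticket_id, value_cents)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def parse_ticket(record: bytes, key: bytes = SERVER_KEY):
    """Return (ticket_id, value_cents) if the tag verifies, else None."""
    body, tag = record[:BODY_LEN], record[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return struct.unpack(">IH", body)

class FareLedger:
    """Central record of every ticket's value: the stripe is a pointer, not the source of truth."""
    def __init__(self) -> None:
        self.balances = {}   # ticket_id -> current value in cents
        self.audit_log = []  # events an auditing system would review

    def issue(self, ticket_id: int, value_cents: int) -> bytes:
        self.balances[ticket_id] = value_cents
        return sign_ticket(ticket_id, value_cents)

    def use(self, record: bytes, fare_cents: int):
        """Deduct a fare at a gate; returns (status, rewritten record or None)."""
        parsed = parse_ticket(record)
        if parsed is None:  # id or value edited on the stripe, so the tag no longer matches
            self.audit_log.append("bad tag")
            return "rejected: bad signature", None
        ticket_id, stripe_value = parsed
        ledger_value = self.balances.get(ticket_id)
        if ledger_value is None:  # well-formed record for an id the back office never issued
            self.audit_log.append(f"unknown ticket {ticket_id}")
            return "rejected: unknown ticket", None
        if stripe_value != ledger_value:  # a copy presented after the original was spent
            self.audit_log.append(f"clone suspected: ticket {ticket_id}")
            return "rejected: clone suspected", None
        if ledger_value < fare_cents:
            return "rejected: insufficient value", None
        self.balances[ticket_id] = ledger_value - fare_cents
        return "ok", sign_ticket(ticket_id, self.balances[ticket_id])
```

With a 256-bit tag there is no 64-entry space to enumerate, and because the ledger, not the stripe, holds the balance, a copied ticket is caught the first time its stale value disagrees with the central record.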
The DEF CON presentation highlighted fixable weaknesses in “physical security.” The presentation includes photos of unlocked doors into subway stations, pictures of open “turnstile control boxes” accessible “almost everywhere,” a picture of a “door key” found in an open box, and a photo of a computer screen in the MBTA’s operations center. (That picture was taken from an adjacent building with a telephoto lens, according to Tech photographer Eric Schmiedl, who gave a presentation on physical security at DEF CON.)
CharlieCard may be insecure
The students’ report suggests that all CharlieCards may be protected against duplication by a single encryption key, but the report is unclear on whether they have decoded that key. If they have found this key, this could be what the MBTA’s restraining order seeks to protect. CNET reported on Thursday that the students gave the MBTA “particular information to complete the Charlie card hack which they say they had no intention of revealing in the Defcon discussion,” which could be this key.
The CharlieCard uses the MIFARE Classic system, which is also used in London’s transport system and in the Dutch transport system. That system is known to be vulnerable to a cloning attack -- by standing near someone, you can decrypt their card and copy its identity and value. The maker of that card, NXP Semiconductors, has unsuccessfully sued in Dutch courts to keep research details from being presented in public.
The students’ report discusses possible ways to decode the encryption key that protects CharlieCards. It also suggests that the key may be the same on every card, rather than differing from card to card -- which could be a serious problem if true. But in a court filing, security consultant Eric Johanson said that the publicly available information about the students’ findings describes an “aspirational” attack on the key rather than a functional one.
The MIFARE Classic card has undergone worldwide security analysis.
In place of the students’ talk on Sunday, Dutch journalist Brenno de Winter gave a talk describing MIFARE Classic vulnerabilities and NXP’s unsuccessful lawsuit that sought to keep Dutch researchers from presenting those vulnerabilities. The research results to be published in October will show how the card can be cloned in a few seconds, he said. “If anyone in the room is using MIFARE Classic at this moment, this is your final wakeup call,” de Winter said. “This is your final heads-up. You’ve got two months left, and then you’re screwed.”
An NXP Semiconductors employee advised the MBTA on July 30 about the upcoming DEF CON presentation. “Of special concern is the announced intent to release open source tools required to perform the attacks,” wrote Manuel Albers, director of regional marketing for NXP. “Please let me know if we can support you in any way,” he wrote.