Anatomy of a Subway Hack

Sunday 10 August 2008

A trio of MIT students found security weaknesses in the MBTA, the Boston public transportation system, colloquially known as “the T”. The students were going to present their findings at Defcon, that is, until a judge ordered them not to.

Of course, the injunction did far more to spread the news than the talk alone would have, including making public the students’ whitepaper about the vulnerabilities. Their slides, Anatomy of a Subway Hack, are also online, including a photo of an over-the-top modded shopping cart that they somehow used as part of their work.

How many times do we have to see this story played out? A system is deployed with poor security, someone figures out the weaknesses and tries to talk about it, and is sued to prevent disclosure, only making the information even more available to the public. These injunctions are like putting a flashing red light on top of something: they only attract more attention to the situation. The presentation slides have already been distributed to all Defcon attendees; that toothpaste is not going back in the tube.

The MBTA should either decide that this is not that big a deal (how many people are really going to hack RFID cards to get on the T for free?), or get to work designing improvements. And they should hire these students to crack the new system before it’s deployed.


>how many people are really going to hack RFID cards to get on the T for free?

A lot.
On the channel 7 news tonight, the reporter tells us that the MBTA says there are "no flaws in their security". Yeah, right. OTOH I suppose that it is technically true that there are no flaws in their security, since the whitepaper clearly shows that they don't actually have any security.
The swipe card reader has to read and then write a magnetic record in only one swipe, with an encoding that has to tolerate occasional errors. I don't think that it is possible to make a much more secure solution that would allow almost free cards. A more secure solution would have to store more information, more densely packed on the magnetic strip, and thus more likely to be damaged in my pocket next to my keys.

It seems that the RFID uses one of the strongest encryption schemes possible for a low-power CPU. The card has neither the batteries nor the heat sink that you are used to in your laptop.

If the city managed to make the perfect solution (which will be breakable in a few years of CPU improvement at Moore's law rate), then they would saddle the taxpayers or riders with hundreds of thousands of dollars of cost. As opposed to losing a few hundred dollars at the hands of a capable hacker who will do it for fun.

The court decision is correct in this case, from the common sense perspective.
The hilarious part of all this is that the MBTA entered the detailed, not-disclosed-by-the-students vulnerability analysis of their entire system into the court's public record, which effectively puts the blame on them for leaking the real meat of the information.
You can get a copy from Wired's Threat Level blog here:
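The trade-off Zoran raises above, record size on the stripe versus how hard the record is to forge, can be made concrete. What follows is an added example and is not the MBTA's card format, the students' findings, or anything from the whitepaper: the six-byte record layout, the one-byte integrity field and the reader key are all assumptions chosen for illustration. It stores a balance on the card twice, once protected by a plain checksum and once by an HMAC truncated to the same one byte, and shows what an attacker who can rewrite the stripe gets in each case.

```python
import hashlib
import hmac

# Added example, not the MBTA's format or the students' findings. The record
# layout (4-byte card id + 2-byte balance in cents), the 1-byte integrity
# field and the reader key below are assumptions for illustration only.

TAG_BYTES = 1  # width of the integrity field on the stripe; same for both schemes


def checksum_tag(payload: bytes, key: bytes = b"") -> bytes:
    """Additive checksum: catches random read errors, but anyone can recompute it.
    The key argument is ignored; it exists so both tag functions share a signature."""
    return bytes([sum(payload) & 0xFF])


def mac_tag(payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 truncated to TAG_BYTES: costs no more stripe space than the
    checksum, but recomputing it requires the reader-side key."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_BYTES]


def encode(card_id: int, cents: int, tag_fn, key: bytes = b"") -> bytes:
    """Build a stripe record: payload followed by its integrity tag."""
    payload = card_id.to_bytes(4, "big") + cents.to_bytes(2, "big")
    return payload + tag_fn(payload, key)


def decode(record: bytes, tag_fn, key: bytes = b""):
    """Reader side: return (card_id, cents) if the tag verifies, else None."""
    payload, tag = record[:-TAG_BYTES], record[-TAG_BYTES:]
    if not hmac.compare_digest(tag_fn(payload, key), tag):
        return None
    return int.from_bytes(payload[:4], "big"), int.from_bytes(payload[4:6], "big")


def forge_value(record: bytes, new_cents: int, tag_fn, key: bytes = b"") -> bytes:
    """Attacker with a stripe writer: keep the card id, rewrite the balance,
    and recompute whatever tag the attacker is able to compute."""
    card_id = int.from_bytes(record[:4], "big")
    return encode(card_id, new_cents, tag_fn, key)


def tags_accepted_by_guessing(card_id: int, cents: int, reader_key: bytes) -> int:
    """Keyless attacker against the MAC scheme: try every possible tag value
    and count how many the reader accepts (exactly one of 256 ** TAG_BYTES)."""
    payload = card_id.to_bytes(4, "big") + cents.to_bytes(2, "big")
    return sum(
        decode(payload + t.to_bytes(TAG_BYTES, "big"), mac_tag, reader_key) is not None
        for t in range(256 ** TAG_BYTES)
    )


if __name__ == "__main__":
    # Assumed reader key: lives in readers / the back end, never on the card.
    reader_key = b"example-reader-key-not-real"

    # Checksum scheme: the attacker can recompute the tag, so the forgery verifies.
    card = encode(0x1234, 500, checksum_tag)
    forged = forge_value(card, 60000, checksum_tag)
    print("checksum scheme, forged record decodes as:", decode(forged, checksum_tag))

    # MAC scheme: without the key the attacker can only guess the tag.
    card = encode(0x1234, 500, mac_tag, reader_key)
    hits = tags_accepted_by_guessing(0x1234, 60000, reader_key)
    print("MAC scheme, tags a keyless attacker gets accepted:", hits,
          "of", 256 ** TAG_BYTES)
```

Two design notes on the example (mine, not claims about the MBTA system). A one-byte truncated MAC still gives a keyless attacker a 1-in-256 chance per swipe, so the reader must treat a tag failure as an event to log and the back end must be able to block a card id, which is why the key belongs in the reader and the back end and never on the stripe. And the forgery only pays off because the balance is stored on the card at all; a server-side balance keyed by card id needs no additional bits on the stripe, which is the cheaper answer to the "more information, more densely packed" objection.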
@Zoran: you say the court decision is correct from a common sense perspective, but I think you are wrong. What was the MBTA's goal? To keep the information from becoming well known. Did the court's decision achieve that goal? Hardly. If anything, it made matters worse.

If the MBTA believes that its security is the best that could be achieved, then they should accept the consequences of their design. Trying to muzzle discussion of their (public) system is pointless and will only hurt their efforts.

BTW, here's a radical proposal: make the T free. Then we wouldn't need any of this infrastructure, and wouldn't have to worry about its security. We wouldn't have to spend tax dollars to build this bogus system, we could spend them on providing public transportation. Roads are nearly 100% subsidized infrastructure for cars, why not provide subsidies for alternatives to cars? It would also speed service, since people could board trolleys faster without stopping to pay, and could use all the doors on the trolley instead of just the front door to get on.
Ned, I do agree that the MBTA would be better off just letting it slide. The court, however, made the correct decision. MBTA lawyers might know of a reason I don't know about (e.g. making it hard to go after fare evasion if you knew of an infringement previously and didn't stop it).

I used the T only a couple of times. From what I observed, I could not agree more: making it free would save money. However, a free subway in New York City would probably attract a lot of homeless people, or poor people who would otherwise walk a couple of blocks to work. People also tend to take less care of things that they perceive are free. Plus tourists get to ride for free, making congestion at rush hour while not paying taxes.

This "radical proposal" of free worked for online newspapers, and did not work under socialism (health care, education, roads: all free but crummy). It would be great if Boston did the first experiment.
For an example of a quite successful (and relatively cheap) RFID subway card system, check out Korea's T-Money system (wiki it!). I've had the same card for 2 years now and still no problems. Well, other than that I just disassembled it today... FOR GREAT PROGRESS!

But yeah, it still works if I attach the antenna leads.

Each card costs 2,500 won or roughly $2. Not bad eh?
