“Known MBTA security flaw remains unpatched after being publicly disclosed 15 years ago. Boston mad. More at 11.”
Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides
Submitted 1 year ago by GravelPieceOfSword@lemmy.ca to technology@lemmy.world
https://www.wired.com/story/mtba-charliecard-hack-defcon-2023/
Comments
xodoh74984@lemmy.world 1 year ago
dojan@lemmy.world 1 year ago
Given how natty the Boston tubes are people should get paid to use them.
InvertedParallax@lemm.ee 1 year ago
The orange line is offended by this remark and wipes vomit on you in protest.
PineapplePartisan@lemmy.world 1 year ago
I’ve been in multiple fantasy football leagues over the years that have had teams named “Orange Line Jumper”.
Khotetsu@lib.lgbt 1 year ago
The worst part is that Boston is ranked like #3 for public transportation in the US (yes, even including the fires). The average commute time on a route is like 30 minutes faster than the national average for public transportation, and somewhere around 50% of Boston’s workers use the T to commute every day.
masterairmagic@sh.itjust.works 1 year ago
Last time I visited Boston was 10 years ago for a conference. It was already falling apart back then.
dojan@lemmy.world 1 year ago
I don’t think it’s gotten better since. I visited Boston back in late 2019, and it was gnarly. See I’m used to the Stockholm tubes, bright, colourful, artwork everywhere, clean-ish floors, elevators that smell of piss.
Boston by comparison was dark and grimy. The carts were super old, and the speaker probably hasn’t worked well since the 70s or so. Couldn’t make out a word of what the announcer said.
People were nice though! I almost fell over on someone, and they were pretty good natured about it!
Elderos@lemmings.world 1 year ago
I guess I am just and old grinch, but I feel like this is written to feel more epic and crazy than it really is.
The subway system basically encodes how much money you have on your RFID card, and merely overwrites that value when you recharge it or use it. To me, this sounds like a cost-saving measure and a cheap way to have a fault-tolerant system. It is vulnerable to hackers tho, sort of by-design.
To me, the reason they didn’t want word of this to get out is because the system is really good at doing what it is doing otherwise, and the small amount of fraud is probably costing them less than having to build a centralized system.
Kudos for students to even figure that out, but the feat in itself is almost equivalent to learning how to print counterfeit tickets to trick a clerk. It feels more crooked than technocally impressive. Those responsibles for the system already knew of this “flaw”. They just don’t need the instructions how to make counterfeit cards out there.
Hazdaz@lemmy.world 1 year ago
I knew someone who worked at a company that handled e-payments for a certain service (purposefully being vague). They’re system functioned similar-ish to what you describe, but it also checked the amount on the card with the amount on a database, and also kept a history both on the card and on the database. If they all didn’t match up, they knew there was some tampering going on.
matter@lemmy.world 1 year ago
The flaw is that the checksum is so bad.
psychothumbs@lemmy.world 1 year ago
High schoolers should all get free public transit access anyway.
BigJDC@lemmy.world 1 year ago
We do here in seattle/king county washington
hownowbrowncow@lemmy.world 1 year ago
FWIW the MBTA does offer a heavily discounted student pass called an “S Card”. There is also an “M7” pass that is subsidized by schools (free to students), but it’s opt in by school or program. It would be nice if it was free, but it’s something.
InvertedParallax@lemm.ee 1 year ago
Those 4 teens should get a scholarship for this, paid for by mbta’s IT security budget.
masterairmagic@sh.itjust.works 1 year ago
Those 4 teens should first fix mbta’s IT issues. It sounds like they are smarter than the folks at mbta.
Ape550@lemmy.world 1 year ago
It probably has less to do with how smart the MBTAs IT team is and more likely how much the MBTA is willing to spend on IT.
Potatos_are_not_friends@lemmy.world 1 year ago
I dunno about that. There’s a difference between people who can find flaws and people who architect systems.
That’s like saying a escape artist should be in charge of building the prison. Ideally they work together and provide both perspectives.
aard@kyu.de 1 year ago
It’s amazing how much NFC stuff is still badly done - and how bad the response to discoveries is. I recently got a police report filed against me here in Finland for pointing out that guarding personal details of kids and parents on a phone used in daycare by an empty tag, just by the tags UID is probably a stupid idea.
dhork@lemmy.world 1 year ago
It doesn’t surprise me, the vendor probably thinks they’re Agile, their team delivered a Minimum Viable Product and then their Management sold it. Security was always meant to be in a future Sprint.
If that model works for web services, it ought to work for anything, right?
Proweruser@feddit.de 1 year ago
Merriam Webster defines “agile (technology)” as “synonym for trash”.
aard@kyu.de 1 year ago
Agile, their team delivered a Minimum Viable Product
I guess that’s kind of what got me into this mess.
They have some shitty web application where you’re supposed to log times your kids will be in daycare. I logged in, looked around - and told the wife she can chose to log times herself, or tell daycare to do it themselves. I’m paid to deal with broken shit in my main job, I’m not doing that for free in my spare time.
At that point I assumed the web app was some prototype their intern had thrown together for the sales pitch, and they were now desperately trying to get it functional - to my surprise I later learned that it was an older product, with quite a few customers already.
Few weeks later wife came back upset from kindergarten over an argument about missing times - which forced me to actually deal with that dungheap, and prompted me to have a closer look at other components, like the android app they’re using on their phones as well. There’s a lot of stupid beginners mistakes in all components - not necessarily exploitable, but I also didn’t really check as in my opinion the tag thing would be sufficient to have this taken out of use.
r00ty@kbin.life 1 year ago
Reading the article it seems they made two mistakes. The first was to make the card authoritive instead of having a account data to ensure the information matched. The second was to use a proprietary checksum algorithm instead of using an open secure signature method.
I'd put money on the information they're holding back being details on the checksum algorithm.
masterairmagic@sh.itjust.works 1 year ago
Doesn’t having an account require an online system? By making the card authoritive you can build and offline system.
vlad76@lemmy.sdf.org 1 year ago
If there aren’t enough people that are knowledgeable enough to take advantage of something to have an impact on revenue, then you just ignore it.
gornar@lemmy.world 1 year ago
“The MBTA’s fraud detection team has increased monitoring to account for this vulnerability [and] does not anticipate any significant financial impact to the MBTA."
Oh well thank goodness the business isn’t hurt!
Gork@lemm.ee 1 year ago
Won’t somebody think of the shareholders??!!
aegis_sum@lemmy.world 1 year ago
The MBTA sued some MIT students a while back when they discovered the same thing. So the MBTA hasn’t fixed this in over a decade.
twotone@lemmy.world 1 year ago
If you had read the first paragraph, or even the subheader, you would have seen that the article covers that and that the kids were working off the 2008 research.
alienanimals@lemmy.world 1 year ago
Give the teens free passes for life and fire the executives responsible for the lapse in security.
KoboldCoterie@pawb.social 1 year ago
It’s nice to see the MBTA being a bit more modern with their approach to security breaches. The overly hostile “We’ll sue you if you tell anyone” tactic certainly would not encourage anyone to report anything they found so it could be fixed.
overzeetop@lemmy.world 1 year ago
This is the ideal response to a system threat of this type, especially if they didn’t know the vulnerability existed.
“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added.
That may be one of the most adult things ever said by an organization executive. Since they have a replacement system (hopefully more secure) in the works and they’ve used the data from he hackers to mitigate potential financial impacts to the system in the mean time, they’re being completely level-headed about the process. It’s a damned shame this doesn’t happen more often.
KoboldCoterie@pawb.social 1 year ago
Absolutely. They even said in the article:
He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”
It’s the Streisand Effect in full force; they drew attention to the vulnerability by fighting it so hard the first time. Who knows how many other people have found vulnerabilities since then that just haven’t been vocal about it. (The article mentions one such person, even.)
kitonthenet@kbin.social 1 year ago
Good for them
buckykat@lemmy.blahaj.zone 1 year ago
Denver just made all RTD service free to teens for at least the next year
popemichael@lemmy.sdf.org 1 year ago
I hope that they give these kids a job after college.
CookieJarObserver@sh.itjust.works 1 year ago
Based.
harry315@feddit.de 1 year ago
If teens can hack your stuff, you should be really thankful to find out they did, because our stuff is insecure as fuck then.
Gork@lemm.ee 1 year ago
Better our college students than nefarious actors.