Boston’s Transit Authority – Lessons Learned, Maybe
In 2008 a group of MIT students were going to present a paper at the hacking convention Defcon on vulnerabilities in the Boston Transit (called the MBTA) fare card. The MBTA sued Defcon and the presentation was cancelled. But not before the slides for the presentation were published online.
While this is an alternative to fixing their problems, it probably was not the best alternative.
In 2021 a couple of 15-year-old Boston vo-tech students learned about the hack in a Wikipedia article and decided to try to replicate it.
They also figured that since this was more than a decade later and since the vulnerability received widespread attention, surely the MBTA fixed the problem. They had not.
While the kids were trying to replicate the attack, the MBTA finally, 11 years later, retired the old fare card.
So what are kids to do? They decided to try and hack the new fare card.
They figured out how to add any amount of money to one of these cards, or to designate it a (discounted) senior card, a student card or even an employee card (free rides!).
They even created their own portable kiosk to update any card. They also created an Android app to do the same thing.
However, the MBTA did learn one thing in eleven years.
Instead of suing the hackers, they asked them to come to MBTA HQ and give a presentation on the vulnerabilities they found.
They did ask them to obscure a few key details so that script kiddies could not replicate the attack. Seems fair enough.
BUT, they still are not fixing the vulnerabilities. It may be too hard to fix. They are going to replace this vulnerable fare card with yet another fare card in 2025.
The MBTA says that this doesn’t affect safety, just money, so (since they are part of the government) no big deal. They are increasing their fraud detection process to try and detect this specific type of fraud.
The flaw in the current card is that it works offline, so the data is stored on the card and not in a central database. This means if you can crack the encoding on the card, you can change the data.
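The fraud-detection mitigation mentioned above can be pictured as a back-office reconciliation that compares what each card reports with what authorised sales can explain. The sketch below is an added example, not MBTA or researcher code; the record layout, field names, fare amounts and sample events are all constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Event(NamedTuple):      # constructed record layout (assumption)
    seq: int                  # order in which the back office received it
    card_id: str
    kind: str                 # "topup" = authorised sale, "tap" = fare gate
    amount: int               # cents added (topup) or charged (tap)
    card_balance: int         # cents the card itself reported afterwards
    card_type: str            # fare class read from the card

def reconcile(events, registered_types):
    """Replay uploads against a server-side ledger; return sorted, de-duplicated
    (card_id, reason) alerts for data the back office cannot account for."""
    ledger = defaultdict(int)             # card_id -> cents backed by real sales
    alerts = set()
    for ev in sorted(events, key=lambda e: e.seq):
        delta = ev.amount if ev.kind == "topup" else -ev.amount
        expected = ledger[ev.card_id] + delta
        # More value on the card than sales explain is the suspicious direction.
        # Less can simply mean an offline reader has not uploaded its taps yet.
        if ev.card_balance > expected:
            alerts.add((ev.card_id, "unbacked_value"))
        ledger[ev.card_id] = min(expected, ev.card_balance)
        # Discounted or employee classes must match the issuing record.
        if ev.card_type != registered_types.get(ev.card_id, "adult"):
            alerts.add((ev.card_id, "fare_class_mismatch"))
    return sorted(alerts)

# Constructed sample data, not real fare-system records.
REGISTERED = {"A": "adult", "B": "adult", "C": "adult", "D": "adult"}
EVENTS = [
    Event(1, "A", "topup", 2000, 2000, "adult"),
    Event(2, "A", "tap",    240, 1760, "adult"),   # consistent
    Event(3, "B", "topup", 1000, 1000, "adult"),
    Event(4, "B", "tap",    240, 9760, "adult"),   # balance no sale explains
    Event(5, "C", "topup", 1000, 1000, "adult"),
    Event(6, "C", "tap",    110,  890, "senior"),  # class changed on the card
    Event(7, "D", "topup", 1000, 1000, "adult"),
    Event(8, "D", "tap",    240,  520, "adult"),   # lower: a tap not yet uploaded
]

if __name__ == "__main__":
    for card_id, reason in reconcile(EVENTS, REGISTERED):
        print(card_id, reason)
```

Detection of this kind only works after the fact: the gate still opens, because the offline reader trusts the card at the moment of the tap.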
What are the takeaways here?
- Don’t wait 11 years to fix a security problem
- Don’t try to suppress bad news; it doesn’t work
- Work with the good-guy hackers to learn as much as you can
- Mitigate the damage as best you can
- Get the best brains you can find to help you build a secure system
We shall see if the new, new system is any more secure than either of the previous two systems. Unfortunately, the MBTA operates in the back yard of MIT, Harvard, Amherst and a bunch of other great colleges. Oh, and some vo-tech schools with smart 15-year-olds.
Credit: Wired