Students’ Presentation Shows How to Get Free T Fare

This is the first slide of the canceled DEF CON presentation on subway vulnerabilities. The students performed their research as part of 6.857 (Computer and Network Security).

Documents made public by an MBTA lawsuit against MIT undergraduates show how anyone can get free T fare by copying an existing CharlieTicket or by making their own.

It is not clear what, if anything, a restraining order issued by the Federal District Court of Massachusetts on behalf of the Massachusetts Bay Transit Authority served to protect. That restraining order had the effect of cancelling the students’ presentation at the annual DEF CON hacker convention.

MBTA spokesman Joe Pesaturo characterized documents available online and in court filings as “harmless information that is now public” in an e-mail.

But that public information shows how to get free rides with a CharlieTicket, leaving open the possibility that the MBTA suspects an even more serious compromise of its CharlieCard system. In partial response to a request for information about their research, the students submitted a 30-page sealed report to the MBTA last week; its contents are not known but might include some vulnerability even more serious than the ones which are now public.

Numerous ways to get unpaid-for T fare are clearly laid out in the DEF CON presentation, available online at; in a report the students gave to the MBTA, available at; and in prior research on similar systems.

Anyone with a magnetic card writer can repeatedly copy a CharlieTicket onto another card, never having to pay for a ticket again, if the students’ “Vulnerability Assessment Report” is accurate. In the T’s system, a CharlieTicket is worth as much as its magnetic stripe says it is, and no central computer tracks the tickets’ values, according to the report.

A single $25 ticket could be copied onto hundreds, if not thousands, of blank cards, providing free travel forever.

A ticket’s identification number or value can also be easily changed, the report says. A $5 card can be made to say it is worth up to $655.36.

A thief could take a 5 cent CharlieTicket, rewrite it so that its value is $99, insert it into an MBTA ticketing kiosk along with a dollar, and receive $100 in T fares on a fresh card, purchased for $1.05, the report says. The ticket would have “$100.00” printed on the front and would appear identical to a legitimate CharlieTicket. The report suggests that an attacker might resell tickets.

Three people arrested in New York are said to have exploited a vending machine bug to get $800,000 worth of Long Island Rail Road tickets and MetroCard fares for free, The New York Times reported Tuesday. They allegedly sold much of that fare — suggesting that someone with similar profit motives might try to operate in Boston.

Magnetic card writers go for $173 on eBay, but they can be made for as little as $5 in parts, according to slides the students were to present at this weekend’s DEF CON hacker convention. Discarded CharlieTickets are available in many subway stations’ trash cans; other cards with magnetic stripes can also be found for less than a dollar online.

The information on the ticket includes a checksum, a six-bit number calculated from the rest of the information on the card, which is used to detect errors in the card’s data. There are only 64 six-bit numbers. If you do not know how the checksum is generated, you need only create 64 tickets, each with a different checksum value, and test each. One will work, according to the report.

The report does not say whether the students have successfully written software to generate forged CharlieTickets without having to try all the possible checksums. The final presentation in the spring 2008 subject Computer and Network Security (6.857) was based on guessing the checksum value by making many cards, a “brute force” approach. That work was done by four students: Samuel G. McVeety G, who did not participate in the DEF CON presentation, along with the three students who did, Zackary M. Anderson ’09, Russell J. Ryan ’09, and Alessandro Chiesa ’09. The project earned an A, according to the MBTA.

Students recommend system changes

A central system should store the current value of all tickets so that people cannot forge new CharlieTickets, the students’ confidential report recommends. An “auditing system” should also be used to detect copied or forged tickets, the report recommends.

The MBTA apparently has a way to track all transactions and trips made on every CharlieCard and CharlieTicket and to associate each transaction with a card’s identification number. MBTA court filings allege that the system showed CharlieTickets depicted in the students’ presentations were used to get unpaid-for travel. But the MBTA system apparently does not prevent unpaid-for travel, and it is unclear what, if anything, is done to prevent it.

The CharlieTicket and CharlieCard should both include additional encryption to make them hard to duplicate or forge, the students’ report says. The report recommends an auditing system be installed to detect cloning of RFID cards. It also recommends that the CharlieTicket’s checksum be replaced with a cryptographically secure signature which would be harder to duplicate.
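The report's recommendations above (a central store of ticket values, an auditing system, and a cryptographic signature in place of the six-bit checksum) can be sketched as follows. This is an added example, not code from the students' report or the MBTA; the stripe layout, the demo key, and the names FareBackend and encode_ticket are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumption: constructed demo key; a real deployment would keep it in an HSM.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16  # 128-bit truncated HMAC-SHA256 tag, versus a 6-bit checksum


def encode_ticket(ticket_id: int, value_cents: int) -> bytes:
    """Hypothetical stripe layout: 4-byte id, 4-byte value, 16-byte tag."""
    body = struct.pack(">II", ticket_id, value_cents)
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class FareBackend:
    """Central ledger: the stored balance is authoritative, not the stripe."""

    def __init__(self):
        self.balances = {}   # ticket_id -> remaining cents
        self.audit_log = []  # (ticket_id, reason) for every rejected tap

    def issue(self, ticket_id: int, value_cents: int) -> bytes:
        self.balances[ticket_id] = value_cents
        return encode_ticket(ticket_id, value_cents)

    def tap(self, stripe: bytes, fare_cents: int) -> str:
        if len(stripe) != 8 + TAG_LEN:
            return self._reject(None, "malformed")
        body, tag = stripe[:8], stripe[8:]
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        ticket_id, _claimed_value = struct.unpack(">II", body)
        if not hmac.compare_digest(tag, expected):
            return self._reject(ticket_id, "bad_signature")  # edited stripe
        balance = self.balances.get(ticket_id)
        if balance is None:
            return self._reject(ticket_id, "unknown_ticket")
        if balance < fare_cents:
            # Copies share one ledger entry, so a clone gains nothing extra.
            return self._reject(ticket_id, "insufficient_ledger_balance")
        self.balances[ticket_id] = balance - fare_cents
        return "ok"

    def _reject(self, ticket_id, reason: str) -> str:
        self.audit_log.append((ticket_id, reason))
        return reason
```

Because every copy of a stripe draws on the same ledger entry, duplicating a ticket adds no value, and each rejected tap leaves an audit record keyed by ticket ID.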

The DEF CON presentation highlighted fixable weaknesses in “physical security.” The presentation includes photos of unlocked doors into subway stations, pictures of open “turnstile control boxes” accessible “almost everywhere,” a picture of a “door key” found in an open box, and a photo of a computer screen in the MBTA’s operations center. (That picture was taken from an adjacent building with a telephoto lens, according to Tech photographer Eric Schmiedl, who gave a presentation on physical security at DEF CON.)

CharlieCard may be insecure

In place of the students’ talk on Sunday, Dutch journalist Brenno de Winter gave a talk describing vulnerabilities in the MIFARE Classic card, made by NXP Semiconductors, which is used worldwide and is called a CharlieCard by the MBTA. He described NXP’s unsuccessful attempts to silence Dutch researchers who found vulnerabilities in the system.

Research results to be published in October will show how the card can be cloned in a few seconds, he said. “If anyone in the room is using MIFARE Classic at this moment, this is your final wakeup call,” de Winter said. “This is your final heads-up. You’ve got two months left, and then you’re screwed.”

The students’ report suggests that all CharlieCards may be protected against duplication by a single encryption key, but the report is unclear on whether they have decoded that key. If they have found this key, this could be what the MBTA’s restraining order seeks to protect. CNET reported on Thursday that the students gave the MBTA “particular information to complete the Charlie card hack which they say they had no intention of revealing in the Defcon discussion,” which could be this key.

The students’ report discusses possible ways to decode the encryption key that protects CharlieCards. It also suggests that the key may be the same on every card, rather than differing from card to card — which could be a serious problem if true. But in a court filing, security consultant Eric Johanson said that the publicly available information about the students’ findings describes an “aspirational” attack on the key rather than a functional one.

NXP’s MIFARE Classic card has undergone worldwide security analysis because it is used not only in Boston, but also in London’s transport system and in the Dutch transport system. The London system is known to be vulnerable to a cloning attack — by standing near someone, you can decrypt their card and copy its identity and value. An NXP lawsuit against security researchers, which sought to keep research details from being presented in public, was dismissed in Dutch courts.

An NXP Semiconductors employee advised the MBTA on July 30 about the upcoming DEF CON presentation. “Of special concern is the announced intent to release open source tools required to perform the attacks,” wrote Manuel Albers, director of regional marketing for NXP. “Please let me know if we can support you in any way,” he wrote.