Hack your local subway
Frequent travelers on any metropolitan subway system know that the two major means for fare tracking and billing are via magnetic strip and Radio Frequency Identification (RFID). And every nerd and his RPG character know that those systems can be both readable and exploitable.
To see how secure the Boston subway system was, several MIT students decided to run an analysis on the security of the infrastructure; what they found was a little disturbing. By simply wandering into unlocked doors, opening unlocked cabinets and peering around they were able to find keys to the system, get access to network hardware and find and copy employee identification.
On looking into the security of the magnetic and RFID systems, they were able to reverse engineer the code on the magnetic stripes and reconfigure the data to post $653 to a subway card. Similarly, the group analyzed the RFID contents and were able to disassemble the code.
The students point out that numerous transportation systems around the globe use these systems and technology.
Naturally, all of this is quite illegal -- the students were just illustrating a point to the MBTA that there are security vulnerabilities in the system that can fairly easily be exploited. Hopefully, they and the company that makes subway infrastructure perk up and make some serious security changes as a result of this research.
Check out the full 87-page presentation on the execution hosted at MIT.
Reader Comments (Page 1 of 2)
Craig Aug 13th 2008 6:10PM
One would hope that the authorities would take the advice seriously, but instead they'll probably just label those kids as "security threats" and lock them up.
This is Boston, after all, the city that went into hyper emergency mode when LED signs of cartoon characters appeared in the city: http://en.wikipedia.org/wiki/2007_Boston_Mooninite_Scare
Patricktimothy1 Aug 14th 2008 8:37AM
Craig is right. The authorities will never learn from this because they always hire arrogant snotty people who would rather have a disaster happen than admit being wrong.
Catherine Aug 14th 2008 8:50AM
Most people aren't smart enough to reverse-engineer codes. I think the "T" has more to worry about from gate-jumpers. There will be more of those when the T hikes its fares again.
grmijag Aug 14th 2008 11:41PM
Catherine - The problem isn't with the handful of people that are able to reverse engineer codes. The problem is with the thousands of blank magnetic strip cards they can load with $1,000 in fake tokens and sell illegally to the public at $50 each.
Brian M is a moron Aug 14th 2008 9:16AM
All the subway would have to do to stop these nerds is set up a big net with a Dungeons and Dragons game set up underneath it, or some Magic: The Gathering cards. Drop the net and cuff the geeks....Boston 1, Nerds 0.
zymo Aug 14th 2008 12:29PM
Hey Brian M is a moron.. I think you are the biggest moron.. these so-called 'nerds' are going to maintain your standard of living in this country.. ohh, just in case you didn't know, we are seriously in danger of LOSING the war on crucial talent and slipping down the drain.. just because people like you think of science and math as uncool...
Brian M is a moron Aug 14th 2008 1:13PM
Zymo, it's called a joke, dude. "Nerds" don't "maintain [my] standard of living" more than any other professionals. Besides, I probably know more about "science and math" than your 13 year old ass does.
Chris Aug 14th 2008 1:46PM
You run your mouth, and it makes people angry. If you know so much more than everyone else, why are you sitting at home, staring at your computer and waiting for people to reply to your stupid, thoughtless comments?
Chuck M Aug 14th 2008 10:05AM
You have to wonder what's being done in America about keeping the public safe. That's America in the 21st Century: image is everything. It's far more important to put on a big show of security that might not really accomplish anything rather than addressing real problems that might not be exciting enough to make the MSM news.
Good thing Richard Reid had explosives in his shoe rather than his underwear. What a fun scene it would be at airport security checkpoints with people taking that off to put on the xray machine.
C Aug 14th 2008 9:38AM
Why don't you just post how to go about building a dirty bomb and where to get the materials, so the terrorists will have an easy time at it.
Mary Aug 14th 2008 9:41AM
Brian Is a Moron - the point is not to stop the students to whom you refer as "nerds", Moron, it is to stop criminals and terrorists who might use the security breaches they discovered to kill you and other morons who don't get it.
albert Aug 14th 2008 9:43AM
somebody somewhere is pissed that they will soon no longer be able to get free money on their subway card.
s. perry Aug 14th 2008 10:06AM
Uh-h-h-h! Wake up America!!!
Lola Aug 15th 2008 7:24PM
I think this is a very important study. That being said... it is a little worrisome that the report they posted on the event basically tells you how to do everything they did... just in case you were an absent minded terrorist, this takes away any chance you might not know what you're doing. That's a little careless. I agree MBTA needs to step it up, but they deserve a period of safety to do that.
rcott Aug 14th 2008 10:14AM
You have some students who COULD have done serious damage to the transit system. Instead, they wrote a report and gave it to the transit system so that others with less honorable intentions can't do the kind of damage the students could have done. These students are not bad people. Sure, they may be nerds, but they're wearing white hats. Don't bunch all computer techies into a single bundle. We need brilliant good guys, too, if the brilliant bad guys are going to be stopped.
mommienessa Aug 14th 2008 11:13AM
Thank you rcott! I wish more people would realize that it's "nerds" who keep the infrastructure running. It's nerds who program the street lights, the "geek" squad pulls up the files that are accidentally deleted from hospital computers, the "dweebs" that get our bank account information texted to us, and the "dorks" who came up with satellite communications...... I love nerds!
Terry Aug 14th 2008 10:31AM
These kids aren't nerds...they're some of the best and brightest. They've got the brains and resourcefulness to identify the problem areas in security, and in a few years they're going to be the ones keeping us safe. Nerds are wannabees...wanting to be smart to make up for lack of "coolness" but not quite there. Nerds end up at state colleges, not MIT.
J.H. Aug 14th 2008 10:48AM
I think that New York and Philadelphia are getting similar signaling and fare collection systems. Imagine from the computer you can open and close the subway doors, or reroute a train. That is scary. Sometimes the older technology is better (you can hack a vetag, but you can't hack an identra coil).
Omnislash89 Aug 14th 2008 11:28AM
Wow, there's a broad-daylight reference to Final Fantasy VII's first few minutes of gameplay!
The rebel organization you start playing in has witty and technologically smart members that find a way to bypass the security for the Midgar subway (train) system...because they're all labeled as fugitives and cannot use their own cards... so they sneak around the checkpoints by using fabricated ID cards...
I cannot believe this article hints to this example! ...and the worst part is, I don't think a lot of people understand the reference.
Nimue10433 Aug 14th 2008 11:49AM
What they neglected to tell you in this report is that they have posted it online after they were asked not to. And that these bright students are using the system to hop on for free. Funny how things get turned around to benefit those who could have easily just gone to the MTA with their findings, but nope, they posted how to do it online.