A hacker with an Android phone and a little know-how can create their own CharlieCards and ride MBTA buses and subways without paying, according to research from a Boston-based cybersecurity expert.
And for now, the MBTA admits there’s not much they can do about it, other than deactivating fraudulent cards.
CharlieCards are used by thousands of Boston-area commuters to pay for subway or bus rides. A user can charge them up with cash value by swiping a credit card or inserting cash at a payment terminal. Then the user taps the card on a subway gate or bus fare box. An amount equal to the fare is deducted from the card.
But cybersecurity analyst Bobby Rauch says a well-known weakness in the system is now relatively easy to exploit.
“Anyone in Boston with an Android phone and a curiosity about how the CharlieCard works can exploit those same vulnerabilities,” said Rauch, who brought the problem to the agency’s attention in August.
This isn’t the first time “ethical hackers” have warned about CharlieCard problems. In 2008, computer science students at the Massachusetts Institute of Technology identified a similar CharlieCard security lapse. The students said they would publicly describe the security flaw at a major computer-hacking conference. In response, the transit agency sued the students and persuaded a federal court to issue a gag order, forcing the students to cancel the speech. The ruling spawned a fierce backlash from civil liberties groups, and the court reversed itself. The MBTA later dropped the lawsuit and agreed to consult with the students on ways to improve CharlieCard security.
These days, the MBTA takes a different approach to security whistleblowers. “It’s no longer punitive,” said William Kingkade, the MBTA’s senior director of automated fare collection. “It was welcoming.”
Instead of trying to silence Rauch, the agency worked with him to better understand the flaws in the CharlieCard system.
It doesn’t hurt that Rauch, who graduated in computer science from MIT, is a veteran bug hunter with a strong track record. Last year he revealed how hackers could use Apple’s AirTag personal tracking devices to steal a user’s sensitive information. Earlier this year, he reported on a flaw in Microsoft Teams that could be used to smuggle malware onto computer systems.
This time, Rauch took a look at a new way to exploit some of the same security flaws that the MIT students discovered back in 2008.
Each CharlieCard contains a near-field communication, or NFC, radio chip, which keeps track of the money stored on the card. This data is encrypted using an algorithm that’s easy to break; indeed, the encryption keys are readily available online. And with the right equipment, a clever hacker could intercept the radio signal from someone’s CharlieCard, record its data, and copy it onto a blank card to get free subway rides. The original CharlieCard would still work, but so would its clone.
Back in the day, such an attack required a lot of costly equipment, making it quite impractical. But Rauch figured out that some of today’s Android phones could pull it off. Nearly all of them contain NFC chips for use in making payments at credit card terminals. And some of them, including several of Google’s Pixel phones, use NFC chips that can talk to the ones inside CharlieCards. There’s even an app, freely available on the Google Play store, to let such phones download the data from a CharlieCard and copy data to a blank card. (Apple’s iPhones also contain NFC chips, but none of them are compatible with CharlieCards.)
“I could theoretically capture a dump of a real CharlieCard, write it to a blank card I purchased online, repeatedly ride the T, and then once I emptied my funds, replenish by writing the dump of the real card back to my blank card,” Rauch wrote in a blog post. “Additionally, I could write to multiple cloned cards and either distribute or sell them.”
Rauch even speculated that somebody with an Android phone could steal the data from another commuter’s CharlieCard, simply by standing close enough to intercept the card’s radio signal.
The MBTA’s Kingkade said the agency isn’t too worried, because he expects few people to attempt this kind of exploit. He said the MBTA has installed software safeguards in its computer network capable of detecting cloned CharlieCards. “We look for the fraud and capture the fraud every day,” he said. “It’s very small numbers,” he added — about 10 a month. When a counterfeit card is detected, it’s immediately deactivated.
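The article does not say how the MBTA's back office spots cloned cards. As an added illustration (not the MBTA's code, and not part of the original article), the script below shows two heuristics a fare system could run over its tap records that correspond to the behaviour described above: a card reporting more stored value than the server-side ledger expects (what rewriting an old dump onto a card looks like from the back office), and the same card ID appearing at two different stations closer together in time than any rider could travel (the original and its clone both in use). The ledger, station names, timing threshold and tap records are all constructed for the example.

```python
"""Added illustration of back-office clone detection for a stored-value
fare card. Assumed model (not from the article): the fare system keeps a
server-side ledger of each card's expected balance, debits it on every tap,
and records each tap's station, timestamp and the balance the card itself
reported. Top-ups are out of scope here; the ledger is seeded once."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Tap:
    card_id: str
    station: str
    ts: datetime
    reported_balance: float  # value stored on the card at tap time
    fare: float


def detect_clones(taps, ledger, min_travel=timedelta(minutes=5), tol=0.005):
    """Return {card_id: [reasons]} for cards whose taps look like cloning.

    ledger: {card_id: expected_balance} before the first tap in `taps`.
    min_travel: assumed minimum time to move between two different stations.
    """
    flags = defaultdict(list)
    expected = dict(ledger)
    last_seen = {}
    for tap in sorted(taps, key=lambda t: t.ts):
        exp = expected.get(tap.card_id)
        # Heuristic 1: balance replay. The card claims more value than the
        # ledger says it can have, with no top-up recorded in between.
        if exp is not None and tap.reported_balance > exp + tol:
            flags[tap.card_id].append(
                f"replay at {tap.station} {tap.ts:%H:%M}: card reports "
                f"{tap.reported_balance:.2f}, ledger expects {exp:.2f}")
        # Heuristic 2: impossible travel. Same card ID at two different
        # stations within less time than the assumed minimum trip.
        prev = last_seen.get(tap.card_id)
        if prev and prev.station != tap.station and tap.ts - prev.ts < min_travel:
            flags[tap.card_id].append(
                f"impossible travel: {prev.station} {prev.ts:%H:%M} -> "
                f"{tap.station} {tap.ts:%H:%M}")
        last_seen[tap.card_id] = tap
        # Debit the ledger, seeding it from the card if this card is unknown.
        expected[tap.card_id] = (exp if exp is not None else tap.reported_balance) - tap.fare
    return dict(flags)


def sample_taps():
    """Constructed tap records: C-1001 is cloned, C-2002 is an honest rider."""
    d = datetime(2022, 11, 1)
    t = lambda h, m: d.replace(hour=h, minute=m)
    return [
        Tap("C-1001", "Park St", t(8, 0), 10.00, 2.40),   # original card
        Tap("C-1001", "Harvard", t(8, 3), 10.00, 2.40),   # clone, old dump
        Tap("C-2002", "Park St", t(8, 10), 5.00, 2.40),
        Tap("C-2002", "Kendall", t(9, 0), 2.60, 2.40),    # balance matches
    ]


def run_sample():
    # Constructed ledger: balances the back office expects before 08:00.
    return detect_clones(sample_taps(), {"C-1001": 10.00, "C-2002": 5.00})


if __name__ == "__main__":
    for card, reasons in run_sample().items():
        print(card)
        for r in reasons:
            print("  ", r)
```

Both checks only fire once a clone is actually used, which matches the article's description of detection followed by deactivation rather than prevention; the travel-time threshold is a constructed value and would need tuning per network, and a legitimate card that missed a ledger sync can trip the replay check, so a real deployment would treat these as signals to review rather than automatic blocks.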
But Kingkade admits that the present CharlieCard system can never be made completely secure against this kind of attack. A solution is expected by 2024, when the MBTA is supposed to adopt a new and improved fare payment system.