fb-pixelSome Medford students hacked CharlieCards. Then they told the MBTA how they did it. - The Boston Globe Skip to main content

Some Medford students hacked CharlieCards. Then they told the MBTA how they did it.

High school hackers show how they broke MBTA security
Students at Medford Vocational Technical High School show Globe staff reporter Hiawatha Bray how they hacked CharlieCards for free rides.

High school students looking for free rides on the T usually just hop the fare gates. But four students at Medford Vocational Technical High School did it the hard way.

Seniors Matty Harris, Noah Gibson, Zack Bertocchi, and junior Scott Campbell found a way to boost the cash value of any CharlieCard without paying a dime, using either a homemade electronic “vending machine” or a custom app running on a standard Android smartphone.

“We’re able to copy cards infinitely,” said Harris.

The typical Android phone contains a chip that transmits a low-power radio signal that allows Android owners to pay for coffee, snacks, gasoline, and other goods with their phone via the Google Pay service. After two years of research, the students found they could use that same chip to rewrite the data on a CharlieCard, adding up to $300 of credit to a card purchased for just 25 cents.

The students’ vending machine, a rectangular black box with a small video screen, also uses the chip to alter CharlieCards. But it can also forge different types of cards, such as the reduced-fare cards issued to students or those given to employees of the Massachusetts Bay Transportation Authority. Employee cards can open the same gate over and over, so companions can also ride for free.

Advertisement



But instead of abusing their new-found power, the students reached out to MBTA cybersecurity officials in January and told them about it. Scott Margolis, the MBTA’s chief information security officer, said that without the students’ help, the T’s systems would have been defenseless against this newly discovered attack.

“We didn’t even know this could happen,” he said.

In 2008, when several students at the Massachusetts Institute of Technology figured out how to get free rides on Boston’s subways, the Massachusetts Bay Transit Authority won a court order barring the students from describing the hack at the Defcon computer security conference in Las Vegas. Since then, T officials have changed course, and now welcome input from so-called ethical hackers.

Advertisement



For instance last December, independent cybersecurity analyst Bobby Rauch demonstrated a way to copy the monetary value of one CharlieCard onto other cards, using an Android phone. In this way, a cardholder could add, say, $20 to a CharlieCard and fund another card over and over without ever paying another dime to ride the T.

The T worked closely with Rauch to find ways to defend against such attacks.

A group of Medford Vocational Technical High School students developed a way to hack the MBTA CharlieCard system to access free rides with no hardware other than an Android phone.Josh Reynolds for The Boston Globe

The agency has also treated the high school students as allies, not enemies. “They were an impressive group of young people,” said William Kingkade, the MBTA’s senior director of automated fare collection. “My fraud team really enjoyed working with them.”

When Harris, Gibson, Bertocchi, and Campbell spoke at the Defcon conference earlier this month, it was with the MBTA’s blessings. “Luckily one of the parents had frequent flyer miles that paid for most of it,” said Scott’s father, Jay Campbell, who accompanied the group to Las Vegas.

Jay Campbell said he is proud of the students’ achievements — and their integrity. “They really weren’t stealing any money. They weren’t doing anything illegal,” he said. “For them it was just a challenge. It was something fun to do.”

The MBTA says that exploiting the security flaw is so complicated that it doesn’t expect a flood of forged cards. Lucky for the T, because a permanent fix for the problem will require replacing the present CharlieCard system.

Advertisement



Today’s cards store the user’s financial data on the card itself, so it can be rewritten by someone with a card reader and the security key for the card’s embedded chip. Hackers can find the key online.

With help from the students, the T came up with automated scripts that can recognize forged cards and remotely deactivate them every 24 hours. That means a forged card can be used for no more than one day. On the other hand, someone armed with a stack of forged cards could still rack up a lot of free rides.

The only complete solution is a system that stores all financial data in the cloud. A rider’s card would contain a unique identification code, just like a credit or debit card. The money available for rides would be stored remotely and couldn’t be altered by hacking the card itself.

The T is updating the CharlieCard system to store all data in the cloud. This upgrade is scheduled to be completed by March of 2025.

Meanwhile, a more advanced solution is in the works. You may have seen credit card readers attached to the fare gates at T stations. They’re part of a new $930 million system that was supposed to begin service next year, but has been plagued by delays and rising costs.

Kingkade couldn’t say when the new system will be activated. But it will let riders pay with smartphones or tap-and-pay credit cards. And it will make today’s insecure CharlieCards obsolete.

Advertisement



From left, Scott Campbell, 16, Noah Gibson, 17, and Zack Bertocchi, 17, all of Medford, and Matty Harris, 17, of Malden, are Medford Vocational Technical High School students who developed a way to hack the MBTA CharlieCard system.Josh Reynolds for The Boston Globe

Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him @GlobeTechLab.