Hacking the MBTA


If we’d read the online listing that read “Want free subway rides for life?” we probably would have clicked to find out more. Unfortunately for three MIT students, a vendor that services the MBTA’s CharlieCard system found the post first, and alerted the agency to the students’ work.

The T won an injunction, so the group couldn’t share their findings at a hacker convention that took place in Las Vegas this weekend. But the T might be a little late in keeping the public from learning that the CharlieCard technology is easily manipulated.

Back in March, the Herald reported on the work of University of Virginia grad students, a tech-savvy group that found it took only a little know-how and less than $1,000 to break the encryption on smart cards like the CharlieCard.

At the time, MBTA spokesman Joe Pesaturo sounded fairly calm about the damaging news.

“It is MBTA policy not to discuss the security measures around its smart card technology. If this group is well intentioned and has information it wants to share with the MBTA, then MBTA staff would be happy to review the information.”

Zack Anderson, one of the MIT students, claims the T was much less gracious about his team’s findings.

“We wanted to let them know what we found and we wanted to tell them some ideas we had on how they could fix that system … We felt like the issue was resolved. That was verbally affirmed in a Monday meeting. Then Friday we find out there’s a federal lawsuit against us.”

Hey, guys? These kids are exposing the holes in your security software. For free. Why not ask them politely to turn over their findings and give them some internship credits for their efforts? Once they graduate, they’ll expect to be paid more for their consulting work than you’ll ever be able to shell out.
