The Tech (MIT student newspaper) publishes the banned DEFCON slides (www-tech.mit.edu)
144 points by pius on Aug 9, 2008 | 60 comments


Epic. That's all I can say.

The amount of work that went into this is awesome. They're hacking real life.



From the Wired article:

"Among the documents the MTBA filed with its declaration to the court today is a vulnerability assessment report (http://blog.wired.com/27bstroke6/files/vulnerability_assessm...) that the three students gave the MTBA about the flaws in its system. The document is dated August 8, the day the MTBA filed its lawsuit against the students, and is essentially the information the students declined to give the MTBA before it filed its lawsuit."

I can't help but think Wired got this wrong. Knowing who the students' advisor is, I find it pretty hard to believe that the students refused to give the assessment to the MBTA before publishing this presentation.


Incredibly cool. How could they possibly think they could just put the stored value on the card itself, unencrypted? I always assumed the card was just a token that refreshed some database on their end, instead of stupidly storing it in hex right there on the card stripe.


Smartcard security is notoriously bad in the vast majority of deployed systems.

The people designing these high human traffic systems are usually much more concerned about other factors (low latency at the turnstile, minimal number of network connections to wire, card reliability, etc.) than they are about security.


Agreed. The cost of implementing such an open system is negligible compared to the cost of securing it. You can harden a system as much as you want, but the business case for doing so is nil until it becomes a problem. At 0.000000003 of rides are being stolen it doesn't make sense.

While the security tsars are focused on the electronic hackers just having fun, the majority of losses are probably coming from kids who jump the turnstiles or go through 2 at a time.


Doesn't this apply more to the vendor and less to the customer? The vendor can sell a system and skimp on the added cost of security. If they are good at managing the account and spinning the situation, when security issues do come up, they have a chance to sell the customer an entirely new system.

The customer is probably better off with a spec for proper security in the first place, so they can avoid the cost of refitting or replacing the entire system.


Sometimes I wonder why they even bother collecting fares. Fares rarely cover the cost, so paying money to develop an expensive fare collection system that's easily hackable doesn't make much sense.

Oh well, at least the politicians can give their contractor buddies my money!


Well not sure about what part of the world you are in, but here in Manhattan the MTA subway system pays for itself. Only about 4-5% of their operating budget comes from taxes, with the remainder coming from fares. A serious vulnerability would crush their budget.

I can just imagine going into some back room to buy a $1,000 metro card for $5. However, I can't imagine many people really bothering; an unlimited card is only $81 a month. When rent is $2500 for a one-bedroom apartment in Brooklyn, and lunch is $15 every day, $81 for all of your transportation really isn't a big deal.

Excellent hack though.


You guys are so lucky. Here in DC, we have the second-highest ridership in the country, and somehow these nincompoops can't get the system to pay for itself. Never mind that we don't have month passes like in most normal cities, and that somebody who regularly rides the Metro will easily spend in excess of $200, even $300 per month. Thanks for hiking fares again, guys! And the number of cars, stations, and miles of track almost certainly pale in comparison to those in New York.

Hell, I pay $140/month to take the Orange line two stops west and a flat-fee bus to its second stop on the route. And people wonder why we have such awful traffic: Driving is often cheaper!


MBTA, the system they hacked, is notoriously inefficient. Apart from fares, they get 20% of state sales tax, or 1 cent of every dollar you spend in the state, even if you don't live in a place that has a train station. The new (electronic) fare system was introduced about 18 months ago and was accompanied by a fare raise from 1.25 to 2.00/1.75, and one of the major reasons quoted was the cost of the new system.


". . . lunch is $15 every day . . ."

Get some bread and make a sandwich, already!


Haha, half the apartments in Manhattan barely even have kitchens!


There needs to be a good standards program for security audits. There is a serious problem, because security is not well understood. It's very easy to sell the government and private organizations a shoddy set of goods.

What about institutionalizing white hat hacking, somehow? I could imagine a system where two competing tiger teams ensure good results. Basically, pay bonuses for actually breaking the security measures. If only one team succeeds in breaking in, then they get both teams' bonuses.


Exactly. The fact that I assumed this was the case was enough to prevent me checking. I assume this to be the case with most hacker types.

So, is this security through stupidity?


I think maintaining consistent state over all turnstiles at all stations is too complicated. It requires a large infrastructure overhead. Putting the stored value on the card is much simpler and doesn't require nearly as much overhead because it allows each turnstile to be an independent unit that reads and writes the card.


I don't think the data changes all that fast. Assume 5 billion cards at 10 bytes a user; it's ~500MB per station. Assuming 2 million transactions an hour, you're talking about ~40 megabytes of data an hour; DSL would be fast enough. Now each station would keep a local copy of the database and transmit to the 30 or so other stations; as long as they send data before you can reach the next station, it should work just fine.

Granted, 10 years ago storing value on each card would have been more useful, but the turnstiles should easily be able to handle the full database.


I'm not saying it's not doable, I'm just saying it's more complicated (and probably much more expensive) than the alternative. It also makes individual turnstile failures more difficult to handle. Suppose the network died on one of the turnstiles. Then you'd have to build a caching system that it resorts to in case of network failures to prevent giving people free rides, and a way to merge state with the rest of the network once it rejoined. Of course you can do it, but I hope you're starting to see how complexity could grow faster than one might expect.

I imagine that there are better ways to solve the problem at hand (security) that don't involve adding thousands of lines of code, miles of fiber, and hundreds of thousands of dollars.


If by "they" you are referring to the MBTA, I doubt they knew how it worked, and the only party who probably did understand, i.e. the company selling them the system, was just interested in keeping costs down.


Look at the man on the Charlie Card. Seriously, go look.

See him leaning out of the window with that mocking grin, waving his forged card in triumph and thinking, "Suckers!"


Awesome social and software hack.

Just hope the media and security services (and alarmists) in general don't use it to go on about anti-terrorism and how we are all under constant terrorist threat (and push more anti-terror measures).


Yeah, god forbid Osama and his ilk get a free ride on the subway.


He will probably need it now that his driver has been jailed?


Not just jailed, tortured. Unless you think that stress positions and sleep deprivation are just rough questioning. That man will have psychological trauma for the rest of his life.

Go USA - We're Number One!


I want to delete this comment, but the 'delete' option is gone!


You can only delete comments for the first two hours.


It all makes me think terrorists must be really incompetent if they can't pull off these same hacks. I neither respect nor fear Osama.


It all makes me think terrorists must be really incompetent if they can't pull off these same hacks.

What's to say they can't or haven't?


They must be very patient, trying to bring down western civilisation one stolen fare at a time could take a while.


The plan is to hijack a subway train and drive it into a building.


To my knowledge, they haven't yet; and as far as I know, they would if they could.


Why do they want free trips on American transit systems?


Bankrupt the states...Oh wait...


Make sure to pay in cash for any cards that you alter...


Brilliant! Like the warcart, particularly the smoke grenade!



That thing is so obnoxious. The video is hilarious!


hehe, bonus points for the Warcart being more environmentally friendly than a gas-guzzling CO2 producing vehicle!


First off, let me say that I thought this presentation was cool as hell - a holistic view of security, showing all the various weaknesses, with cost/value. Very, very well done.

Having said that, I also have to say that there's an underlying attitude that often exists from folks showing off security loopholes that bugs me - "we're just showing all the ways in which this system sucks, so we're really the good guys." Right. And if I walk up to you on the street and stab you in the eye with my pen, I'm just showing you how vulnerable you are by not wearing body armor and a helmet with a face shield.


Sometimes it's a little showy and really more intended to harm than help, yeah.

In this case it's probably more like this: Government is selling everybody expensive armour that claims to protect your vitals against BIC pen stabbings, built by contractors who are buddies with those in power. A group of hackers walk around and take pictures of holes in people's armour. They also demonstrate stabbing a dummy wearing said expensive armour.


LOL... Thanks for the improvement on the analogy. From now on this is going to be my mental model for whether or not a "white hat" security guy is making the world better or worse.


It's nice that they used the GNU Radio for their attack. I was planning on doing this with Chicago's "Chicago Card", but didn't have the money for a USRP when I was in school. (And, there was no research budget for undergrads.)

I am seriously tempted to buy one now, though.


DJB probably could have found money for it. Did you take his class?


Yes. And I asked him about it; he is more of a math professor, and this was an engineering activity.


I opened the slides only expecting the analysis of the contents and security vulnerabilities of Charlie cards. As it's easy to exploit a broken fare collection system with little risk (perhaps even commercially), this design shows serious negligence on the part of the MBTA. Kudos to them for figuring out something every Boston hacker was casually wondering about.

However, these slides go beyond that, briefly covering many avenues that seem to be more aimless mischief than serious analysis. Most of the slides remind me more of the Anarchist Cookbook than a vulnerability disclosure. I wonder why they didn't include the "hop over the gate" and "pay with counterfeit money" exploits?


I still wouldn't use a modified MTA card - cameras are pointed at every turnstile, and swipes could be logged with card id/money left on card. From a master log, it would be pretty trivial to find any inconsistencies and id you from the tapes...


There is no id on the cards. I pay with cash for mine every time, so how are they going to know? I usually put $60-100 on mine each time; if I just kept refilling it at home, how would they know? Sure, they will notice a guy with a $50,000 card, but if you just update it to a modest amount every day they would never notice.


In their slides, the first bits are a unique id (it's also printed on my MTA card (from NYC) under the date). This doesn't make you personally identifiable if you paid cash for the card, but it's unique to the card, so discrepancies could be caught pretty easily.


So how about choosing a new ID every time you update your card?
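As an added example (not code from the thread, the MBTA or the MIT team), here is the kind of central reconciliation the comments above describe, and which the earlier discussion of keeping state server-side rather than on the card would require: a master log keyed by the per-card id is replayed against a ledger of logged top-ups and fares, so a rewritten stored value stands out even for a card bought with cash, and a freshly chosen id stands out because it was never issued. The fare, the ids, the log and the names `Swipe`/`reconcile` are all constructed for this illustration.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

FARE = 200  # constructed: one ride in cents (the thread quotes a $2.00 fare)

@dataclass(frozen=True)
class Swipe:
    card_id: str   # per-card id, like the one printed under the date on the card
    before: int    # stored value the turnstile read off the card, in cents
    after: int     # stored value the turnstile wrote back

def reconcile(issued: set[str], topups: list[tuple[str, int]],
              swipes: list[Swipe]) -> list[tuple[str, str]]:
    """Replay the master log in order; return (card_id, reason) for each anomaly.
    The ledger trusts only what the authority itself logged (issued ids, top-ups
    at its own machines, fares at its own gates), never the value the card claims."""
    ledger: dict[str, int] = defaultdict(int)
    for card_id, amount in topups:
        ledger[card_id] += amount
    findings: list[tuple[str, str]] = []
    for s in swipes:
        if s.card_id not in issued:
            # A made-up id was never sold by the authority, so it stands out
            # even though it has no history to be inconsistent with.
            findings.append((s.card_id, "unissued id"))
            continue
        if s.before != ledger[s.card_id]:
            # The card claims a balance that no logged top-up and fare sequence
            # yields: the stored value was altered outside the system.
            findings.append((s.card_id, "balance mismatch"))
        if s.after != s.before - FARE:
            findings.append((s.card_id, "bad write"))
        ledger[s.card_id] -= FARE  # advance from the trusted figure, not the card's claim
    return findings

# Constructed sample log: two legitimately sold cards, one later rewritten to $50.00,
# and one swipe by a card id the authority never issued.
ISSUED = {"C1", "C2"}
TOPUPS = [("C1", 1000), ("C2", 500)]
SWIPES = [
    Swipe("C1", 1000, 800),
    Swipe("C1", 800, 600),
    Swipe("C1", 5000, 4800),   # rewritten: the ledger says 600
    Swipe("C2", 500, 300),
    Swipe("ZZ9", 9000, 8800),  # id chosen by the holder, never sold
]
```

Calling `reconcile(ISSUED, TOPUPS, SWIPES)` flags C1 for the balance mismatch and ZZ9 as an unissued id, while the honest swipes pass.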


Who said all this was done to actually use the hacked cards? :)


Well if it wasn't then why would they be presenting it at DefCon?


Kudos -- especially for the RFID work. Decidedly non-trivial.


I took the bus yesterday and they just started rolling out a new magnetic card system. I was actually thinking of buying a card reader off eBay and trying to reverse engineer it.


Bug: the scribd link seems to point to the pdf as well.


That's not a bug, it's a feature. I think. :)

I tried the Scribd vacuum link right after posting and I got an error saying that the PDF was encrypted, so it wouldn't be able to show it. I think that result gets cached and Scribd just redirects to the PDF for subsequent requests.


It would be useful to indicate that the link was a pdf. Maybe it's because I haven't had a coffee yet today, but the [scribd] in the title made me think the whole link was going to scribd not a PDF.


So what's the phantom meeting exploit?


Sounds like they just walked into the transit authority offices and said they were there for a meeting if anyone questioned their presence.


Okay, this is evidently about people stealing subway fares or some shit. I nodded off about 3 slides in, so I could be wrong. Correct me if I'm wrong, do.

Still, I'm glad to know what the best minds of my generation are up to: utilizing their magnificent collective genius to steal the occasional nickel. The occasional dime. Great work, guys. Here's a quarter. Einstein always held out for the quarters...

Here's a tip: Just pay the goddamned fare and get some real work done. Thanks.

Seymour Cray [iirc] had an algorithm for buying the best car:

1. Enter dealership.

2. Point at car.

3. Purchase car.

...point is: Don't worry about the trivial parts of life.


You're missing the point. This is about demonstrating that it is a bad idea to use this technology for anything other than limited low-value transactions. The smartcard industry has been pushing "one card for everything" for years, and this shows that it's still a long way off. I'll keep my credit card and my travel pass separate, thanks.



