

The Tech (MIT student newspaper) publishes the banned DEFCON slides - pius
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

======
dcurtis
Epic. That's all I can say.

The amount of work that went into this is awesome. They're hacking real life.

------
pius
Context: [http://blog.wired.com/27bstroke6/2008/08/injunction-requ.htm...](http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html)

~~~
pius
From the Wired article:

"Among the documents the MTBA filed with its declaration to the court today is
a vulnerability assessment report
([http://blog.wired.com/27bstroke6/files/vulnerability_assessm...](http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf))
that the three students gave the MTBA about the flaws in its system. The
document is dated August 8, the day the MTBA filed its lawsuit against the
students, and _is essentially the information the students declined to give
the MTBA before it filed its lawsuit._"

I can't help but think Wired got this wrong. Knowing who the students' advisor
is, I find it pretty hard to believe that the students refused to give the
assessment to the MBTA before publishing this presentation.

------
rantfoil
Incredibly cool. How could they possibly think they could just put the stored
value on the card itself, unencrypted? I always assumed the card was just a
token that refreshed some database on their end, instead of stupidly storing
it in hex right there on the card stripe.

~~~
pius
Smartcard security is notoriously bad in the vast majority of deployed
systems.

The people designing these high human traffic systems are usually much more
concerned about other factors (low latency at the turnstile, minimal number of
network connections to wire, card reliability, etc.) than they are about
security.

~~~
jrockway
Sometimes I wonder why they even bother collecting fares. Fares rarely cover
the cost, so paying money to develop an expensive fare collection system
that's easily hackable doesn't make much sense.

Oh well, at least the politicians can give their contractor buddies my money!

~~~
krschultz
Well, not sure about what part of the world you are in, but here in Manhattan
the MTA subway system pays for itself. Only about 4-5% of their operating
budget comes from taxes, with the remainder coming from fares. A serious
vulnerability would crush their budget.

I can just imagine going into some back room to buy a $1,000 metro card for
$5. However, I can't imagine many people really bothering; an unlimited card is
only $81 a month. When rent is $2500 for a one-bedroom apartment in Brooklyn, and
lunch is $15 every day, $81 for all of your transportation really isn't a big
deal.

Excellent hack though.

~~~
GavinB
". . . lunch is $15 every day . . ."

Get some bread and make a sandwich, already!

~~~
gaius
Haha, half the apartments in Manhattan barely even have kitchens!

------
aspirant
Look at the man on the Charlie Card. Seriously, go look.

See him leaning out of the window with that mocking grin, waving his forged
card in triumph and thinking, "_Suckers!_"

------
babul
Awesome social and software hack.

Just hope the media and security services (and alarmists) in general don't use
it to go on about anti-terrorism and how we are all under constant terrorist
threat (and push more anti-terror measures).

~~~
pmorici
Yeah, god forbid Osama and his ilk get a free ride on the subway.

~~~
froo
He will probably need it now that his driver has been jailed?

~~~
mleonhard
Not just jailed, tortured. Unless you think that stress positions and sleep
deprivation are just rough questioning. That man will have psychological
trauma for the rest of his life.

Go USA - We're Number One!

~~~
mleonhard
I want to delete this comment, but the 'delete' option is gone!

~~~
dfranke
You can only delete comments for the first two hours.

------
andreyf
Make sure to pay in cash for any cards that you alter...

------
fnazeeri
Brilliant! Like the warcart, particularly the smoke grenade!

~~~
pius
<http://web.mit.edu/zacka/www/warcart.html>

I want one. :)

~~~
pmorici
That thing is so obnoxious. The video is hilarious!

------
projectileboy
First off, let me say that I thought this presentation was cool as hell - a
holistic view of security, showing all the various weaknesses, with
cost/value. Very, very well done.

Having said that, I also have to say that there's an underlying attitude that
often exists from folks showing off security loopholes that bugs me - "we're
just showing all the ways in which this system sucks, so we're really the good
guys." Right. And if I walk up to you on the street and stab you in the eye
with my pen, I'm just showing you how vulnerable you are by not wearing body
armor and a helmet with a face shield.

~~~
Chocobean
Sometimes it's a little showy and really more intended to harm than help,
yeah.

In this case it's probably more like this: Government is selling everyone
expensive body armour that claims to protect your vitals against BIC pen
stabbings, built by contractors who are buddies with those in power. A group of
hackers walk around and take pictures of holes in people's armour. They also
demonstrate stabbing a dummy wearing said expensive armour.

~~~
projectileboy
LOL... Thanks for the improvement on the analogy. From now on this is going to
be my mental model for whether or not a "white hat" security guy is making the
world better or worse.

------
jrockway
It's nice that they used GNU Radio for their attack. I was planning on
doing this with Chicago's "Chicago Card", but didn't have the money for a USRP
when I was in school. (And there was no research budget for undergrads.)

I am seriously tempted to buy one now, though.

~~~
mleonhard
DJB probably could have found money for it. Did you take his class?

~~~
jrockway
Yes. And I asked him about it; he is more of a math professor, and this was an
engineering activity.

------
mindslight
I opened the slides only expecting the analysis of the contents and security
vulnerabilities of Charlie cards. As it's easy to exploit a broken fare
collection system with little risk (perhaps even commercially), this design
shows serious negligence on the part of the MBTA. Kudos to them for figuring
out something every Boston hacker was casually wondering about.

However, these slides go beyond that, briefly covering many avenues that seem
to be more aimless mischief than serious analysis. Most of the slides remind
me more of the Anarchist Cookbook than a vulnerability disclosure. I wonder
why they didn't include the "hop over the gate" and "pay with counterfeit
money" exploits?

------
andreyf
I still wouldn't use a modified MTA card - cameras are pointed at every
turnstile, and swipes could be logged with card id/money left on card. From a
master log, it would be pretty trivial to find any inconsistencies and id you
from the tapes...

~~~
krschultz
There is no ID on the cards; I pay cash for mine every time, so how are they
going to know? I usually put $60-100 on mine each time; if I just kept
refilling it at home, how would they know? Sure, they will notice a guy with a
$50,000 card, but if you just update it to a modest amount every day they
would never notice.

~~~
andreyf
In their slides, the first bits are a unique ID (it's also printed on my MTA
card (from NYC) under the date). This doesn't make you personally identifiable
if you paid cash for the card, but it is unique to the card, so
discrepancies could be caught pretty easily.

~~~
eru
So how about choosing a new ID every time you update your card?
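
The detection idea in this subthread (a master log of swipes keyed by card ID, scanned for balances that cannot be explained) is concrete enough to sketch. The script below is an added example written for this page; it is not from the slides, the thread or any transit operator. It assumes a log format I made up (one event per line, either a vending-machine TOPUP with the amount added or a gate SWIPE with the balance the card reported after the fare), that top-ups and card sales are logged with the same card ID as the gates (an assumption), and that amounts are exact cents. The sample log is constructed. Two checks fall out of the invariant "a balance can only fall between swipes unless a logged top-up explains the rise": the per-card continuity check catches the "modest amount every day" rewrite, and the issuance check catches a card whose ID was never sold or topped up, which is what the "new ID every time" trick would look like if vending is logged.

```python
"""Flag stored-value cards whose gate swipes the master log cannot explain.

Added example for this thread, not from the slides or the operator.
Log format, field names and the sample data below are all constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real MBTA/MTA data). Card 0001 is a normal
# commuter; card 0002 was rewritten at home from $6 back to $8 with no
# vending-machine top-up; card 7f3a was never sold or topped up at all.
SAMPLE_LOG = """\
2008-08-09T07:58:00 TOPUP card=0001 amount=20.00
2008-08-09T08:01:12 SWIPE card=0001 balance=18.00
2008-08-09T17:30:45 SWIPE card=0001 balance=16.00
2008-08-10T08:02:03 SWIPE card=0001 balance=14.00
2008-08-09T07:59:30 TOPUP card=0002 amount=10.00
2008-08-09T08:05:00 SWIPE card=0002 balance=8.00
2008-08-09T18:10:00 SWIPE card=0002 balance=6.00
2008-08-10T08:04:21 SWIPE card=0002 balance=8.00
2008-08-10T08:06:00 SWIPE card=7f3a balance=48.00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>TOPUP|SWIPE) card=(?P<card>\w+) "
    r"(?:amount|balance)=(?P<value>\d+\.\d{2})$"
)


@dataclass
class Event:
    ts: str
    kind: str   # "TOPUP" or "SWIPE"
    card: str
    cents: int  # amount added (TOPUP) or balance reported by the card (SWIPE)


def parse_log(text):
    """Parse the assumed log format into Events sorted by timestamp.

    Gates and vending machines log independently, so lines arrive out of
    order; ISO-8601 timestamps sort correctly as plain strings. Malformed
    lines are skipped rather than aborting the whole scan.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cents = int(m["value"].replace(".", ""))  # integer cents, no floats
        events.append(Event(m["ts"], m["kind"], m["card"], cents))
    events.sort(key=lambda e: e.ts)
    return events


def find_anomalies(events):
    """Return (card, ts, reason) for every swipe the log cannot explain.

    Invariant: between two swipes a card's balance can only fall (a fare was
    deducted). It may rise only by the cents a logged TOPUP added in between.
    A card that is swiped but never appears in a TOPUP has no legitimate
    origin if every sale and reload is logged (the assumption made here).
    """
    last_balance = {}            # card -> balance seen at its previous swipe
    credit = defaultdict(int)    # card -> cents topped up since previous swipe
    issued = set()               # cards that ever appeared at a vending machine
    anomalies = []
    for e in events:
        if e.kind == "TOPUP":
            issued.add(e.card)
            credit[e.card] += e.cents
            continue
        prior = last_balance.get(e.card, 0)
        if e.card not in issued:
            anomalies.append((e.card, e.ts, "card never sold or topped up"))
        elif e.cents >= prior + credit[e.card]:
            anomalies.append((
                e.card, e.ts,
                f"balance {e.cents} cents after a swipe, but only {prior} "
                f"cents known plus {credit[e.card]} cents topped up",
            ))
        last_balance[e.card] = e.cents
        credit[e.card] = 0
    return anomalies


if __name__ == "__main__":
    for card, ts, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts} card={card}: {reason}")
```

The continuity check needs no knowledge of the fare schedule, only that a swipe never increases the balance, which is why it also flags a balance that stays flat. Its weakness is exactly the one raised above: if the forger picks a fresh ID each time, there is no previous swipe to compare against, and only the issuance check (which depends on vending machines logging the card ID) still fires.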

------
DanielBMarkham
Kudos -- especially for the RFID work. Decidedly non-trivial.

------
lpgauth
I took the bus yesterday and they just started rolling out a new magnetic
card system. I was actually thinking of buying a card reader off eBay and trying
to reverse-engineer it.

------
emmett
Bug: the scribd link seems to point to the pdf as well.

~~~
pius
That's not a bug, it's a feature. I think. :)

I tried the Scribd vacuum link right after posting and I got an error saying
that the PDF was encrypted, so it wouldn't be able to show it. I think that
result gets cached and Scribd just redirects to the PDF for subsequent
requests.

------
sh1mmer
It would be useful to indicate that the link was a pdf. Maybe it's because I
haven't had a coffee yet today, but the [scribd] in the title made me think
the whole link was going to scribd not a PDF.

------
chris_l
So what's the phantom meeting exploit?

~~~
pmorici
Sounds like they just walked into the transit authority offices and said they
were there for a meeting if anyone questioned their presence.

------
mynameishere
Okay, this is evidently about people stealing subway fares or some shit. I
nodded off about 3 slides in, so I could be wrong. Correct me if I'm wrong,
do.

Still, I'm glad to know what the best minds of my generation are up to:
utilizing their magnificent collective genius to steal the occasional nickel.
The occasional dime. Great work, guys. Here's a quarter. Einstein always held
out for the quarters...

Here's a tip: Just pay the goddamned fare and get some real work done. Thanks.

Seymour Cray [IIRC] had an algorithm for buying the best car:

1. Enter dealership.

2. Point at car.

3. Purchase car.

...point is: Don't worry about the trivial parts of life.

~~~
gaius
You're missing the point. This is about demonstrating that it is a bad idea to
use this technology for anything other than limited low-value transactions.
The smartcard industry has been pushing "one card for everything" for years,
and this shows that it's still a long way off. I'll keep my credit card and my
travel pass separate, thanks.

