
Not so smart cards easily hacked

MIT students hack into Boston's transit system, highlighting security flaws in mass-transit cards.

Cheating the turnstile: Commuters heading home piled into an MBTA subway train in Boston on June 2. Security flaws in MBTA's smart card could let people hack into the system.

Mary Knox Merrill – staff/file


The recent hacking into Boston's mass transit system by three local university students underscores a much broader problem: More than a billion mass-transit fare cards and door-swipe badges worldwide have a security weakness.

That's due to a flaw revealed in a smart chip's design earlier this year. Other agencies that use the chip – from the London Tube to the Dutch government – have scrambled to adopt temporary countermeasures, says Karsten Nohl, the researcher who first uncovered the trouble. All their smart cards, he says, need to be shored up or replaced.

Three Massachusetts Institute of Technology students drove home this and other weaknesses in Boston's transit system when they claimed to have found a way to add money onto fare cards free of charge.

For now, a restraining order taken out by the Massachusetts Bay Transportation Authority (MBTA) stops the students from publicizing their work. But details are already leaking out. And their exploits come less than a year after Mr. Nohl's research had already pointed down one path to hacking such systems.

That's leaving some security experts to question the MBTA's efforts to maintain security through secrecy. "I'll predict for you that within a couple of months someone will reproduce the attack, whether or not the details were released," says Mike Davis, a senior security consultant with IOActive in San Francisco. "What these new hard-core attacks are starting to show us is that the obscurity we relied on to protect these systems are just assumptions people have made."

