Patrick J. Sweeney II | August 25, 2008

There’s a popular tune at Boston bars close to closing time called “Charlie on the MTA” (Metropolitan Transit Authority). It was written in the late 1940s as a campaign song for Walter O’Brien, who ran as someone who wouldn’t raise the fare to ride the subway, or the “T” as it’s called in Beantown. The latest controversy on the T isn’t about raising fares, but about the fare cards, called CharlieCards. The MBTA (the Massachusetts Bay Transportation Authority, successor to the MTA of the song) uses High Frequency (HF, 13.56 MHz) RFID cards to carry stored value for frequent riders of the T, and several MIT students have hacked the RFID cards and published how others could do the same thing.

The MIT students claim they did the MTA a favor by pointing out the security flaws, a common claim by grey-hat hackers (not malicious like black hats, but not pure enough to be considered white hats, since they publish how they did it for others to replicate). A complex court battle has ensued: an initial temporary restraining order was in effect and has just been lifted.

I spent the earlier part of my career running a secure data hosting company, and I understand the need for independent audits of systems and think RFID needs to be held to the highest security standard; however, the MIT students clearly went too far by offering, on Defcon’s website, “Want free subway rides for life?”

The best way to show the world how secure RFID can be is to implement properly designed systems, and to create a standard encryption process and certification for RFID where existing ones can’t be used. The MTA system illustrates the design point: it puts the value on the RFID card itself instead of in a secure back-end database, so whoever can write to the card can write a balance, and nothing on the server side is in a position to contradict it. If the card is only an identifier and the balance lives in the back end, the same write buys nothing. If the gates must work offline and the card has to carry a balance, that balance at least needs to be authenticated with a key the card never holds and reconciled against the back end, so that edited or cloned cards stand out. The US Government is looking for input to help (?) the industry get there: https://secure.commentworks.com/ftc-TransatlanticRFID/
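To make the design point concrete, here is an added example, not code from the original post, the MBTA or NXP. Design A models a card that is its own ledger, laid out like a MIFARE Classic value block as described in NXP’s public datasheet (value, inverted value, value, then a repeated address byte pattern). Design B models a back end that owns the balance and lets the card carry only a snapshot authenticated with a key the card never holds, plus a sequence number. The fare amount, UID and key are constructed for illustration and correspond to no real system.

```python
"""Stored value on the card versus value in a back-end ledger.

Added example, not code from the original page, the MBTA or NXP. The value
block follows the public MIFARE Classic datasheet layout; the fare gates,
fare amount, UID and key are constructed for illustration only.
"""
import hashlib
import hmac
import struct

FARE = 170  # cents; constructed figure, not a real fare


def encode_value_block(value: int, addr: int) -> bytes:
    """Build a 16-byte MIFARE Classic value block.

    The redundancy lets a reader detect a torn write. It is not
    authentication: anyone who can write the sector can produce it."""
    v = struct.pack("<i", value)
    inv_v = bytes(b ^ 0xFF for b in v)
    a, inv_a = bytes([addr & 0xFF]), bytes([(addr & 0xFF) ^ 0xFF])
    return v + inv_v + v + a + inv_a + a + inv_a


def decode_value_block(block: bytes) -> int:
    """Return the stored value if the block is well formed, else raise."""
    if len(block) != 16:
        raise ValueError("value block must be 16 bytes")
    v, inv_v, v2 = block[0:4], block[4:8], block[8:12]
    if v != v2 or bytes(b ^ 0xFF for b in v) != inv_v:
        raise ValueError("inconsistent value copies")
    if block[12] != block[14] or block[13] != block[15] or block[12] ^ 0xFF != block[13]:
        raise ValueError("inconsistent address bytes")
    return struct.unpack("<i", v)[0]


# Design A: the card is the ledger; the gate trusts any well-formed block.
def card_only_tap(card: dict) -> bool:
    balance = decode_value_block(card["value_block"])
    if balance < FARE:
        return False
    card["value_block"] = encode_value_block(balance - FARE, 2)
    return True


def attacker_rewrites_balance(card: dict, new_balance: int) -> None:
    """With sector write access the 'integrity' encoding is recomputed
    trivially; Design A cannot tell a forged balance from a genuine one."""
    card["value_block"] = encode_value_block(new_balance, 2)


# Design B: the back end owns the balance. The card carries a snapshot tagged
# with a key it never holds, plus a sequence number, so edited, stale or
# cloned card state is rejected and the ledger has the final say.
class LedgerSystem:
    def __init__(self, key: bytes):
        self.key = key        # real deployments: HSM / gate SAM, never the card
        self.balances = {}    # uid -> cents (the authoritative figure)
        self.next_seq = {}    # uid -> next sequence number the ledger will accept

    def _tag(self, uid: bytes, balance: int, seq: int) -> bytes:
        msg = uid + struct.pack(">iI", balance, seq)
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:8]

    def issue(self, uid: bytes, balance: int) -> dict:
        self.balances[uid] = balance
        self.next_seq[uid] = 0
        return {"uid": uid, "balance": balance, "seq": 0,
                "tag": self._tag(uid, balance, 0)}

    def tap(self, card: dict) -> bool:
        uid, balance, seq = card["uid"], card["balance"], card["seq"]
        if not hmac.compare_digest(card["tag"], self._tag(uid, balance, seq)):
            return False      # edited balance or forged card
        if seq != self.next_seq.get(uid):
            return False      # clone or restored dump: this state was already spent
        if self.balances[uid] < FARE:
            return False      # the ledger, not the card, decides what is left
        self.balances[uid] -= FARE
        self.next_seq[uid] = seq + 1
        card.update(balance=self.balances[uid], seq=seq + 1,
                    tag=self._tag(uid, self.balances[uid], seq + 1))
        return True


def demo() -> dict:
    """Run the same attacks against both designs and report the outcomes."""
    card_a = {"value_block": encode_value_block(5 * FARE, 2)}
    card_only_tap(card_a)                            # one honest ride
    attacker_rewrites_balance(card_a, 1_000_000)     # forge a $10,000 balance
    forged_accepted = card_only_tap(card_a)          # Design A accepts it

    system = LedgerSystem(key=b"constructed-demo-key")
    uid = bytes.fromhex("04a2b3c4")                  # constructed UID
    card_b = system.issue(uid, 5 * FARE)
    clone = dict(card_b)                             # attacker dumps the card
    system.tap(card_b)                               # genuine ride advances seq
    clone_accepted = system.tap(clone)               # stale sequence number
    card_b["balance"] = 1_000_000                    # edit without the key
    edit_accepted = system.tap(card_b)               # tag does not verify
    return {"forged_accepted": forged_accepted, "clone_accepted": clone_accepted,
            "edit_accepted": edit_accepted, "ledger_balance": system.balances[uid]}


if __name__ == "__main__":
    print(demo())
```

Running it shows Design A accepting the forged balance, while Design B rejects both the edited card (tag mismatch) and the replayed clone (sequence already consumed), and the back-end balance reflects only the one genuine ride. The value-block redundancy is worth keeping for torn-write detection, but nothing about it stops a hostile writer; only a key the card cannot compute does that.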

There are about a dozen subway systems using this NXP MIFARE Classic card; the MIT presentation for Defcon (which I’ve seen) lists at least ten of them. All of those municipalities should be calling an RFID expert to learn how to lock down their systems, and then press charges against anyone who is caught hacking in; the memory of Kevin Mitnick and the time he served seems to be fading.
