[Infowarrior] - MIT studies Charlieticket vuln
Richard Forno
rforno at infowarrior.org
Fri Aug 15 12:14:59 UTC 2008
Public Documents Seem to Show Free T Fare
By Michael McGraw-Herdeg
EXECUTIVE EDITOR
August 14, 2008, 4:13 p.m.
http://www-tech.mit.edu/V128/N30/subwayvulnerabilities.html
Documents made public by an MBTA lawsuit against MIT undergraduates
show how anyone can get free T fare by copying an existing
CharlieTicket or by making their own.
The Massachusetts Bay Transportation Authority has asked for its
temporary restraining order, protecting information about research by
MIT students into the CharlieCard and CharlieTicket systems, to be
changed to include only “non public” information. MBTA spokesman Joe
Pesaturo characterized documents available online as “harmless
information that is now public” in an e-mail.
But that public information shows how to get free rides with a
CharlieTicket, leaving open the possibility that the MBTA suspects an
even more serious compromise of its CharlieCard system.
Numerous ways to get unpaid-for T fare are clearly laid out in the DEF
CON presentation, available online at
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf;
in the report the students gave to the MBTA, available at
http://www-tech.mit.edu/V128/N30/subway/10-declaration-henderson-vulnerability.pdf;
and in prior research on similar systems.
Anyone with a magnetic card writer can repeatedly copy a CharlieTicket
onto another card, never having to pay for a ticket again, if the
students’ “Vulnerability Assessment Report” is accurate. In the T’s
system, a CharlieTicket is worth as much as its magnetic stripe says
it is, and no central computer tracks the tickets’ values, according
to the report.
A single $25 ticket could be copied onto hundreds, if not thousands, of
blank cards, providing free travel forever.
A ticket’s identification number or value can also be easily changed,
the report says. A $5 card can be made to say it is worth up to $655.36.
A thief could take a 5 cent CharlieTicket, rewrite it so that its
value is $99, insert it into an MBTA ticketing kiosk along with a
dollar, and receive $100 in T fares on a fresh card, purchased for
$1.05, the report says. The ticket would have “$100.00” printed on the
front and would appear identical to a legitimate CharlieTicket. The
report suggests that an attacker might resell tickets.
(Three people arrested in New York are said to have exploited a
vending machine bug to get $800,000 worth of Long Island Rail Road
tickets and MetroCard fares for free, The New York Times reported
Tuesday. They allegedly sold much of that fare.)
Magnetic card writers go for $173 on eBay, but they can be made for as
little as $5 in parts, according to slides the students were to
present at this weekend’s DEF CON hacker convention. Discarded
CharlieTickets are available in many subway stations’ trash cans;
other cards with magnetic stripes can also be found for less than a
dollar online.
The information on the ticket includes a checksum, a six-bit number
calculated from the rest of the information on the card, which is used
to detect errors in the card’s data. There are only 64 six-bit
numbers. If you do not know how the checksum is generated, you need
only create 64 tickets, each with a different checksum value, and test
each. One will work, according to the report.
The report does not say whether the students have successfully written
software to generate forged CharlieTickets without having to try all
the possible checksums. The final presentation in the spring 2008
subject Computer and Network Security (6.857) was based on guessing
the checksum value by making many cards, a “brute force” approach.
That work was done by four students: Samuel G. McVeety G, who did not
participate in the DEF CON presentation, along with the three students
who did, Zackary M. Anderson ‘09, Russell J. Ryan ‘09, and Alessandro
Chiesa ‘09. The project earned an A, according to the MBTA.
Students recommend system changes
A central system should store the current value of all tickets so that
people cannot forge new CharlieTickets, the students’ confidential
report recommends. An “auditing system” should also be used to detect
copied or forged tickets, the report recommends.
The CharlieTicket and CharlieCard should both include additional
encryption to make them hard to duplicate or forge, the report says.
The report recommends an auditing system be installed to detect
cloning of RFID cards. It also recommends that the CharlieTicket’s
checksum be replaced with a cryptographically secure signature which
would be harder to duplicate.
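The two weaknesses the report describes (a six-bit checksum that a forger can cover in at most 64 trials, and a stripe whose stated value no central computer tracks) and the two fixes it recommends (a cryptographically secure signature, and a central record of every ticket's value with auditing for copies) can be shown side by side in a short simulation. This is an added illustration, not code from the students' report or from the MBTA: the field layout (a four-byte ticket ID, a two-byte value in cents, trailing check bytes), the byte-sum stand-in for the real six-bit checksum, and the use of a truncated HMAC-SHA256 tag in place of the recommended signature are all assumptions made for the example.

```python
"""Weak six-bit checksum versus keyed MAC plus a central fare ledger.

Constructed illustration of the CharlieTicket weaknesses and the report's
recommendations. The field layout and checksum function are assumptions;
the real ticket format is not described on the page.
"""
import hashlib
import hmac
import secrets

ID_LEN, VALUE_LEN, TAG_LEN = 4, 2, 8  # constructed field widths (assumption)


def _body(ticket_id: int, value_cents: int) -> bytes:
    # Two-byte value field, as the report's $655.36 ceiling suggests (assumption).
    return ticket_id.to_bytes(ID_LEN, "big") + value_cents.to_bytes(VALUE_LEN, "big")


def weak_checksum(body: bytes) -> int:
    """Stand-in six-bit check (byte sum mod 64). The real function is not public;
    any function with only 64 possible outputs has the same weakness."""
    return sum(body) % 64


def encode_checksum_ticket(ticket_id: int, value_cents: int) -> bytes:
    body = _body(ticket_id, value_cents)
    return body + bytes([weak_checksum(body)])


def verify_checksum_ticket(stripe: bytes) -> bool:
    return weak_checksum(stripe[:-1]) == stripe[-1]


def checksum_candidates() -> int:
    """Distinct six-bit check values, i.e. the most trials a forger who does not
    know the function needs: 64."""
    return 2 ** 6


SECRET_KEY = secrets.token_bytes(32)  # issuer-held key (constructed for the example)


def encode_mac_ticket(ticket_id: int, value_cents: int, key: bytes = SECRET_KEY) -> bytes:
    """Body followed by a keyed tag; without the key a rewritten value cannot be
    given a matching tag (the report's 'cryptographically secure signature')."""
    body = _body(ticket_id, value_cents)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_mac_ticket(stripe: bytes, key: bytes = SECRET_KEY) -> bool:
    body, tag = stripe[:-TAG_LEN], stripe[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


def rewrite_value(stripe: bytes, new_value_cents: int) -> bytes:
    """Change only the value bytes and leave the trailing check bytes untouched."""
    return stripe[:ID_LEN] + new_value_cents.to_bytes(VALUE_LEN, "big") + stripe[ID_LEN + VALUE_LEN:]


class FareLedger:
    """Central record of every ticket's value: the stripe is only a claim, and a
    claim that disagrees with the record is flagged as a possible copy."""

    def __init__(self, key: bytes = SECRET_KEY):
        self.key = key
        self.balances = {}   # ticket_id -> value in cents
        self.alerts = []     # audit trail for the 'auditing system' the report asks for

    def issue(self, ticket_id: int, value_cents: int) -> bytes:
        self.balances[ticket_id] = value_cents
        return encode_mac_ticket(ticket_id, value_cents, self.key)

    def redeem(self, stripe: bytes, fare_cents: int):
        """Return (accepted, rewritten_stripe_or_None)."""
        if not verify_mac_ticket(stripe, self.key):
            self.alerts.append("bad tag: forged or tampered stripe")
            return False, None
        ticket_id = int.from_bytes(stripe[:ID_LEN], "big")
        claimed = int.from_bytes(stripe[ID_LEN:ID_LEN + VALUE_LEN], "big")
        recorded = self.balances.get(ticket_id)
        if recorded is None:
            self.alerts.append(f"unknown ticket {ticket_id}")
            return False, None
        if claimed != recorded:
            self.alerts.append(
                f"ticket {ticket_id}: stripe says {claimed}, ledger says {recorded} (copy?)")
            return False, None
        if recorded < fare_cents:
            return False, None
        self.balances[ticket_id] = recorded - fare_cents
        return True, encode_mac_ticket(ticket_id, self.balances[ticket_id], self.key)
```

Run through a gate: a ticket issued by the ledger is accepted once, the gate writes back a fresh stripe with the reduced balance, and a byte-for-byte copy of the original stripe is then refused because its stated value no longer matches the central record. A value rewritten without the key fails the tag check before the ledger is consulted at all, whereas the checksum scheme leaves only 64 candidates between a forger and a valid stripe.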
The DEF CON presentation highlighted fixable weaknesses in “physical
security.” The presentation includes photos of unlocked doors into
subway stations, pictures of open “turnstile control boxes” accessible
“almost everywhere,” a picture of a “door key” found in an open box,
and a photo of a computer screen in the MBTA’s operations center.
(That picture was taken from an adjacent building with a telephoto
lens, according to Tech photographer Eric Schmiedl, who gave a
presentation on physical security at DEF CON.)
CharlieCard may be insecure
The students’ report suggests that all CharlieCards may be protected
against duplication by a single encryption key, but the report is
unclear on whether they have decoded that key. If they have found this
key, this could be what the MBTA’s restraining order seeks to protect.
CNET reported on Thursday that the students gave the MBTA “particular
information to complete the Charlie card hack which they say they had
no intention of revealing in the Defcon discussion,” which could be
this key.
The CharlieCard uses the MIFARE Classic system, which is also used in
London’s transport system and in the Dutch transport system. That
system is known to be vulnerable to a cloning attack -- by standing
near someone, you can decrypt their card and copy its identity and
value. The maker of that card, NXP Semiconductors, has unsuccessfully
sued in Dutch courts to keep research details from being presented in
public.
The students’ report discusses possible ways to decode the encryption
key that protects CharlieCards. It also suggests that the key may be
the same on every card, rather than differing from card to card --
which could be a serious problem if true. But in a court filing,
security consultant Eric Johanson said that the publicly available
information about the students’ findings describes an “aspirational”
attack on the key rather than a functional one.
The MIFARE Classic card has undergone worldwide security analysis.
In place of the students’ talk on Sunday, Dutch journalist Brenno de
Winter gave a talk describing MIFARE Classic vulnerabilities and NXP’s
unsuccessful lawsuit that sought to keep Dutch researchers from
presenting those vulnerabilities. The research results to be published
in October will show how the card can be cloned in a few seconds, he
said. “If anyone in the room is using MIFARE Classic at this moment,
this is your final wakeup call,” de Winter said. “This is your final
heads-up. You’ve got two months left, and then you’re screwed.”
An NXP Semiconductors employee advised the MBTA on July 30 about the
upcoming DEF CON presentation. “Of special concern is the announced
intent to release open source tools required to perform the attacks,”
wrote Manuel Albers, director of regional marketing for NXP. “Please
let me know if we can support you in any way,” he wrote.