IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

A Quiz on Hacking Transportation Cards

Contributed by Joanne C. Kelleher

My household is starting to think about back to school, so here is a quiz for you:

Students/researchers at ______(a)_______ hacked the ______(b)____ transportation card. These researchers planned to share results at _______(c)_________. The _____(d)______ Transportation Authority filed an injunction to prevent presentation, claiming that disclosing the details would inflict damage.

Depending on when you take this quiz the answers may vary.

The latest answers are:
(a) Massachusetts Institute of Technology (MIT)
(b) Boston’s CharlieCard
(c) DEFCON 16, an annual hackers conference in Las Vegas
(d) Massachusetts Bay Transportation Authority (MBTA)

This past weekend, the MBTA was successful in obtaining a temporary 10 day injunction against three MIT students preventing them from giving the planned presentation at DEFCON about how they hacked the CharlieCard which is based on the Mifare Classic card from NXP.

A copy of the presentation, which was distributed to all DEF CON attendees prior to the lawsuit, has these sections:

  • Attack physical security – with photos of unlocked doors and open turnstiles
  • Attack the Magcard about reverse engineering the card
  • Attack the RFID Using the reverse engineered work done by Karsten Nohl against the Crypto-1 algorithm used on the Mifare classic card.
  • Attack the Network

A similar injunction requested by NXP against publication of the Mifare hacking report by researchers at Radboud University in Nijmegen was denied. See veridify.com/nxp-injunction-against-mifare-hacking-report-is-denied.

The Electronic Frontier Foundation, which is representing the three MIT students, is appealing the ruling and, in the process, obtaining more press for the MIT students. If the MBTA hadn’t filed the injunction, this would have been just another hacker presentation instead of news covered by the Boston Globe, CNet, Wall Street Journal Blogs, Computer World and the AP. 

We will see what happens with the appeal and when the 10 day injunction period is over.

For an article in the MIT paper which includes links to court documents and a copy of the presentation, see http://www-tech.mit.edu/V128/N30/subway.html.