About 15 years ago, three MIT undergrads found themselves in legal trouble for speaking out about security vulnerabilities in the MBTA payment system. After hacking the Charlie Ticket magstripe paper cards, the three students planned to present their findings at a hacker conference under an enticing question: Want free subway rides for life?
Though the MIT students' talk was canceled, the slides were published online. Fifteen years later, four high schoolers — Matty Harris, Scott Campbell, Noah Gibson and Zack Bertocchi — decided to pick up where the MIT students left off to see if the transit system had fixed those exposed vulnerabilities. Spoiler alert: they hadn't.
Two of the students, Harris and Campbell, joined All Things Considered host Arun Rath to explain their findings. What follows is a lightly edited transcript.
Arun Rath: So the original hacking incident was in 2008. You guys were basically babies at that time, right?
Matty Harris: Yep. Pretty much like two, I think.
Rath: So when did you first hear about this, and when did the story kind of catch your imagination?
Harris: Well, so I first heard about it almost exactly two years ago. I was reading about Charlie Cards — I was actually taking a look at the Wikipedia article for Charlie Card — and you know that there's a section about security concerns. And they mentioned these MIT students and what they did.
I read a couple articles about them, and I found it really interesting because it was a whole mess of lawsuits. I mean, fortunately, they won their lawsuit. It was very interesting work that they did.
And I actually told one of our co-conspirators — our partners in crime, Zack Bertocchi. We were sitting on the train together, and I told him about that, and from there, we did some more research, and that's kind of how it all began. We wanted at first to replicate their findings, but it kind of took off from there.
Rath: Right. I mean, it was a fairly landmark case. I think that was the first time people were familiar with the term 'white hat hacker' for people who are not exploiting vulnerabilities so much as exposing them, right?
Harris: Yeah, exactly. Things have definitely changed since then, right? I think white hat hacking is a lot more acceptable now, but at the time, yeah, it was a landmark case. It kind of protected security researchers and that was a big deal. That made us feel a little bit less terrified.
Rath: And Scott, talk about how you dug into this problem. How did you guys figure out how to finesse the system this time around?
Scott Campbell: So I had received a student card, and I figured maybe I could figure out a way to clone it so I could share it with my friends. And I mentioned it in passing to Matty, and then he was like, "Boy, do I have a project to show you."
So we started going into that project, and we started by trying to figure out where the data was. So what we would do is we would get a binary dump of one card, add a little bit of money to it, and then save the dump again and then look at what the differences are and try to figure out which sequence of ones and zeroes is the money — it was the first thing we looked for. We quickly realized that we needed to figure out how to change the data to be able to really figure anything out.
So we moved on to trying to crack something called a checksum; at the end of each line of data, there's a thing called the checksum, which is basically a mathematical operation. They run the data and then get an output, and they know that if you change the data, when they run it on that same data, if the checksum at the end is different, then they can tell that something's gone wrong.
Usually, that's just like natural errors where something broke in the chip, but it could also be someone trying to mess with it. So most of the project was trying to figure out how to make it so that the checksum lines up with the new data we put on the card.
Harris: We started out just attempting to replicate the findings that the MIT students found of forging Charlie tickets, you know, putting custom values on it. We started out by cloning Charlie Cards, and then once we were able to clone cards and in doing so, we demonstrated that they still store value directly on the card rather than in a central database somewhere, which would be more secure. They're trusting the cards to be accurate.
And so, in doing all of our stuff with the checksum, we were able to exploit that and actually edit the values. We spent a lot of time just staring at data. We actually spent many hours sitting directly at a train station — spent a lot of time at Wellington and North Station, just kind of sitting there, changing stuff, tapping cards, experimenting and refining our findings until we were eventually able to figure out how to change the variable that contains the money so we can have a card with any amount of money we want up to like $300.
Rath: You know, I'm certainly no Internet security expert, but the way you described it, that sounds like a pretty wide open door you were able to get through. Is that the case? And were you surprised that it was so wide open still?
Harris: Yeah, I'd say we're definitely quite surprised because before we tried doing the cloning stuff, we just assumed that they had developed a new system and that they still weren't storing values on the card. We didn't know any details of how it worked because we just assumed that they'd fixed it. But once we were able to clone cards, we realized, "Okay, yeah, they haven't fixed anything." It's kind of exactly the same way it was 15 years ago.
It's a lot — it's quite wide open. I think there's the reason why more people haven't really gone out and exploited it is probably just because of how much of a pain it is to do that. But yeah, if you're dedicated, you can definitely figure it out.
Rath: As we mentioned at the top, the three MIT students 15 years ago found themselves in trouble and in federal court. Is there any sense of legal danger this time around? Have things really changed?
Campbell: As an industry, really in cybersecurity, the focus has come a lot more on trying to help security researchers rather than attack them. As we mentioned before, the MIT case was a very large piece of case law, and there's a lot of legal precedent that protects us. It's still a gray area, but it's a lot less of a gray area than it used to be.
It's also in the best interest of the MBTA to help us out and work with us because it was a PR disaster when they sued the MIT students, and we're able to try to help them fix the problems rather than just publicizing them further.
Harris: That said, it was still — there was still a good bit of uncertainty when we first started doing this. If you remember, in December of last year, there was an article in the Boston Globe that highlighted the research from a guy named Bobby Rauch, who figured out a similar thing of cloning cards. He came up with some theories of how, you know, how the fare system could be exploited.
He went through — I think he was definitely a lot more fearful of the MBTA because at that point, you know, they had a proven track record of suing researchers. And so he actually hired a lawyer, and he took a lot more precautions. We actually reached out to him, and he was able to share his experience of working with the T.
We found that the T has come a long way since 15 years ago. And like what Scott said, they are much more interested in working with researchers rather than antagonizing them and going after them and causing a lot of mayhem.
Campbell: A lot of the changes in the way that they have handled security researchers came from their new chief information security officer, Scott Margolis, who was extremely nice to us and handled the situation really, really well.
Rath: That's awesome. It's such a turnaround from the way things were 15, 20 years ago. It's awesome to hear about it.