During the spring of 2008 I worked with three other students to analyze the security of the Boston subway fare collection system. The research was conducted in the MIT Computer and Network Security course 6.857. After several weeks of reverse engineering, trial and error, software development, and testing, we found several gaping security holes in the MBTA (the Boston transit agency) fare collection system. We discovered significant issues with the magnetic card media, the RFID fare cards, and the physical security of the system. We developed several exploits that allowed us to generate arbitrary-value fare cards at zero cost. In addition, we developed several solutions to fix the security holes for the MBTA. Our initial offer to assist the transit agency in fixing the security holes was poorly received, but since October 2008 we have been working with the MBTA to fix the vulnerabilities we discovered.
Analyzing Magnetic Media
We discovered that instead of using an account system with value stored in a central location, the fare collection system stores the value on the fare card itself. To reverse engineer the data format on the cards, we purchased several hundred dollars' worth of magnetic fare cards and looked for patterns in the data. Patterns in raw binary data were extremely difficult to see without help, so we wrote a Python toolkit called Bitstir that assisted us in comparing cards, visually analyzing data, testing hypotheses, and performing mathematical transformations.
With our large body of data (many purchased magnetic fare cards) and our reverse-engineering software (Bitstir), we were able to decode the layout of the magnetic media, called the CharlieTicket. The figure below illustrates the layout of data on the card. With the data locations, encoding, and security mechanisms known, we were able to craft arbitrary fare cards worth hundreds of dollars.
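The core defect above is that the card carries the value and the verifier trusts what is written on it. The example below is added here and is not the CharlieTicket format, Bitstir, or any MBTA code; it uses a constructed record layout and a constructed system key to show the two pieces a stored-value design needs: an integrity tag keyed by a secret that never lives on the card, and a central counter that catches a cloned or replayed card even when the tag is valid.

```python
import hmac
import hashlib
import struct

# Constructed layout for this example (not the real CharlieTicket layout):
# 4-byte serial | 4-byte value in cents | 2-byte trip counter | 8-byte truncated HMAC-SHA256
BODY_FMT = ">IIH"
BODY_LEN = struct.calcsize(BODY_FMT)
MAC_LEN = 8
SYSTEM_KEY = b"constructed-example-key"  # would live only in the back end / turnstile HSM

def encode_card(serial, value_cents, counter, key=SYSTEM_KEY):
    """Write a card record: plaintext body plus a keyed tag over that body."""
    body = struct.pack(BODY_FMT, serial, value_cents, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag

def verify_card(blob, key=SYSTEM_KEY):
    """Return (serial, value_cents, counter) if the tag checks, else None."""
    if len(blob) != BODY_LEN + MAC_LEN:
        return None
    body, tag = blob[:BODY_LEN], blob[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(BODY_FMT, body)

def tamper_value(blob, new_value_cents):
    """Rewrite only the value field, as someone with a card writer but no key would."""
    return blob[:4] + struct.pack(">I", new_value_cents) + blob[8:]

class Backend:
    """Central ledger keyed by serial: remembers the counter last written to each card."""
    def __init__(self):
        self.counter_on_card = {}

    def deduct(self, blob, fare_cents, key=SYSTEM_KEY):
        """Charge a fare; returns (new_card_blob_or_None, status)."""
        parsed = verify_card(blob, key)
        if parsed is None:
            return None, "bad_mac"          # forged or corrupted record
        serial, value, counter = parsed
        known = self.counter_on_card.get(serial)
        if known is not None and counter != known:
            return None, "replay_or_clone"  # a copy made before an earlier ride
        if value < fare_cents:
            return None, "insufficient"
        self.counter_on_card[serial] = counter + 1
        return encode_card(serial, value - fare_cents, counter + 1, key), "ok"
```

A forger who recovers the key from a reader still wins, so the key (and ideally the verification itself) belongs in the back end rather than in field equipment.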
Working with RFID
Once we discovered how to compromise the magnetic media system, we investigated whether the RFID payment system was also vulnerable. The RFID payment card, called the CharlieCard, is based on the Mifare Classic standard. Building on the research conducted by Karsten Nohl et al., we uncovered several ways to discover the secret key that allows reading and writing of the CharlieCard. With the secret key known, cards can be read and remotely cloned from someone's pocket without their knowledge.
Since we needed to conduct low-level analysis of the RFID card transmission, we used a software radio hardware platform called the USRP along with the open-source software radio toolkit GNU Radio. After bandpass filtering for the correct upstream and downstream frequencies, the signals we captured are shown in the figure below.
The data is encoded and transmitted on a sinusoidal carrier. In order to convert this waveform into the challenge/response pairs from the Mifare card and the subsequent encrypted transmission, we wrote a plugin for GNU Radio to read Mifare RFID cards. The figure below shows the processing blocks in this plugin that the signal must pass through before valid data comes out. Using this custom toolchain, we were able to read the data transmission between the payment card and the turnstile, and then analyze the data.
There are several attacks that can be executed on the Mifare card. An excellent overview of these attacks and of how the encryption algorithm used by the Mifare card (Crypto-1) works can be found in this paper. The attacks exploit weaknesses in the Crypto-1 cipher and allow the 48-bit key space to be reduced. We designed and wrote a Verilog FPGA implementation of a generalized known-plaintext brute-forcing utility that supports several cipher plugins. Using the Crypto-1 plugin, it can quickly brute force a sniffed transaction to recover the secret key. The figure below shows the Kwickbreak FPGA brute-forcing framework we wrote. The second figure shows the user-friendly interface and the attachment to a USB FPGA board. For our investigation, we used a board made by Opal Kelly.
Our research received international media coverage in both academic and general publications. Here are a few of the domestic publications and television networks that covered our findings: