Some Medford kids figured out how to hack CharlieCards to get free rides
By adamg on Fri, 08/11/2023 - 9:34am
Wired reports that a couple of students at Medford Vocational-Technical High School (note to Wired: It's in Medford, not Boston) read about how back in 2008, some MIT students figured out how to hack CharlieTickets, and that intrigued them, and they looked into it.
They discovered that while the T sued the MIT students to keep them from discussing the hack, they didn't fix the security hole involved in the hack, so the adventurous kids, and a couple of hacker friends, figured out how to replicate it with CharlieCards.
This time, though, the T didn't sue - they met with the students and a couple of their hacker pals to discuss the exploit.
Comments
Bug bounty
A bug bounty program is invaluable for many large companies but I don't think the MBTA has any goal of fixing the exploit. There are already plenty of actual bugs like roaches who call the T station their home.
I'd say
I'd say their vendor would be more interested since this was a boxed product that was customized for the MBTA (as are most fare collection systems).
I think the vendor went belly up tho.
I am sure this is something that would be fixed with a patch. But if the software vendor went belly up, and considering that every time the MBTA breathes on this system it costs them an arm and a leg to do, I doubt they want to fix this.
The amount of money that would be lost in the time frame between now and the time Cubic rolls out would not exceed the amount that would be needed to get said software patch.
I think it's more likely to be a design error
in the software, if indeed you can change a card's properties by changing byte values at a set location.
is it
is this a bug or a feature? :-)
Bold of you to assume that
Bold of you to assume that Cubic will ever finish the "Fare Transformation".
The MBTA has a fraud detection team?
How does Joe P keep a straight face when he is called upon to explain the latest MBTA fiasco. Could someone ask Joe P why the Transit Police or the fraud detection squad no longer issue citations for fare jumping?
Because
Joe P is the best poker player. That's why.
(also if you met Joe, like I have, you quickly realize that poker face he does.. well that's just Joe P and how he is, there's nothing special about it)
Meaning, that face is probably why he's the spokesperson. Because he can do that.
Also, for the love of Cheddar Cheese..
Why don't you ask the Media Director at Verizon and ask them why your Verizon Wireless mobile phone isn't working?
I bet you'd get the same very generic response of "let me check into that" and it would be crickets
Point: It's a stupid question that would get deferred. I don't like fare jumpers but let's try to stay on topic.
Why would any fare evader
Why would any fare evader even need a CharlieCard when they can just stick something through the fare gate gap or piggyback?
They call it "Ghosting"
That piggybacking thing is called "Ghosting" by the hep kids. Why "Ghosting", I have no idea. A rather loud alarm happens every time someone uses the technique. My biggest fear on the T is being "ghosted" and then involved in some kind of fare evasion scheme if the T Police ever try to stop it.
if the MBTA were smart
they'd go beyond the easier-handed approach this time and really involve these yutes now for the long term to improve the system, fast track them for jobs, etc.
or, just make the whole thing free and not have to worry about any of this kind of thing ever again.
the blue line experience has never been so efficient, from station entry to exit, and let's not even get into the massive waste perpetrated at the north station fare gate gauntlet.
North Station fare gate
It's both massive fiscal and human waste!
None of this would be a problem...
None of this would be a problem if we did the economically rational thing, ditched fare collection altogether, paid for T operations out of general funds, and spent the billion dollars (literally!) of capital costs of the new fare collection system, and the tens of millions (literally!) of operating expenses currently spent on fare collections, on, you know, actually running buses and subways instead.
Sure Bob
Any idea where the T will get a couple hundred million dollars a year to make up for the lost fares?
I'm still waiting for Michelle Wu's answer, so I've got time for you to get your answer.
I'm all for free transit
Trust me, I'd love to see fare collection go away, it would solve many many problems.
But when it comes down to it.. it's about dollars and cents.
But it's never going to happen here, not when the T is 'born broke' and will never get out of the debt hole it's in. Until the state fixes the T's finances so they can have a balanced budget (HAHAHAHA) this will never happen.
You'd have better luck trying to catch a moon beam in your hand than think the T will go fare-less.
Just to be clear, are we concern trolling re:Wu and the T?
Or just being intellectually dishonest again?
I'm merely noting
That much like the mayor, Bob seems to have embraced this whole "things can be free and there will be no consequences" thing.
But speaking of people (you) trolling, unlike your bike riding self, this Orange Line using commuter could personally benefit from not having to fork out $90 for a Link Pass. That is, until the T starts offering half hourly service on the line when they cut service to match the new fiscal reality.
Do I drone on about Wu's pipe dream of "freeing the T?" I do it as much as she mentions it without discussing how the City will pay for it. She's had at least 6 years to think of an answer, but much like Trump's "infrastructure weeks," it's good press until we see there is no plan.
Ah so it's intellectual dishonesty
Bold of you to assume I don't take the T, it's that damned purity test again!
What intellectual dishonesty?
Unless you’re talking about the intellectual laziness on the part of the Harvard educated politician who made “free the T” her rallying cry.
Me, I have intellectual curiosity, so I’m just curious as to how the proposal will be financed. On one level, it’s a simple question.
Feel like Ari made some good points below
And Bob gave a decent breakdown that you dodged and went for the lazy attack on why Michelle Wu, mayor of Boston, has not shown how the State could manage a fare-less T.
Actual legislation showing the plan is what you're asking for and absent of that of course, you have an easy strawman to knock over. It's a convenient axe to grind!
But no you're right, spending a billion on a new fare collection system is a better use of funds.
Free buses != free transit
Without getting into whether it is a good idea (jury most certainly out) …
Free transit and free buses are not the same thing, fare-wise.
Based on pre-pandemic data (more recent data probably tracks, but is lower), the T collected about $660 million in annual fare revenue. About 5% of that comes from local bus-only fares, somewhere in the $30 to $40 million-per-year range. Most people have passes, or make bus-subway transfers, so bus, or bus-bus transfers, or bus-only passes, make up a small portion. This is based on the T's documentation for the 2019 fare increase (here) with some reasonable assumptions on "fare pass multiples" (see here).
Bus fares yield minimal revenue and are the costliest fares to collect, because every bus needs fare collection (and in the future, fare collection at each door), or every stop needs fare collection, or some combination. That's expensive! And unlike Commuter Rail or Rapid Transit, collecting fares slows down the operation of buses, which costs money (and means fewer riders, even those who are then going to pay a rapid transit fare). And leads to operator assaults (which costs the T money). So you're investing a lot of money in a fare system in order to collect a marginally small amount.
There's even a strategy where you could require people to pay a fare at major transfer points (Harvard, Forest Hills, Andrew, Nubian, etc) where you could concentrate fare collection equipment to bring this margin down more, although that would also bring about enforcement challenges. Make the stations fare-paid zones where you have to tap when you get off the bus or visit a fare machine. But again, that would probably mostly be for show.
Anyway, a reasonable fare policy would be one where the T optimized for collecting the highest amount of fare revenue with the smallest amount of fare collection equipment. The marginal cost to collect the first 80-90% of fare revenue is quite low (people are honest/already have a pass/etc). The last 10-20% gets harder and harder to collect until the marginal cost to collect the last fare (or the last 1 or 2% of fares) is infinite. No matter what you do, there will always be scofflaws bent on getting around paying fares. Rather than spending billions to make it impossible for them not to pay fares, spend millions to make it easy for everyone else.
There's a corollary with MassDOT's All Electronic Tolling (AET) on the Pike (and harbor bridge/tunnels). With toll booths, pretty much everyone had to pay a toll (unless you went through the exact change line or paid with Canadian pennies or whatever), but it cost a lot of money dealing with cash and labor and infrastructure. FastLane-and-then-EZPass made it much easier to pay tolls, but there is always the potential to lose out on some toll revenue. AET replaced all of the tolling infrastructure for about $100 million, when rebuilding all of the toll booths would have probably cost three or four times as much, plus paying Toll Booth Willie to collect his quarters. Instead, the State is willing to accept some amount of "leakage" in order to have a system which is faster, safer and easier for everyone, and costs a lot less to operate. Imagine if the same idea was afforded to people taking transit?
Interestingly, a bunch of states are not doing this. New Hampshire studied AET vs "open road tolling" (basically, EZPass lanes in the middle and toll booths on the side) and found that AET was significantly less expensive in the long run when taking into account capital costs. Yet there (and in Maine, and in Ohio) they're building new toll booths in order to give the perception that they are forcing people to pay tolls (there's really no difference between driving through an AET and an ORT without a valid transponder; in both cases you get a photo taken and get a bill in the mail). The Maine Turnpike director said that if they got rid of cash, they would have to double the cash toll in order to make up for lost revenue. Which makes exactly zero sense, especially since 70% of tolls are already paid by transponder. But Maine is out there building new, $40 million toll booths (1/3 of the cost of removing toll collection from the entire Turnpike in Massachusetts) and then paying more to operate it.
On the Turnpike, leakage accounts for about 5% of tolls ($122 million over 6 years, versus about $400 million in annual revenue) and the state has been dragging its feet on collecting on a lot of that, mostly since revenues increased on the Turnpike so they were kind of fine with it (which is infuriating logic in its own right). But imagine if the T went out and said "yeah, we're fine with not collecting 5% of fare revenue like the Turnpike does." That is what not collecting bus fares would do.
One more thing: If you skip out on tolls in Massachusetts, you can't renew your license or registration until you pay them. They have reciprocity agreements with most of New England, plus New York. They should probably have reciprocity with the rest of the EZPass states (basically everyone south to Virginia and west to Illinois) and work with Connecticut and Vermont (call up the DOT and say "give us reciprocity and we'll cut you a check for 5% of what we get from scofflaws" or something). 41% of unpaid tolls are from out of state. Meanwhile, if bus fares weren't collected, 50% of bus-fare-only riders are low income and 50% are people of color. So while non-toll-payers are often people from out-of-state who can likely afford the toll, the people who would not be paying bus fares are nearly all low-income residents who could use that $1.70.
TL;DR: the T should go to the Turnpike people at 10 Park Plaza and ask them how AET has gone even if there are some people who are skipping out on tolls.
Thank you for coming to my Ted talk.
collecting bus fares takes time
After moving to the area, I noticed that MBTA bus drivers prioritize keeping the buses moving over collecting fares. Sometimes that's a driver waving one or two people on when the traffic light turns green, and sometimes it looks like policy:
The fare box needs rebooting? OK, everyone rides free for the first few stops. Or the fare box is broken, but the MBTA leaves the bus in service, and everyone rides free. Or "free," because as Ari O. noted, a lot of people have monthly passes, or are transferring from another bus or from the subway.
This may be the only thing that the MBTA is doing better than other systems: the purpose of a bus is to carry passengers, not to collect fares. Other cities' transit systems don't seem to agree with that.
The fare machines are a disaster.
Drivers aren't going to make everyone else wait while someone keeps getting a bill rejected or has to struggle with the must-have-never-been-tested user interface.
And if you really want to bond with your bus driver, just say something like "whoever made those things should be shot." The drivers hate the machines even more than we do.
I hardly ride the T
I don’t even ride the T more than a couple of times a month, and I’d be delighted to pay enough more in taxes that everyone could have free public transportation. Because I believe that we should have nice things, including great infrastructure, and I’m willing to pay for it.
Maybe one of these Medford ethical hackers
Is a future technology Michael Bloomberg
So his parents
will get a building named after them?
What building?
If it is the Medford Public Library, it would likely have been named for Charlotte Bloomberg regardless of her son's fate or fortune or investment. The woman was the freaking soul of that library for decades, and part of the building committee for the former building.
It has been happening like
It has been happening like this for a while. My husband used to hack into the phone system to make free calls when he was a teen in the 80s.
Those 550 & 900 numbers of the 80s ...
Had occasional free time slots that you could find codes for in Bay Windows or the Phoenix. No hacking necessary hehe
He would do it from the
He would do it from the neighborhood phone boxes. He lived in CT.
Believe it or not…
Believe it or not, that's how Apple (then called Apple Computer, if I remember correctly) got its start! The two Steves (Jobs & Woz) used to make "blue boxes" to help people make free long distance phone calls (yes, they used to cost extra $$). I don't recall their ever being prosecuted for this, though; not sure why.
Me too
My friends and I were hacking into the phone system to make free calls when I was a college student in the 1960s.
A straightened-out paper clip, and a suitably hacked pay phone, could get you lots of free calls. Never mind the higher tech stuff like the "blue boxes".
Oh man.
Finding the checksum for "unlimited access", and its location, and changing the stored checksum value without having to know the password:
"By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. "
That is really, really awful security for the MBTA to still be using in 2023. I learned that trick forty years ago, from an MIT student!
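As an added illustration of why a checksum that can be recomputed from the card's own contents gives no tamper resistance (constructed example code, not the page's, the MBTA's or the vendor's scheme; the record layout, the additive checksum and the reader key are assumptions), the same change-the-balance-and-recompute step is run against an unkeyed checksum and against a keyed HMAC tag:

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed toy card record (an assumption, not the real CharlieCard layout):
# 4-byte balance in cents, 4-byte card id, then an integrity field that is
# either a 2-byte unkeyed checksum or an 8-byte keyed HMAC tag.
READER_KEY = b"constructed-key-held-only-by-the-reader"  # assumption


def unkeyed_checksum(payload: bytes) -> bytes:
    # Toy 16-bit additive checksum. Anyone who can read card memory can
    # recompute it, which is why a table of "checksums for every value" works.
    return struct.pack(">H", sum(payload) & 0xFFFF)


def keyed_tag(payload: bytes, key: bytes) -> bytes:
    # Truncated HMAC-SHA256: cannot be recomputed without the reader's key.
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


def make_record(balance_cents: int, card_id: int, key: Optional[bytes] = None) -> bytes:
    payload = struct.pack(">II", balance_cents, card_id)
    tag = keyed_tag(payload, key) if key else unkeyed_checksum(payload)
    return payload + tag


def verify_record(record: bytes, key: Optional[bytes] = None) -> bool:
    # What a reader does: recompute the integrity field and compare in constant time.
    payload, tag = record[:8], record[8:]
    expected = keyed_tag(payload, key) if key else unkeyed_checksum(payload)
    return hmac.compare_digest(tag, expected)


def balance_of(record: bytes) -> int:
    return struct.unpack(">I", record[:4])[0]


def rewrite_balance_without_key(record: bytes, new_balance: int) -> bytes:
    # Simulates a tampered card for testing a verifier: change the balance bytes,
    # then fix up the integrity field using only what is readable from the card.
    # Unkeyed scheme: the checksum is simply recomputed. Keyed scheme: there is
    # no key to recompute with, so the old tag is left in place.
    _, card_id = struct.unpack(">II", record[:8])
    payload = struct.pack(">II", new_balance, card_id)
    if len(record) - 8 == 2:
        return payload + unkeyed_checksum(payload)
    return payload + record[8:]


def reader_accepts_tampered(key: Optional[bytes]) -> bool:
    # Returns whether a reader using the given scheme accepts a $5.00 card
    # that has been rewritten to $999.99 without knowledge of any key.
    original = make_record(500, 0x1234, key)
    tampered = rewrite_balance_without_key(original, 99999)
    return verify_record(tampered, key)


if __name__ == "__main__":
    print("unkeyed checksum accepts tampered card:", reader_accepts_tampered(None))
    print("keyed HMAC tag accepts tampered card:  ", reader_accepts_tampered(READER_KEY))
```

A keyed tag only moves the problem to key management on the reader; a stored-value card still benefits from a backend ledger that reconciles card balances against recorded top-ups.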
Windows Server 2003
This all runs on top of Windows Server 2003. (No, not a typo.) An OS that isn't even supported by Microsoft anymore and should have been sunsetted about 10 years ago when support ended. (fwiw, Microsoft just pulled support for Server 2012, two versions newer than Server 2003).
Most stations have two servers inside the old fare collection booth + comms gear back to Park Plaza. (Green Line above ground stations are slightly different except they home-run back to various points along the line where those servers exist).. and considering the licensing costs along with hardware upgrades, it would cost far too much to upgrade.
So yeah, I don't think they care; it would be too costly to fix. And the few who could actually have the technology and skill level to build one of these machines to create the cards.. I don't think that cost would exceed the millions to fix a 20+ year old system.
This is what gets me about anytime technology is used in the public sector (The T, Schools, Court System, DUA, etc), there's always money to build out new shiny systems with lots of bells and whistles. But there's never any money to support continuable upgrades that these systems will need to be secure and functional. It's more cost effective to incorporate upgrades into your yearly budget than to blow a large chunk of change on a new system because the old one became antiquated.
The MBTA just let the card system rot until it was too far gone to fix it. Much like they did to the previous token and card system that was built IN THE 1960s. Most transit systems upgraded their card systems in the 80s when better technology existed. Not the MBTA tho!
I knew the farecard readers were running 2000 OSes
because every so often I'd see a vintage error message, so, sadly this doesn't surprise me :-(
Yeah
The gates initially ran Windows 2000 Embedded and were upgraded at some point to Windows XP Embedded.
If you are there when a service tech is fixing the gates, you can watch the Windows XP start up screen show on the display on the top of the gate. Then the Windows XP desktop loads, then the fare gate front end software.
If I recall my old POS (point of sale, not piece of sht) work, upgrading from Win2k Embedded to Windows XP Embedded was a free upgrade (you just had to upgrade the clients). But going to Embedded 2007 (the Windows 7 version of Embedded), would cost you. (and most likely require new client hardware)
I only know this much about this fare system because I was
a) TAP card holder at the time and beta tested the gate system
b) Was very nosy when they were upgrading the stations and watched what the technicians were doing. Many times they left the converted fare collection booth turned server closet door open, and very clearly in there was a half rack, with 3 servers and a display that had Windows Server 2003 on its display)
c) I've gone on enough IT related interviews at the MBTA to know and discuss what the gate system is all about (for a while they were hiring technicians to service those, and I was called to apply)
d) I spent many years supporting Micros registers, which use the same client/server topology and technologies. This included writing front ends for them and deploying them. (you think the T is bad, try doing this at your favorite chain restaurant. It's awful!)
?question?
Was that the bill gates? (Double pun alert!)
And let me guess,
the MBTA is using Access as its database.
I wonder if the kids tried setting the card values to over $32768 (or over $65536) to see what would happen.
Nah
Microsoft SQL Server 2000 or 2003.
Which is not much better than access. You can just have multiple tables.
Token-and-card?
The token system goes back to when fares were 15¢ in 1950ish (before that it was a nickel or dime and the turnstiles just accepted those). When fares were a quarter, turnstiles accepted quarters. When Dime Time was a thing (midday discounts) they didn't reconfigure turnstiles, dimes were just accepted at fare boxes.
The first passes were created for select employers in 1974 (now relying on Boston in Transit) for annual travel, and they were made available to the general public in 1978. These were "flash passes" and shown to operators or fare collectors (except for the Berkeley entrance at Arlington, where mag stripe readers were installed, since John Hancock was an early adopter). Magnetic stripes came in the early 1980s but it wasn't until the early 1990s that magnetic fare boxes became standard. (At least one of the old mechanical fare boxes was fashioned into a lamp and given to Fred Salvucci.)
But the cards started in the 1960s and weren't fully integrated until about 1990. That system was fully replaced in 2006. So, yes, it's time for a new one.