Boston Teens Hack Subway CharlieCards, Inspired by 2008 Defcon Attack
Back in 2008, Boston’s public transit authority went to court to stop hackers from the Massachusetts Institute of Technology (MIT) from presenting at Defcon about how to ride the subway for free. Now, 15 years later, four teenagers have continued that research and finally presented at Defcon on how to hack the CharlieCard transit cards.
As Wired recalls, the 2008 Defcon conference was the center of one of the biggest scandals in its history. A group of MIT students planned to give a talk about a method they’d found to ride Boston’s subway for free. But just before the event, the Massachusetts Bay Transit Authority (MBTA) sued and obtained a court order to block the presentation. Despite this, the slides from their talk soon leaked online.
In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read mentioning the canceled Defcon talk. The two, students at Medford Vocational Technical High School in Boston, decided to try to replicate the MIT hackers’ work and learn how to ride the subway for free themselves.
“We assumed it would be impossible, since it’s been over a decade, it got a lot of attention, and they surely fixed [the problem],” Harris said. But Bertocchi noted that the authorities hadn’t actually done so.
After two years of work, the pair, along with friends Noah Gibson and Scott Campbell, presented their findings at Defcon in Las Vegas.
Pictured left to right: Scott Campbell (16), Noah Gibson (17), Matty Harris (17), and Zachary Bertocchi (17).
The teens not only replicated the MIT hackers’ 2008 work but went even further. In 2008, the MIT group hacked the paper Charlie Tickets with magnetic stripes, learning to copy them, change their value, and get free rides. Those cards were discontinued in 2021, just after Harris and Bertocchi began their research, and replaced by CharlieCards—contactless RFID smart cards now used by the MBTA.
The teens managed to compromise the new CharlieCards, learning how to add any amount of money to a card or make it appear as a discounted student card, senior card, or even an MBTA employee card, which allows unlimited free rides.
After months of trial and error with various RFID readers, the teens succeeded in dumping the contents of a CharlieCard and began decoding it.
Unlike credit or debit cards, which track balances in external databases, about a kilobyte of data—including the balance—is stored directly on the CharlieCard itself. To prevent tampering, each data line on the card includes a checksum—a string of characters calculated using MBTA’s own algorithm.
By comparing identical data lines and their checksums across different cards, the researchers began to figure out how the checksums were generated. Eventually, they developed a method to change the card’s balance and update the checksum so that the reader would accept the altered CharlieCard as valid. The teens calculated a long list of checksums for every value, allowing them to change the card’s balance at will. At MBTA’s request, they have not published this table or the details of their reverse engineering of the checksums.
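Why a checksum stored next to the data does not stop deliberate edits, and what a keyed MAC changes, shown as an added example that is not from the article, the researchers or the MBTA. The record layout, the key and the card UID are constructed, and CRC-32 stands in for the MBTA's undisclosed checksum algorithm.

```python
import hashlib
import hmac
import struct
import zlib

# Assumed for illustration: held only by readers/back office, never on the card.
SYSTEM_KEY = b"constructed-demo-key-not-a-real-one"

def pack_fields(balance_cents, card_type):
    # Hypothetical record layout: 4-byte balance, 1-byte card type.
    return struct.pack(">IB", balance_cents, card_type)

def seal_checksum(fields):
    """Keyless integrity: anyone who knows the function can compute it."""
    return fields + struct.pack(">I", zlib.crc32(fields))

def verify_checksum(record):
    fields, tag = record[:-4], record[-4:]
    return struct.pack(">I", zlib.crc32(fields)) == tag

def card_key(uid):
    # Per-card key so a tag copied from one card is invalid on another.
    return hmac.new(SYSTEM_KEY, b"card-key|" + uid, hashlib.sha256).digest()

def seal_mac(uid, fields):
    # Tag truncated to 8 bytes to fit a small card record.
    tag = hmac.new(card_key(uid), fields, hashlib.sha256).digest()[:8]
    return fields + tag

def verify_mac(uid, record):
    fields, tag = record[:-8], record[-8:]
    expected = hmac.new(card_key(uid), fields, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag, expected)

def demo():
    uid = bytes.fromhex("04a1b2c3")            # constructed card UID
    edited = pack_fields(50_000, 3)            # fields changed off-system
    # Whoever edits the fields can also recompute a keyless checksum...
    checksum_ok = verify_checksum(seal_checksum(edited))
    # ...but without SYSTEM_KEY the only tag available is the old one.
    old_tag = seal_mac(uid, pack_fields(500, 1))[-8:]
    mac_ok = verify_mac(uid, edited + old_tag)
    genuine_ok = verify_mac(uid, seal_mac(uid, pack_fields(500, 1)))
    return checksum_ok, mac_ok, genuine_ok
```

A MAC alone does not stop a card being restored to an earlier valid image; that needs a monotonic counter on the card or a balance kept server-side.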
To demonstrate their work, the teens even built a portable “ticket vending machine”—a small device with a touchscreen and RFID sensor. This device can add any amount to a CharlieCard or change its settings. They also built the same functionality into an Android app that lets users “top up” a card with a single tap.
This time, the MBTA did not threaten to sue or try to block the teens from presenting at Defcon. Instead, earlier this year, the young researchers were invited to MBTA headquarters to give a presentation about their findings to 12 executives. MBTA then politely asked them not to disclose details of the vulnerability for 90 days and to withhold some methods to make it harder for others to replicate the hack.
However, the hackers say the MBTA has not fixed the vulnerabilities they found and appears to be waiting for a new fare payment system, scheduled for rollout in 2025.
“It’s important to note that the vulnerability discovered by the high school students does not pose an immediate security threat, [cannot be used for] system disruption or data leaks,” MBTA communications chief Joe Pesaturo told reporters. “The MBTA fraud detection team has increased monitoring for this vulnerability and does not expect any significant financial impact. The vulnerability will disappear once the new fare system is implemented.”
The teens claim the transit authority is trying to counter their attacks by detecting and blocking altered cards, but only a small portion of the cards they added money to have been caught.
“Their protections aren’t really a patch that closes the vulnerability. Instead, they’re playing a game of whack-a-mole with cards as they appear,” the teens said. “Some of our cards were disabled, but most passed [the checks].”
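One way back-office detection of altered cards can work, as an added example that is not the MBTA's method (the article does not describe it): reconcile the balance a card reports at the gate against a ledger of authorised top-ups. The record formats, card ids and amounts are constructed, and the sketch assumes gates report each tap upstream.

```python
from collections import defaultdict

# Constructed sample data (not real fare-system records). Amounts in cents.
# Back-office ledger of top-ups sold through authorised channels:
# (card_id, time, amount).
TOPUPS = [
    ("card-A", 100, 2000),
    ("card-B", 100, 1000),
    ("card-A", 400, 500),
]
# Gate events: (card_id, time, balance the card reported, fare charged).
TAPS = [
    ("card-A", 200, 2000, 240),
    ("card-B", 210, 1000, 240),
    ("card-A", 500, 2260, 240),   # 1760 left + 500 top-up: consistent
    ("card-B", 520, 5760, 240),   # ledger accounts for only 760
    ("card-C", 530, 9000, 240),   # no value was ever sold to this card
]

def find_inflated_cards(topups, taps):
    """Return (card_id, time, reported, expected) for each tap where the
    card reports more value than the ledger can account for."""
    ledger = defaultdict(list)
    for card, ts, amount in topups:
        ledger[card].append((ts, amount))

    last_seen = {}   # card -> (time of last tap, balance after that fare)
    alerts = []
    for card, ts, reported, fare in sorted(taps, key=lambda t: t[1]):
        since, baseline = last_seen.get(card, (float("-inf"), 0))
        credited = sum(a for t, a in ledger[card] if since < t <= ts)
        expected = baseline + credited
        if reported > expected:
            alerts.append((card, ts, reported, expected))
        # Continue from what the card now claims, so one alteration
        # raises one alert rather than one per later tap.
        last_seen[card] = (ts, reported - fare)
    return alerts
```

Detection of this kind is after the fact: the altered card is accepted at the gate first and can only be blocked once the mismatch is noticed, which is the whack-a-mole the teens describe.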
Photo: Wired