MBTA CharlieCard

December 12, 2022

CharlieCards, used to pay for MBTA subway and bus rides, can be hacked using an Android phone, according to Boston-based cybersecurity expert Bobby Rauch.

The MBTA says that, for now, all it can do to address this potential threat is deactivate fraudulent cards.

The algorithm that inscribes the data on CharlieCards is easy to hack, with the tools to do so accessible online, according to a Boston Globe article. Each card contains a near-field communication radio chip, also known as an NFC, which enables wireless communication between devices. The NFC tracks the CharlieCard’s value. A hacker can intercept the radio signal from one person’s CharlieCard to copy its data onto another. Both the original and the duplicate card would work.

Rauch discovered that Android phones can easily copy data from CharlieCards because both Androids and CharlieCards contain NFC chips. This makes hacking much easier than in the past, when such a hack required expensive equipment.

Some Google Pixel phones containing the same NFC chip as Androids can also hack CharlieCards. A free app can be downloaded on the Google Play store that allows both Androids and Pixel phones to download data from an existing CharlieCard and copy it to a new one. Although Apple iPhones contain NFC chips, they aren’t conducive to this kind of hacking.

The data from a CharlieCard could be stolen by an Android hacker standing close enough to the person to grab the card’s radio signal, speculates Rauch in a Boston Globe article.

William Kingkade, MBTA’s senior director of automated fare collection, told the Boston Globe he isn’t afraid many people will try to hack CharlieCards. The MBTA’s computer network can detect fake cards, which he estimates at about 10 per month.

In 2008, MIT students detected a similar security issue with the cards. When the students planned to share this at a public computer hacking conference, the MBTA sued the students and a federal court issued a gag order. The students canceled their plans to share the information at the conference, but civil liberties groups resisted the MBTA’s action. The court reversed its gag order and later, the MBTA dropped the lawsuit, agreeing to talk with the students about the security issue.

Marking a shift in its approach, the MBTA worked with Rauch to understand flaws in the CharlieCard system.

The MBTA plans to upgrade its fare system to smartphone and contactless credit card payments in 2024.