Honestly for developers it is just the best advice to never trust the users of your products and don't be dumb and store an id in card instead of all the details
And sign it, otherwise they could try and spoof another ID.
@hockdudu Could you explain what you mean by sign it?
@reyariass Look up "Code Signing" on Wikipedia, in short it's a way to tell if code is authentic or modified
@reyariass make a signature using a private key, everyone knowing the public key can verify it.
The reason to store ID and value on a card would be so that it'd still work if the network behind it would be offline.
Anyway, if you use 2-3 private/public key pairs and a hard coded salt, it wouldn't be difficult to catch compromised/reprogrammed cards. While still being useful while the network is down.
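The scheme this reply thread sketches (sign the card record with an issuer private key, let every gate verify it offline with the public key, keep a few key pairs so keys can rotate), worked through as an added Go example; this is not code from the video, the students' talk, or the MBTA. The record layout, the choice of ed25519, and the per-card write counter used to spot a restored older copy are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// CardRecord is the data a stored-value card would carry (layout assumed). Every
// field but Sig is signed, so editing Balance without the private key fails at the gate.
type CardRecord struct {
	CardID  uint32
	Balance uint32 // cents
	Counter uint32 // bumped on every legitimate write; detects restored copies
	KeyID   uint8  // which issuer key signed this record (allows rotation)
	Sig     []byte // ed25519 signature over the fields above
}

func (r CardRecord) payload() []byte { // fixed byte layout of the signed fields
	b := binary.BigEndian.AppendUint32(nil, r.CardID)
	b = binary.BigEndian.AppendUint32(b, r.Balance)
	b = binary.BigEndian.AppendUint32(b, r.Counter)
	return append(b, r.KeyID)
}

// Issuer holds the private keys (top-up machines and backend only). Reader holds
// only public keys plus the highest counter seen per card, so it works offline.
type Issuer struct{ priv map[uint8]ed25519.PrivateKey }
type Reader struct {
	pub         map[uint8]ed25519.PublicKey
	lastCounter map[uint32]uint32
}

// NewKeys generates n issuer key pairs (the thread suggests two or three).
func NewKeys(n int) (*Issuer, *Reader, error) {
	iss := &Issuer{priv: map[uint8]ed25519.PrivateKey{}}
	rd := &Reader{pub: map[uint8]ed25519.PublicKey{}, lastCounter: map[uint32]uint32{}}
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
		if err != nil {
			return nil, nil, err
		}
		iss.priv[uint8(i)], rd.pub[uint8(i)] = priv, pub
	}
	return iss, rd, nil
}

// Write signs a fresh record, as a top-up machine would.
func (i *Issuer) Write(cardID, balance, counter uint32, keyID uint8) (CardRecord, error) {
	priv, ok := i.priv[keyID]
	if !ok {
		return CardRecord{}, fmt.Errorf("no issuer key %d", keyID)
	}
	r := CardRecord{CardID: cardID, Balance: balance, Counter: counter, KeyID: keyID}
	r.Sig = ed25519.Sign(priv, r.payload())
	return r, nil
}

// Verify is the offline gate check: known key, valid signature, counter not rolled back.
func (rd *Reader) Verify(r CardRecord) error {
	pub, ok := rd.pub[r.KeyID]
	if !ok {
		return fmt.Errorf("unknown key id %d", r.KeyID)
	}
	if !ed25519.Verify(pub, r.payload(), r.Sig) {
		return fmt.Errorf("bad signature: card data was modified")
	}
	if last, seen := rd.lastCounter[r.CardID]; seen && r.Counter < last {
		return fmt.Errorf("stale counter: restored or cloned card")
	}
	rd.lastCounter[r.CardID] = r.Counter
	return nil
}

func main() {
	iss, rd, _ := NewKeys(3)
	card, _ := iss.Write(42, 2000, 1, 0)
	card.Balance = 999999 // edit the balance bytes, as a hex editor would
	fmt.Println(rd.Verify(card)) // bad signature: card data was modified
}
```

A gate that deducts fares offline would need its own signing key, and the backend would then reconcile the counters and balances it sees against the top-ups it issued; that part is outside this block.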
The fact that the money loaded is not done on the backend(like nyc MetroCards) is just straight up incompetence.
frr
I agree. But what else can you expect from a government agency?
The current system was introduced in 2006, when having a reliable low-latency internet connection on every bus and trolley just wasn't feasible.
The new system will be identical to NYC's, the company behind it just put off working on Boston's system until they were done in New York.
That's because there's a little bit of decency around here
@SIETETIZ is the decency before or after they stab their victims 😂
These kids presented this at defcon in 2023, it was a pretty good presentation.
I'm taking us to defcon 1
Just a simple RFID replication 😂, I used to do that to get access to a workshop at my job
That is not at all what it is, go watch their blackhat talk it was a cryptography algorithm that was for some reason proprietary and they managed to reverse engineer it. It was very complex...
Ik right
They didn't just clone it, they reversed the data on the cards and saw what bits need to be changed and stuff to get a certain "role", amount of credits,... Check their defcon presentation
@thearchitect9757 easy
In the presentation they actually revealed there were cloning counter-measures in the system. Highly recommend the presentation, it was a fun watch.
wait until the mbta devs find out about just having a database and only storing an id on the card
Hard to do that when you’re ripping the government off 100x and only spending 5k for software development
Pretty sure they're storing the cash value on the cards. And without any kind of checksum.
@HoloScope people ripping off the government has got to be my favorite type of hacking stories lol
MIT students did the original hack and I'm pretty sure they were sued. Even after they gave up all their information to the MBTA
what grand mind thought storing the balance locally on the card was a good idea in the first place?
The lowest bidder company that was hired.
To solve this "problem" Spain made local public transport free of charge.
"How did they do it? They figured it out."
Works the same in The Netherlands, lots of people go on public transport for free, just don't put too much on it.
No, it doesn't anymore. Only the old generation of cards had that issue. Lots of free rides either way tho
"Leaked presentation"
Bruh the presentation wasn't leaked, it was posted publicly
This is probably the same RFID issue we had in the Netherlands 10+ years ago. People were also just copying the transit card and putting money on it.
I saw the defcon breakdown of this hack, it’s well worth the watch, even if you know nothing about this topic they explain it very eloquently in a way anyone can comprehend.
you can also duplicate a staff card when it changes
It's hard to get a staff card to duplicate it. Also there's the danger the staff member could be identified and get fired.
These students reverse engineered the card data and modified it. That's the safe way to do responsible disclosure.
@popupdestroyer there are crackers the size of the very microchip inside of them that can find them out…
i was just pointing out how insecure some smart cards are @popupdestroyer
also they can be read from around a meter away when walking past @popupdestroyer
@popupdestroyer it's an RFID card, with a good directional antenna and an LNA, you only need to stand close to anyone with a card in its pocket.
"By the way, they haven't fixed it yet. "
The end
LoL
I swear, every few months I hear something else about the flaws of the Boston subway
This is the bad NXP MiFare card system, mass produced and sold to travel systems worldwide, years after being proven insecure. Ticket system operators can't afford upgrading everything to better chips, forcing them to keep using and buying these bad chips.
In my country, we went from a commuter card to just using paper tickets with QR codes. I don't know if it is related to this hack but it's weird that they went backward. So.. maybe?
Scanning the QR code will get you an encrypted code (idk I'm not a programmer), the commuter code name, the location it's departing, the location it's going, date, date.
@user-28qhfk65 No, it's not. The QR code is created on an external server and the code just has rider info if valid, which corresponds to the external list. Here they were loading the info onto the card.
Though that's what was done on London Transport, the old Mifare system was replaced with a newer system and the old cards no longer work.
@danielmorton9956 Did you actually read what he said? His country switched to using paper tickets with QR codes and he was wondering if the fact they switched had something to do with the fact the non-paper cards could be hacked.
It is so easy to replicate or inject all sorts of data into an RFID card, I'm surprised that the identification/verification information is contained within the card itself.
They should have just taken its UID to do the verification process on their backend service.
Would be cool to try out this hack and definitely not exploit it 😂
That is how they do it where I live
They still use the paper cards, they're just disposable single use/2 way/one day cards that can't be reloaded. They've had the reloadable charlie cards for years.
Here in Finland we have a mobile ticket app that is a carbon copy of the original ticket app, you can buy whatever ticket you want and ride on trams and buses, but if a ticket checker comes, you are screwed.
How to ride the Boston metro for free: _shows the London tube_
It’s also called the T in Boston
These kids are based, and maybe if they made public transit more accessible and affordable, people wouldn't need to hack them for free rides.
I was visiting my school robotics shop when these kids got the invitation to DEFCON lol. They were excited but almost nonchalant about it, they’re definitely gonna go places
The super funny thing about this is they use the default encryption key for mifare ultra cards
Did exactly the same in my city, still works 5 years later
Not me with my student Charlie card from the school 😂
A high school code academy kid could have told you that. If you store the value on the card itself with no handshake from the server upon authorizing, obviously someone can just edit the data. It would be like banks storing your account balance on your debit card.
They also did a talk on this too.
These kids defeated our best tech blocks. Put them in school, not jail.
Fr. Sneakers even had a character that was caught as a hacker.
If these were your "best tech blokes", you are doomed.
I go to school with these guys, they didn’t face any charges for this, they just turned over their findings to the MBTA in exchange for not getting sued
What’s the difference?
I'm guessing the manuals were posted online in pdf format with the default admin user name and password in them... The machines in production never had their default creds updated and the machines ended up getting exploited...
more than likely just cloned the rfid data off the card and found which strings did what, allowing them to edit at will
I hacked the shit out of the Vancouver SkyTrain and did a presentation at defcon about it.
I also ride for free on public transport with the same method. Won't mention the company obviously
Because what they do they do not cross reference the booking system with the QR code that they use to get into the airport lounge so the airport lounges access system is totally separate from the Airlines reservation system it's broken
Here, you forgot some of these
....,,,,,
You should watch their presentation on this.
As a person who lives in MA and near Boston, I can confirm that this seems something that I should learn to do LMAO
Usually, the currency is added in the Backend. The Card merely bears a Unique ID. But if you can duplicate an Employee's ID, then you can get lifetime free rides.
Bruh just walk in behind somebody
Uh well in my country they use customized version of debit cards. It is actually connected to bank and you can even manage it through online banking or atms. It is rather pretty cool feature.
It employs same security measures as normal cards so good luck with that.
If they don't have competition, make them one. The best way for modernization is to have competition.
Better than hopping the turnstile ⬆️
Boston native here, the MBTA is nothing more than a cash cow for the hacks.
As a British viewer, I can definitely tell you that being found in possession of a _Charlie Card_ on this side of the Atlantic might result in some *very* uncomfortable interactions with the Police... 🇬🇧💥😉
For real though, the MBTA is like almost bankrupt. Pay for your ticket lol.
In the late 1990s we just scanned movie tickets and printed them out on the same card stock. Photoshop skills were good enough we could match the font plenty well for whatever show and time. Even used a utility knife for the perforation for the stub 😂
The T has issues? Who possibly could have seen that one coming? Is the red line still actively falling apart?
Not so smart if they WILLINGLY admit to a crime they already got away with....
This was done by Mexican students for years. In the National Polytechnic Institute, it became so big that the Mexico City govt had to create a law against this.
I learned about it in 2014, but I don't know since when this started.
So they in fact didn't hack the subway themselves, they just used an older write up and pretty much rode the wave somebody else created before them. To be honest, that could be done by anybody with some little coding skills and good searching skills.
😆 crazy when you're butt hurt because some teenagers are getting attention instead of you
@Itsashnicole tbf the short says "leaked hacker's presentation" when it was intentionally made freely available. the whole short is sensationalised.
Actually, it says in the video they couldn't use the old hack, as paper tickets were scrapped. So they've hacked the new implied card instead.
I guess nobody ever told him that most hacking is just as simple...
They'll lose more money patching it than just letting the few people hacking the system slip through. It's like walmart and retail theft vs auto-checkout. That's their justification, at least. Really, they're just lazy and/or incompetent.
Lmao Los Angeles does the money value on the back end. That would never work here.
I know a group of students that did the same in Denmark as their exam project
It's insane the developers thought storing the balance on the card itself was a good idea. Storing secrets on the client side is literally one of the cardinal sins of cybersecurity lol. smh
“Charlie Cards” who else gets it. Oh no he’ll never return
Having a system like this function independent of the internet, working flawlessly on each terminal, has its merits.
But I don't see why there can't be occasional backend checks available.
There are backend checks on the TfL Oyster system, if a card gets flagged more than a few times then it'll stop working, it also allows you to view your journey history online and for revenue protection to notice any suspicious activity. Noting that if there is any discrepancy between what value is on a card and what the system knows has been added there must be something amiss.
Also any "high value" card (such as an employee card, senior card or child's card) brings up a different light on the ticket gate which can make things like wrongly using an age restricted free pass easily noticeable.
I heard MIT students published how the Charlie Card machines loaded dates, time and amount were programmed onto it with its 256 MHz CPUs, 20-year-old tech on day one, so easy to hack
Should've just used the cards for identification of the person, which then checks the system for the amount on that person's account. Putting the amount on the cards is so stupid.
Public transport should be free either way
These are the people who should be designing a new system. If they know how to defy it then they should know how to protect it.
Not necessarily. This was a simple hack. But it tells a lot about the level of people who were trusted to create the previous system.
Theft is theft kids. Especially if you didn’t come up with the exploit.
The MBTA is a joke. Honestly Boston has one of the worst public transport systems in the north east.
Love the black hoodie AI-generated kid holding gibberish tickets standing in a NYC subway station 5sec into the video
Boston subway is in its own league tbh
Technically, this is theft of service. It's a crime.
It's almost certainly cheaper to let a few people ride for free than to hire someone competent to fix an outdated system that's already being replaced. Enjoy it while it lasts. Modern RFID tags can solve this by using rolling key systems, like car key fobs do.
FREE. You would have to pay me to ride the Boston subway.
They used cheat engine irl to edit their money
Script kiddies
Public transportation should be free
You need to pay to ride the subway in US? That’s not what I see in NYC 🤣🤣🤣
What the hell?
The actual balance is written to the card?
Those cards are at most supposed to store an account ID, and that's it.
Everything else would be behind an (hopefully) strong authentication layer and looked up on a database.
Make them go live faster by giving out hundreds of thousands of dollars of free rides.
I redeemed all mine to attend a Foghat concert.
I guess they get some kind of an award for that don’t they?
I don’t appreciate these thieves
Opal cards are an easy solution 😮😮😮😮
NSW gang
They could at least use digital signatures to verify that the amount.
MEDFORD HS young sheldon?
I dont live in Boston and i have no need for this card...but now i want one 😂
I need this for my laundry card its expensive paying 3-4 dollar per one machine
This isn't very impressive, you can buy RFID replication tech fairly easily and cheaply. This tech has been around for as long as RFID emitters have been around.
I prefer the old-school hack by hopping the gate.
Other people are paying for their so called "Free Ride".
So, showing vulnerabilities in a system: good.
However, after showing a proof of concept, _using_ the concept will drop into somewhere between fare evasion and fraud territory. Of course these kids would never use this hack for personal gain…Right??
Did the transport company threaten to, or worse, actually sue them? That would be extremely petty and fully expected, especially if they proudly displayed their results.
I find it funny that they use a Raspberry Pi but underpower it so there is a symbol on the top right
At least they did not rip the subway and make money out of this.
That is the definition of not reinventing the wheel
Okay so not that I don't appreciate your efforts but did you just watch defcon and polish it with graphics
old school hacking... using hex editor. The good old days editing the saved games.
It’s crazy how they don’t have a more secure system. I feel like this would be a pretty easy fix
paper tickets were still in use in 2018
Who thought it was a good idea to have the balance on the card? Your card should only be giving a serial number, and the computer system tells them the balance. Something's not right.
not a hacker, just exploited an extremely obvious weakpoint. Can't even call it a backdoor.
ELLIOT HARDMAN IN THE WILD
Why bother fixing it when You can make bank off of it?😂😂
Boston subway
Casually shows the nyc subway
They probably just bought a flipper zero lol
Why did you randomly show Hatchi????
The only thing that comes to my mind is young Sheldon because of Medford
was expecting Sheldon's name in the first three comments.. but glad that it eventually popped up
Flipper Zero to the rescue!
it seems it could be monetized by selling 200 credits for smaller amounts of money
hack the card top up kiosk as well. Reverse the process so it takes money off the card and refunds it onto your bank card. effectively creating money out of thin air.
And end up in jail.
They been loading up cards and selling them on marketplace? For some extra stolen cash.
Stop telling on yourself when you got it going good 😢😢