NOTE: This weblog, and especially this post is of my own opinion and had nothing to do with my employer.
If you’ve been paying attention to the usual DEFCON brouhaha this weekend, you’ll note that my fine public transportation system decided to file an injunction against 3 MIT students who tested the MBTA’s security and successfully reversed engineering the Charlie Card. Too bad the presentation deck had already been released. Whoopsie!
As a surly information security engineer and a regular MBTA rider, I feel that I can more-or-less discuss with some authority the issues discussed in the presentation deck.
First, the physical security issues they discuss are spot on. As any regular rider of the MBTA knows, there are near constant issues with “exit only” doors unlocked or left wide open and people zipping through open gates when someone is exiting. The MBTA “customer service agents” either ignore it or flat out don’t care. On the Green Line (Which are trolleys, for you non-Bostonian folk.) people regularly get on via a rear door completely bypassing the fare collection system up front. Hell, even the MBTA Police seem to not want to deal with it. As someone who drops $250/month on the MBTA, I am the one who ends up getting screwed.
Social engineering the employees is always one of the biggest issues and the hardest to protect from. As shown in the deck, one can hit up eBay and make oneself into a true blue MBTA employee. I’ve seen first hand (badly) forged MBCR (MBTA’s commuter rail contractor) credentials being used by people to scam free rides. The MBTA spends big bucks on their Anti-Terrorism education campaigns, perhaps that would be better spent in educating their employees to do the same and teach them to start securing their infrastructure. They should also start classifying their information and at least try to keep “non-public” information somewhat private.
The Charlie Card issues are trivial. I long suspected that the stored value cards were similar to the New York Metro Card and would be vulnerable to a cloning attack or could be easily reversed engineered. These guys sat down and did it. From what I can glean regarding the RFID attack, the encryption key is trivial to crack and can be brute forced rather quickly. Had the MBTA opted to go with a more secure RFID system, this would be a lot harder to break, and from the sounds of it, more secure fare collection systems exist.
In my not so humble opinion, the MBTA is 100% in the wrong on this. The judge should not have issued the gag order and the presentation should have gone forward. By doing so, the MBTA squashed discussion on its security, and has made itself even less secure in the process.