Globe Editorial

Charlie's devils

August 20, 2008

STRAPPED WITH an $8.1 billion debt, the MBTA can't afford expensive upgrades to its automated fare equipment. That may explain, in part, why the transit agency put such extraordinary legal pressure on three MIT students who claim to have found a way to hack into the transit system's $180 million automated fare system. But trotting out the lawyers didn't make the T less vulnerable to future hackers.

In 2006, the T adopted the MIFARE Classic wireless chip system produced by NXP Semiconductors, a Netherlands-based company. Riders store value on a smart card - dubbed the CharlieCard - and tap it on a target gate or fare box at subway stations and on buses. But 2006, it turned out, was also the year that radio frequency identification readers integral to the smart-card technology became commercially available. Such a device in the hands of a technologically savvy student at the University of Virginia revealed the vulnerabilities in MIFARE months before the MIT flap.

The MBTA's paper CharlieTicket, which employs magnetic strip technology, may be even less secure than the plastic CharlieCard. The MIT hackers contend that the paper ticket is vulnerable to both forgery and cloning.

The MBTA needs to find better ways to secure its revenues without sinking further into debt or stomping on the First Amendment rights of hackers. That probably leaves out purchasing an entirely upgraded MIFARE system that uses more advanced encryption standards but would cost about $6 per card, according to T officials - about 12 times the current cost.

While much of the public is focused on a courtroom where a federal judge yesterday lifted a gag order on the MIT hackers, there has been too little attention on what the T is doing to protect the public transit system.

The T erred by not seeking an independent analysis of MIFARE's security capacity during the purchase phase. But it is not standing still. General Manager Daniel Grabauskas says the agency is pressing NXP and its vendors to improve the current system. And new encryption features already have been added to the CharlieCard to frustrate hackers. "The next generation of protection is already in the works," says Grabauskas.

The question of additional cost, however, is still unresolved. Minimally, NXP should provide deeply discounted upgrades to compensate for MIFARE's security vulnerabilities. The problem will be solved with stronger design, not legal gag orders.
