They've improved on a 15-year-old vulnerability.
In August 2021, four high school students from Boston reproduced the vulnerability of the city's subway fare system, discovered by students at the Massachusetts Institute of Technology (MIT) back in 2008. Teenagers not only reproduced the old method, but also developed a new one for the current CharlieCard system, using which you can use the metro for free.
Matty Harris and Zachary Bertocchi found out about the vulnerability in 2008 and decided to check if it was fixed. "We assumed that it should be eliminated, given that more than a decade has passed and it has received a lot of publicity," says Harris. It turned out that the vulnerability remained.
The teenagers spent two years working on hacking together with two hacker friends and presented their research at the Defcon hacker conference in Las Vegas. They have created a portable "vending machine" and a mobile app for Android that can add any amount to the CharlieCard or change the card settings.
Unlike in 2008, the Boston authorities did not sue, but invited schoolchildren to the headquarters of the transport department, where they told about the vulnerabilities found. Joe Pesaturo, the city's director of public relations, said the vulnerability does not pose an immediate threat and will be addressed with the introduction of the new payment system in 2025.
The teenagers said that at the moment the transport department is trying to resist their method by detecting and blocking changed cards, but most of these cards still pass. The answer to the question of whether they use their own equipment for free travel on the Boston subway, they left without comment.
In August 2021, four high school students from Boston reproduced the vulnerability of the city's subway fare system, discovered by students at the Massachusetts Institute of Technology (MIT) back in 2008. Teenagers not only reproduced the old method, but also developed a new one for the current CharlieCard system, using which you can use the metro for free.
Matty Harris and Zachary Bertocchi found out about the vulnerability in 2008 and decided to check if it was fixed. "We assumed that it should be eliminated, given that more than a decade has passed and it has received a lot of publicity," says Harris. It turned out that the vulnerability remained.
The teenagers spent two years working on hacking together with two hacker friends and presented their research at the Defcon hacker conference in Las Vegas. They have created a portable "vending machine" and a mobile app for Android that can add any amount to the CharlieCard or change the card settings.
Unlike in 2008, the Boston authorities did not sue, but invited schoolchildren to the headquarters of the transport department, where they told about the vulnerabilities found. Joe Pesaturo, the city's director of public relations, said the vulnerability does not pose an immediate threat and will be addressed with the introduction of the new payment system in 2025.
The teenagers said that at the moment the transport department is trying to resist their method by detecting and blocking changed cards, but most of these cards still pass. The answer to the question of whether they use their own equipment for free travel on the Boston subway, they left without comment.
