DefCon Presentation on Subway Hacking Exposes Critical Weaknesses

By PatB
Contributing Writer, [GAS]

A gag order prevented three MIT students from presenting their findings to a Defcon audience on a penetration test at Boston’s Subway system. The Massachusetts Bay Transportation Authority filed a lawsuit to stop the speech and a U.S. District Court granted the temporary injunction, which kept the vulnerabilities in the farecard systems and security violations discovered from becoming public.

The presentation that was going to accompany the speech, however, is located on this website here in PDF format.  It is very compelling proof that the smart cards the fare system uses can be forged, giving riders unlimited rides.

However, to me, the most shocking aspect of this research is that there is a transportation system that lacks any physical security and monitoring for tampering.  The PDF shows that gates are left unlocked, with the keys still in the lockboxes where they can be easily copied.  Rooms that housed the surveillance equipment were easily accessible, and the video monitors showing the operations of critical software could be easily seen through the windows.  The researchers must have appeared on video taped surveillance, however, either no one was reviewing the tapes or no one was watching the monitors.  The students roamed freely and were never stopped nor challenged for improper access.  They were even able to access the fiber lines that connected to the farecard systems, allowing them to tamper with the financial backbone of the business of operating a transit system.

If these college students could so easily access and manipulate the fare system, how vulnerable are the command and control systems of the trains themselves?  What if these college kids had been terrorists?

Seven years ago a majority of the hijackers that crashed into the twin towers originated from Boston, from an airport whose security was lax.  The entire impetus behind the department of Homeland Security, which requires security audits of transportation systems and the strengthening of critical infrastructure is because of the failures of security on 9/11.  And now, seven years later, the Boston Subway System is still wide open to exploit and attack?

Homeland Security should ask for the grant money back that they gave to the city of Boston.  All 93 Million Dollars of it.  That’s what this gag order on these college students is really about.  Its not to prevent word of how to hack farecards from being publicized.  Its to prevent the exposure of how utterly incompetent Boston is at managing their Homeland Security duties.