Bobby Rauch at Hardwear USA 2023

Bobby Rauch

“Un-fare Advantage” - Hacking the MBTA CharlieCard from 2008 to Present

The CharlieCard is a contactless smart card used for transportation fare payment in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (aka MBTA or the T) and several regional public transport systems in the U.S. state of Massachusetts. Nearly 15 years after a group of MIT students first publicly disclosed security vulnerabilities in the CharlieCard, I am publicly disclosing at a major conference for the first time that it is possible using only an Android phone to:

  • Repeatedly refill your own CharlieCard an unlimited number of times, without paying
  • Have replacement CharlieCards delivered to a listed address, without paying
  • Provision yourself new CharlieCards with funds, without paying
  • Steal anyone’s CharlieCard with a single physical tap of the card against an Android phone in a matter of seconds.

This talk will tell the complete, detailed story publicly of how I went about proving this set of vulnerabilities with the new Flipper Zero and an Android phone, how I leveraged this set of vulnerabilities into a proof of concept and actually took a free ride on the T (legal risk ensues), and how I worked with Harvard Law School’s Cyber Law Clinic to represent me in disclosing this to the MBTA and the subsequent public disclosure in the Boston Globe. Having now worked with the MBTA on a set of detection measures and limited public legal disclosure in the Boston Globe and on my personal blog, I now feel comfortable publicly diving into some of the more fun “hacker” details that this audience would care about - talking about my behind the scenes journey of securing legal safe harbor from the MBTA, the concerns that followed, and how I navigated this whirlwind of a process.

This talk will be more than just about a set of vulnerabilities and will discuss complex system design, how vulnerability likelihood and severity can change with rapid changes in technology, the importance of OSINT (Open-Source Intelligence) monitoring and threat intelligence, and the process of responsible vulnerability disclosure to a government agency without a Vulnerability Disclosure Program.

Speaker Bio:

Bobby Rauch is a Boston, Massachusetts, USA-based offensive security engineer and red teamer at a Fortune 500 company, security researcher, and co-host of The Cyber Idiots podcast. He has found high severity vulnerabilities in Fortune 500 companies including Microsoft, Apple, and Oracle. His research has been published by the Boston Globe, Brian Krebs, Bleeping Computer, and other major tech publications. His technical blog posts have been read by more than 60,000 readers, and he has spoken at offensive security conferences around the world including m0lecon Turin and BSides London. Bobby also serves as a mentor on the website, helping advise those who are trying to break into this industry. Bobby holds a Bachelor's Degree in Computer Science from MIT, as well as OSCP and OSWE certifications.