MBTA Security Analysis


In 2008, I worked with three other MIT students (Sam McVeety, Zack Anderson, and Alessandro Chiesa) to analyze the operational and cryptographic security of the Massachusetts Bay Transportation Authority’s farecard media: the CharlieTicket (magnetic strip) and CharlieCard (RFID card). We discovered significant issues with the magnetic card media, the RFID fare cards, and the physical security of the system.

Our work became something of a spectacle when the MBTA decided to sue us before we presented it (sans many crucial details needed to replicate our work) at the DEFCON security conference. We received a temporary restraining order — unfortunately the slides to our talk had already been distributed to conference attendees. To add to the comedy of errors, the MBTA filed a confidential document we had provided to them containing the crucial details we had withheld from our talk as evidence in our lawsuit, thus making it public.

The Electronic Frontier Foundation and American Civil Liberties Union came to our side to defend us in our right to publish academic research. The temporary restraining order and the lawsuit were both dropped.

See also: Zack’s writeup and cryptome.