An Android phone may be used to hack CharlieCards, which are used to pay for MBTA bus and subway rides, claims Bobby Rauch, a cybersecurity expert in Boston.
The MBTA claims that the only thing it can currently do to counter this possible threat is to deactivate phoney cards.
According to a Boston Globe report, the technique used to encode the data on CharlieCards is simple to hack and the necessary tools are readily available online. Each card has a near-field communication (NFC) radio chip, which facilitates wireless communication between devices. The CharlieCard’s value is tracked via the NFC chip. By intercepting the radio transmission, a hacker can replicate data from one CharlieCard onto another. The original card and the copied card are both functional.
Rauch found that since both Android phones and CharlieCards include NFC chips, it is simple for Android phones to copy data from CharlieCards. As a result, hacking is now a lot simpler than it was in the past, when it required expensive equipment.
According to Rauch in a Boston Globe article, a hacker with an Android phone who is close enough to the user to pick up the card’s radio signal might get data from a CharlieCard.
CharlieCards can also be hacked on some Google Pixel phones that have the same NFC chip as Android devices. On the Google Play store, a free app can be downloaded that enables Android and Pixel phones to download information from an existing CharlieCard and copy it to a new one. Despite having NFC chips, Apple iPhones are not amenable to this kind of attack.
William Kingkade, senior director of automated fare collection for the MBTA, told the Boston Globe that few people will attempt to hack CharlieCards. The computer network of the MBTA is capable of spotting phoney cards, which he calculates to be roughly 10 per month.
Students from MIT discovered a related security flaw with the cards in 2008. The MBTA sued the students when they intended to disclose this at a public computer hacking conference, and a federal court issued a gag order. Civil liberties organisations opposed the MBTA’s move, even though the students decided to cancel their plans to present the information at the conference. The MBTA later abandoned the lawsuit and agreed to communicate with the students about the security concern after the court overturned its gag order.
The MBTA changed its strategy and partnered with Rauch to understand the problems in the CharlieCard system. In 2024, the MBTA intends to modernise its fare system to accept payments via contactless credit cards and smartphones.