Tuesday, December 23, 2008

MBTA not teh stupid after all

L'affair Charley Card has gotten more interesting. Both my regular readers will remember how the Boston subway system (MBTA) sued to stop some MIT researchers from talking about how the security in their new electronic "Charley Card" was teh broken.

Now it seems that the MBTA folks are taking a plausibly sensible approach to the security problem:
The Massachusetts Bay Transit Authority (MBTA) said it would work with Zack Anderson, RJ Ryan, and Alessandro Chiesa to make improvements to the agency's fare collection system "that will be as straightforward and inexpensive to address as possible." In August, the MBTA obtained a court order gagging the trio just hours before they were scheduled to speak about the gaping holes at the Defcon hacker conference in Las Vegas.
Now I'm not a fan of hiring hackers to help your security, but that's not what's happening here. The MBTA chose a system with lousy security, and then sued researchers who were going to discuss it (can you say "prior restraint"). The researchers aren't hackers under any workable definition of the term.

That said, seeing what the transit authority can learn to correct the weaknesses is The Right Thing to do. So well done, MBTA.

UPDATE 23 December 2008 7:50: Interesting discussion over at Slashdot, especially this comment:

Except the MBTA system isn't fixable. It's just full of fail.

For starters, the card's balance is stored ON THE CARD and nowhere else.

Secondly, the fare-taking devices are not hooked up to any sort of network. They just kind of assume that only the special blessed writing device can change the balance on the card.

This isn't quite as stupid as it sounds since the devices use PKI so that theoretically the write request must be signed by a blessed source.

Except, rather than use a tested encryption source like AES (which is available), they went with some proprietary 40-bit encryption scheme for the smart card. The ticket was even worse, there they used a 6-bit checksum. Yes: 6 bits.

So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.

Now you can see why the MBTA sued: their massive incompetence means that fixing the problem they created will easily run into the billions of dollars.

Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.

So it's progress, but not as cut and dried. The Charley Card system is still fundamentally broken, and an investigation of the company who makes the technology would have shown this.

1 comment:

TOTWTYTR said...

Sounds like the MBTA system at work. Or maybe it's just low bid at work. The T is also building a multi million dollar radio system that is essentially incompatible with the radio systems of the public safety agencies that will have to respond to T facilities in case of an emergency. They could have used the same Motorola technology that everyone else uses, but didn't.

As to the glue, the truth is that the original design called for 16 bolts per panel, but as a cost savings measure someone decided to cut that down to 4 bolts per panel.

Duh.