Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Web Design

The MIFARE Classic Card is Hacked, 2008

advertisement 
Audit of the Charlie Ticketing System
For the Massachusetts Bay Transportation Authority
Team China Consulting
Luke, Dylan, Scott, and Craig.
The Incident
• Three MIT students explored the obvious weaknesses at the
MBTA.
• The MBTA’s fare-collection system named the CharlieCard was
“hacked” to show false values.
• The entire MBTA facility was shown to be lacking security in
general.
What Happened?
• The students got into the building through unlocked doors.
• Many locks were unlocked on rooms, phone boxes, and
networking systems.
• They also found a key and other physical identification that
should not have been laying around.
• They also eventually hacked the CharlieCard mag-stripe value
• They also Hacked the MIFARE cards RFID security encryption
allowing cards to be cloned.
• They documented their entire experience with photos and
assembled a slideshow. Link Here
Recommendations
• Risk Assessment (Internal & Third-party)
• Improve Physical Security
– Access Control Hardware & Software
– Visitor Management System
• Improved Ticketing Hardware
– CharlieTicket
– CharlieCard
Risk Assessment
•
•
•
•
Regularly scheduled (Internal & Third-party)
Management, Security and end-user involvement
Reports to identify risk areas and levels
CounterMeasures® – Risk Analysis Software $14,500
(CounterMeasures®, n.d.)
• RFP’s to be reviewed for vendor selection
Physical Security
• Access Control Hardware & Software
– Increase security by eliminating keys
– Provide management, audit tracking and incident response
– Typical installations $1500 - $2500 per door (Access
control, n.d.)
– RFP’s to be reviewed for vendor selection
Physical Security
• Visitor Management System – Lobby Track™
– Increased control and security of visitors in MBTA
facilities
– Security desk, on-line or self-registration kiosk
check-in available
• $1800 per location (Edition Comparison, n.d.)
CharlieTicket
• Improved Card security
• Use a md5 checksum
• Implement central server to track card value
• Implement an exchange program to remove
insecure cards from being used
• Cost
– $0.60 each card (Standard HoloMark, n.d.)
– $5,000 for each new server (Dell PowerEdge, n.d.)
CharlieCard
• Original CharlieCards are “Classic MIFARE”
• MIFARE Plus = Improved security over regular
“MIFARE”
– Better encryption
• AES-128 bit keys instead of 48 bit encryption (The MIFARE
Classic Card is Hacked, 2008)
– Harder to crack
• $6.00 per card (Charlie's Devils, 2008)
Thank You
Team China Consulting
Luke, Dylan, Scott, and Craig.
References
Access Control System Pricing. (n.d.). Retrieved May 6, 2010, from BuyerZone:
http://www.buyerzone.com/security/access_control/buyers_guide6.html
Ahlers, M. M., & Quijano, E. (2009, May 20). National Archives loses hard drive with Clinton era records. Retrieved March 10, 2010, from
CNN Politics:http://www.cnn.com/2009/POLITICS/05/20/lost.hard.drive.clinton/
Baxter, C. (2008, August 12). MIT students' report makes security recommendations to T. Retrieved April 20, 2010, from The Boston
Globe:http://www.boston.com/news/local/articles/2008/08/12/mit_students_report_makes_security_recommendations_to_t/
B., B. (2008). CRACKING THE CHARLIE CARD. CSO Magazine, 7(8), 17. Retrieved from Risk Management Reference Center database.
COBIT Student Book. (2004). COBIT in Academia. Rolling Measows, IL: IT Governance Institude.
http://alarcos.inf-cr.uclm.es/doc/Auditoria/Cobit_Student_Book.pdf
CounterMeasures®Enterprise Platform 8.1. (n.d.). Retrieved May 10, 2010, from CounterMeasures Risk Analysis Software:
http://www.countermeasures.com/enterprise_platform_product.htm
Dell PowerEdge R510. (n.d.). Retrieved May 17, 2010, from
Dell: http://configure.us.dell.com/dellstore/config.aspx?c=us&cs=555&l=en&oc=MLB1197&s=biz
Edition Comparison. (n.d.). Retrieved May 10, 2010, from Jolly Lobby Track:
http://www.jollytech.com/products/lobby_track/systems/edition_comparison.php
McGraw-Herdeg, M. (2008, August 14). Public Documents Seem to Show Free T Fare. Retrieved March 10, 2010, from The Tech, Online
Edition:http://tech.mit.edu/V128/N30/subwayvulnerabilities.html
References Cntd.
McNamara, P. (2008, 8 11). Exclusive: 'MBTA vs. MIT' lawsuit really about Charlie, not CharlieCard. Retrieved April 6, 2010, from Network
World:http://www.networkworld.com/community/node/30940
Mills, E. (2008, Decemer 23). MIT students to help Boston secure subway fare system. Retrieved March 10, 2010, from CNET
News:http://news.cnet.com/8301-1009_3-10128632-83.html?tag=mncol;title
National Archives Offers Reward of Up to $50,000 for Return of a Missing Clinton Administration Hard Drive. (2009, May 29). Retrieved March 10,
2010, from The National Archives:http://www.archives.gov/press/press-releases/2009/nr09-89.html
Russell, R., Zack, A., & Alessandro, C. (2008, August 8). Anaomy of a Subway Hack. Retrieved March 10, 2010,
from http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Standard HoloMark Card Silver (On UltraCard III w/ High-Coercivity Magnetic Stri. (n.d.). Retrieved May 17, 2010, from
Alvio inc: http://www.alvio.com/product_view.aspx?product_ID=374049&source_ID=froogle
The MIFARE Classic Card is Hacked. (2008, March 19). Retrieved May 12, 2010, from Burton
Group Blogs: http://identityblog.burtongroup.com/bgidps/2008/03/the-mifare-clas.html
Related documents
InfoConnectWorldReso..
InfoConnectWorldReso..
ICRL 2015 Guidelines for Paper Submission 1st Author (full name of
ICRL 2015 Guidelines for Paper Submission 1st Author (full name of
DOC - Handout - The Career Center
DOC - Handout - The Career Center
The American Revolution: Political Cartoons Primary Source Analysis
The American Revolution: Political Cartoons Primary Source Analysis
How to Cite a Website in APA April 2014
How to Cite a Website in APA April 2014
Download
advertisement