Teens hacked Subway Cards to Get Infinite Free Rides

IN EARLY AUGUST of 2008, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.

In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.

They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.

Bertocchi skips to the end of the story: “They didn’t.”

Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s Charle Ticket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.

To demonstrate their work, the teens have gone so far as create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:

In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters earlier this year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.

The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”

“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA's fraud detection team has increased monitoring to account for this vulnerability [and] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”

The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.

Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.

By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.

Not long after they made this breakthrough, in December of last year, the teens read in the Boston Globe about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android Phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.

Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.

In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” say Bertocchi.

The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.

“We’ve had some of our cards get disabled, but most get through,” adds Harris.

So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”

For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.

He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”