Smart-card hackers expose dumb flaws

College students crack a relatively simple code in frequently used access technology to expose major security weakness.

By Jenni Spinner August 26, 2008

Three Massachusetts Institute of Technology (MIT) students hacked into Boston’s mass transit system earlier this year. Once in the system, they cracked the flimsy code guarding the data, enabling users to add money to fare cards without paying a penny. The act adds up to more than a prank—it exposes the inherent weakness in a security technology used in door-swipe badges, fare cards, and other security and access systems worldwide.

In 2006, the Massachusetts Bay Transportation Authority (MBTA) spent nearly $200 million upgrading its fare collection system. Because the Mifare Classic chip in the new system uses a quickly crackable cipher (as demonstrated by the MIT students), MBTA officials are faced with the possibility of having to scrap that system and spend yet more revenue on a new, better-guarded technology.

Other departments have responded to the exposed security flaw. In the United Kingdom, London Underground officials installed a stopgap measure to secure the system while a permanent upgrade is being developed. In the Netherlands, government officials have placed security guards at doorways once guarded only by smart cards.