In August 2021, a group of Boston high school students replicated a vulnerability in the city’s subway fare payment system that had originally been discovered by MIT students in 2008. Not only did they reproduce the old method, but they also developed a new approach for the current CharlieCard system, enabling free subway rides.
High School Hackers: Unearthing Subway Vulnerability
Matty Harris and Zachary Bertocchi revisited the 2008 vulnerability to check if it had been resolved. Despite the time that had passed and the attention it garnered, the vulnerability remained unpatched, surprising the duo.
Collaborating with two fellow hackers, the teenagers dedicated two years to their project. They unveiled their findings at the Defcon hacker conference in Las Vegas. Their innovation included a portable “vending machine” and an Android app capable of modifying a CharlieCard’s balance and settings.
In contrast to 2008, Boston’s authorities didn’t pursue legal action; instead, they welcomed the students to the transportation authority headquarters to discuss their discoveries. According to Joe Pesaturo, the director of communications for the city, the vulnerability wasn’t an immediate threat and would be addressed when a new toll system is introduced in 2025.
The students revealed that the transportation authority is attempting to counter their method by detecting and blocking altered cards. However, a significant number of these modified cards continue to operate without issue. When asked if they were using their technique to access free subway rides, the students chose not to provide a response.