Cybersecurity expert finds CharlieCards hackable by Android phones


MBTA CharlieCard

By Maeve Lawler, Kasteel Well Bureau Chief

CharlieCards, used to pay for MBTA subway and bus rides, can be hacked using an Android phone, according to a Boston-based cybersecurity expert Bobby Rauch

The MBTA says that, for now, all it can do to address this potential threat is deactivate fraudulent cards. 

The algorithm that inscribes the data on CharlieCards is easy to hack, with the tools to do so accessible online, according to a Boston Globe article. Each card contains a near-field communication radio chip, also known as an NFC, which enables wireless communication between devices. The NFC tracks the CharlieCard’s value. A hacker can intercept the radio signal from one person’s CharlieCard to copy its data onto another. Both the original and the duplicate card would work. 

Rauch discovered that Android phones can easily copy data from CharlieCards because both Androids and CharlieCards contain NFC chips. This makes hacking much easier than in the past when such a hack required expensive equipment. 

Some Google Pixel phones containing the same NFC chip as Androids can also hack CharlieCards. A free app can be downloaded on the Google Play store that allows both Androids and Pixel phones to download data from an existing CharlieCard and copy it to a new one. Although Apple iPhones contain NFC chips, they aren’t conducive to this type of hacking. 

The data from a CharlieCard could be stolen by an Android hacker standing close enough to the user to catch the card’s radio signal, speculates Raunch in a Boston Globe article

William Kingkade, MBTA’s senior director of automated fare collection, told the Boston Globe he isn’t concerned many people will attempt to hack CharlieCards. The MBTA’s computer network can detect fake cards, which he estimates is about 10 per month. 

In 2008, MIT students detected a similar security issue with the cards. When the students planned to share this at a public computer hacking conference, the MBTA sued the students and a federal court issued a gag order. The students canceled their plans to share the information at the conference, but civil liberties groups resisted the MBTA’s action. The court reversed its gag order and later, the MBTA dropped the lawsuit, agreeing to speak with the students about the security issue. 

Marking a shift in its approach, the MBTA worked with Rauch to understand flaws in the CharlieCard system. 

The MBTA plans to upgrade its fare system to smartphone and contactless credit card payments in 2024.