This is, like, an incredible honor to be here. I had no idea there would be this many people; this is amazing. We're incredibly honored, excited, and absolutely terrified to be here right now. So, as I think he alluded to earlier, I'm gonna start off with a quick question: how many of you guys like taking public transportation? Okay, all right, all right. Now, how many of those same people enjoy paying for public transportation? I see a couple hands. Okay, well, for those of you with your hands up, it's a good opportunity to avert your eyes if you want, but for everybody else I actually have a little bit of bad news to start off with, because, as our local transit agency's lawyers have instructed us to say and put on our title slide: "The MBTA does not endorse or encourage any type of conduct with evading fares, and hacking the MBTA fares is illegal, and the MBTA takes these matters seriously. Anyone conducting this type of behavior will be referred to the appropriate law enforcement agency. The MBTA
is implementing mitigation measures to address some of these concerns." Okay, so now we can begin. So actually, are any of these... no, these aren't even up here. Should the slides be appearing, right? I think we're having trouble. Okay, we're on it. Good. Yeah, so I would just explain who we are. So we don't actually have any real, like, qualifications or anything. We don't work at any fancy cybersecurity companies, not yet anyway. We're vocational high school students from Medford, Massachusetts. We call ourselves amateur miscreants. We really like to make stuff, we also like to break stuff, and we don't really like being told what to do. And we're also part of an underwater robotics team at our school called Sunk Robotics. We compete in a competition called the MATE ROV competition. It's a lot of fun and it's brought the four of us a lot closer together. So let's see, helpful, yeah. Okay, so I have pictures up here of us, but you'll just have to take a look at us here. So it's me, Zach, Scott, and Noah.

So you might be wondering what you're actually gonna get out of this talk. Well, if you live in Boston and you're paying attention, you'll get free rides on the MBTA. If you don't, you can get lessons on how to reverse engineer a transit card, and more generally some lessons on reverse engineering. You also get a lesson on how to talk to a government agency and how to not end up in handcuffs when you do so. And if nothing else, hopefully at least get a fun story. And I should mention, as I just did, that this is illegal. Don't do it, or if you do, just, like, don't tell us about it. Okay, so let's see. We kind of... yeah, we'll figure it out. Okay, brief introduction. This wouldn't be DEF CON without computer glitches. Is it seen on the second display? We'll just get you back. Hey, sorry about the whole thing, you found it from the last bit.

Meet the T. The Massachusetts Bay Transportation Authority is the public transit agency in Boston. They manage all the buses and the subways. It's also the oldest transit system in the country.
We have a picture of the T's logo and the subway map here, but... these are the slides, sorry. So, sounds great. How can you hop on? Option one, you have traditional fare evasion, which is like hopping the gates or forcing them open, or even just waving your hand over the sensor to make them open. Paying also works. Subway fare is two dollars and forty cents and bus fare is a dollar and seventy cents. But there's some problems with these strategies. Traditional fare evasion: it's too easy, it's really boring, and you also might get caught. Paying is way too legal, it's also way too boring, and importantly, it costs money. So what do you do? You hack the fare system.

So how many of you enjoy reading random Wikipedia articles in your spare time? All right, okay, very good. I certainly do as well, and this whole project started by me actually reading a Wikipedia article, the CharlieCard Wikipedia article. And I went down to the criticism section, the best part of any article, and I saw a nice "security concerns" section, and a couple things stuck out to me: one, DEF CON, MIT students, and a federal lawsuit. We'll see if anyone here remembers that, and that can tell you a little bit more about some of these security concerns. So just to get a feel for things, does anybody remember that? He does, okay. So around 15 years ago, back when dinosaurs roamed the earth and we were two years old, the MIT students figured out how to hack the CharlieCards, or more specifically the CharlieTickets, the mag stripe tickets, and add values up to $600 on them. So they had the same ambition as us and wanted to come here to present. MIT, or the MBTA, did not like that, so they put out a restraining order against these kids from MIT so they couldn't come here and present. So if the slides were working, we'd have our comically timed gavel and a picture of their restraining order. But, you know, they got sued. So we actually were inspired by them a little bit, and when they got sued, their slides, all their research, was just put straight into the public domain,
which allowed people like us to get our grimy hands on them. So let's try to be like them, maybe minus the lawsuit part.

So step one: go for the low hanging fruit. CharlieTickets. They have awful security, and the MIT students found out how to clone and reverse engineer them. So, seems easy enough, free rides for life. So step two: choose your weapon. If the slides were working, you'd be seeing a picture of a mag stripe reader on eBay. It was $88. A little pricey, but it's an investment. Riding the subway is also pricey and an investment. So we're thinking, do we buy a mag stripe reader? The answer is no. So around the time when we started this project, about two years ago, the MBTA actually phased out mag stripe tickets. So any disposable paper tickets were out and actually tappable, which renders them useless to us. So it's time for a new plan.

Yeah, so now that CharlieTickets were out of the question and the new tappable tickets that replaced them seemed like they actually might have had some decent security, we decided to move on to the CharlieCards. So if you're not familiar, there would be a picture up here, but the CharlieCard is a contactless smart card. It was introduced in 2004, before any of us were born. You just add money at vending machines and you tap cards at fare gates. There you go. But how does that actually work? Well, when we first started doing our research about two years ago, we weren't 100% sure. There wasn't very much published research about it. We kind of assumed that it would use NFC or RFID, how else would you be able to tap it, but we didn't know much more than that until we took a look at the MIT students and their slides, and they described that it used MIFARE Classic. And so what is MIFARE? So I had to read another Wikipedia article, and I can tell you that it's a standard for data storage and communication. It's made by a company called NXP. There's a lot of different flavors of it: MIFARE Plus, Ultralight, DESFire, that all serve different purposes. But the most famous, or
rather infamous, flavor is MIFARE Classic, and that's the one they use in the CharlieCards. It's the oldest flavor and it has NXP's homegrown encryption algorithm called Crypto-1, and fortunately for us, it's proprietary, 48-bit, and relies on security through obscurity. Now, if you don't actually, like, know anything about crypto, which I'm sure most of you do, that might sound like a good thing, because, you know, proprietary formulas are touted as, like, good or something, and 48 is a big number. But any encryption algorithm worth its salt is going to have millions of eyes looking on, looking for ways to improve it, and 48-bit encryption can be cracked in, like, an hour. So unsurprisingly, some researchers found some holes in it, and they tried to publish it, and they got met with a whole mess of lawsuits around it.

So now that we know what kind of technology we're dealing with, how do we actually talk to these cards? Well, first step, and I would have a picture here, was grabbing an NFC reader. I found one on Amazon, like 40 bucks. It had a convenient USB interface and there was software out there for it. I then set out trying to figure out how to use that software, called libnfc, but I then sent it right back because I couldn't figure out how to use it. It's too complicated for me. So I had to buy another one. This one's called the Proxmark 3. I don't know how many of you are familiar with it, but it's kind of like, before the Flipper Zero came around, the Swiss Army knife. It was 40, 80 bucks, although some of the really expensive ones may be three or $400. It has some really nice software that's really easy to use. The only problem I had is that it didn't work. It came to my doorstep and I opened it up, I could connect to it, but I couldn't really do that whole, you know, reading and writing cards thing that it was supposed to do. So I had to buy another one, about 40 bucks, this time from AliExpress. I'm sure that's not going to be an issue at all. And it wasn't, it worked just fine. I
could read and write to cards. I had a blast with it until, and also a picture for this, but the USB, the micro USB header, came clean off, and I tried soldering it back on to the board and I couldn't do that. So guess what, I bought another reader. This one's a PN532. It's a nice small red thing. It's about nine bucks, which might be concerning given that we got burned by the last two $40 readers, but if you are familiar with it, you'll know why it's nine bucks: it has no USB, doesn't even come pre-soldered, and it also only works with the Raspberry Pi. But it does, like, actually work this time, like not just break when you turn your back on it. And what I thought would have been as simple as just buying one NFC reader from Amazon and calling it a day turned into, like, a two to three month ordeal, where I can say that I did at least learn a lot about NFC and NFC readers, and maybe a little more than I would have liked to.

Now that we have an NFC reader, we can actually start trying to talk to cards. But before we do that, we need to get the encryption keys. Unlike regular encryption that just has, like, one key or two keys, MIFARE Classic has 32 keys in total, so you actually need to go out and find them. And while we've established that the encryption they use is pretty terrible, it's still, like, encryption, so you actually need to get the keys if you want to have any fun. So how do we do that? Well, I found a slide show from Black Hat called "Hacking MIFARE Classic Cards." I thought it'd be kind of promising, and I took a look, and it described two different attacks, the nested and darkside attacks, and it describes some software that implemented that. So I figured, all right, let's give them a go. So the first tool I tried was called mfoc. It implements the nested attack and it does some fancy magic that I don't really understand to get a card's keys. And I gave it a go, and it didn't work, because you need an initial key. So how do we get that? Well, we can try implementing the darkside attack. Fortunately, there's some
software called mfcuk that gets the keys. Kind of cool, I don't know how it works. And I gave it a try, and it didn't work. I left it running for, like, 24 hours and I got nothing out of it. And by this point I was thinking, am I really going to have to buy my third Proxmark and try an attack where I put it in between the card and the turnstile and try to sniff the keys? But then I thought, you know, it'd be kind of nice if the T just kind of left the back door open and used, like, default keys. So I made a quick Google search, a proper Google search, for "MIFARE Classic default keys," and I found a pretty awesome repository with, like, a thousand different keys in it. And I fed them into mfoc, which can take a key list as an input, and there they were, right there, all 16 of them, A and B, right there in that list. And I was like, holy shit, this is awesome.

So now that we have the keys, we can actually start reading and writing the cards. So we can grab a binary dump. Here I would have a picture of a hex editor where you can see the binary data, but obviously you can't see that. So now that we have a binary dump, we can actually attempt to implement a similar attack to what the MIT students did with their cloning. And before you do that, you need yet more special equipment. You can't use any old regular MIFARE card; you have to use these special Chinese backdoor "magic" cards that let you edit the UID for copying. And I had fortunately accumulated a bunch of them with all the, like, bajillion different NFC readers I had bought. So what I did was I took a dump from a CharlieCard, took that hex dump, put it on a magic card... We're going to get this fixed real quick. All right, we're going to use some hand-waving magic to make the slides change. So, yeah, you know, classic DEF CON fashion, so keep telling stories. Okay, so what I did was I took a dump from a CharlieCard and put it on a magic card, and I tapped it on a reader, and sure enough, it actually worked. I would have a picture of
it, and we might in a second, but we'll probably be beyond that. But I have a nice white card tapped on a reader. It's very obviously not a CharlieCard, but crucially, the reader seems to believe it was. And I noticed that when I went to tap that clone card on a reader, it worked, it deducted money, but the card that I copied it from still had its initial value. So if you're kind of paying attention here, you'll notice that means that the source of truth isn't in some database somewhere. It's actually right on the card, and the T is trusting people to just not change it. But you can't trust us. So we figured, okay, that means we can actually change it. So let's see, I'm trying to remember, I normally have the slides up in front of me, but yeah, that means we can actually attempt to change that. But before I did any of that, I wrote a little program that we call Charlie Clone, written in C. I spent a long time making a little progress bar for it, but it just copies cards pretty efficiently, and we use that for any future cloning endeavors.

And one of the issues with cloning cards, well, it feels kind of like we found the infinite money glitch, because you can just copy cards. There are a couple of issues, namely that if you want a $50 card... All right, this is great, it's gonna be a lot easier now. So we need to go on, need to change to the next slide. Okay, all right, so let's see. There are a couple of issues, mainly that you need an upfront investment. If you want a $50 card, you're gonna need to spend $50 to do so. And, you know, it might set off some fraud alarms here and there, because they can detect cloned cards. We've actually gotten a couple disabled. But let's see, okay, yeah, so there's a couple issues. Yeah, they can detect it, and when the cards do get disabled, you have to spend yet another 50 bucks. Okay, nice, okay, here we go. This is what I just described. All right, now we're in business, this is great. Okay, so as you can tell, a couple issues with cloning cards, right? So
what's better than that? Forging cards: actually trying to put our own data on there and have some fun. So if we want to forge cards, that means that we actually have to reverse engineer the cards and figure out how they're storing data and figure out what the hell they're doing. So where do we start for that? Well, it makes sense to look at the hex dump. After all, the money is stored on the card, so it must be in here somewhere. I looked around for a couple things that stood out. I know there's a serial number: when you convert the first four bytes, that's the UID, into decimal, they match the number printed on the card. I then tried to change some data. Just, you know, I put in some random data and just tried to see what happened, and the reader seemed to disagree a little bit. As you can see, it says "cannot read your card or ticket." And then I remembered something: that the CharlieTickets, the old ones, had a checksum in them. It was pretty terrible, but there was still some attempt to avoid people just tampering with it, or accidental tampering. So I quickly realized that the last two bytes that I've highlighted up here in yellow, they might be a checksum, because if you take a look at the red lines that are just zeros, they still have those two weird bytes at the end. And I thought to myself, okay, well, a checksum, that's not too bad, right? I mean, maybe they're just using some standard algorithm and we can just pop the data into the checksum algorithm and have a blast. So I tried some common algorithms, and you can see a couple pictures of them up here. I tried like 20 or 30 of them and, sure enough, none of them worked. So at this point I didn't really know much about checksum algorithms or much of anything, and I thought, okay, this checksum is a little bit evil. I don't know what they're doing. They're probably having their own algorithm, and it's kind of above my pay grade of, like, zero dollars to try to figure that out. So I figured, okay, cloning cards, you know, there's some
issues, but it's all right, I'll take them, and just put this whole project to rest until I met Scott.

So I had received a student card. In the Boston area, if you live far enough away from your school, they'll give you a CharlieCard that gives you free transit within a given area, which happens to be where I live. And I wanted to clone these cards and maybe share them with my friends so we all get free rides, yay. And in passing, I mentioned that idea to Matty at robotics club. We didn't really know each other that well at the time, but that started a lifelong friendship, didn't it, Matty? I gotta really press it, all right. So he'd already figured out how to clone the cards, so we wanted to maybe take the project a little bit further. So a reasonable step seemed to be: let's find where the money is, kind of get our bearings from the data. So we looked at some hex data together for many hours and hours. What we were trying to do is figure out where the money is. We would take a dump of one card, save it, add a bit of money, take another dump, and then compare them in a program called bindiff and look at the differences. But then, like, we're trying to figure out which one of these bytes is the money. There's another accurate 3D render, and about 2000 years later, after much trial and tribulation, we found nothing. So here's a screenshot from that MIT DEF CON slide presentation we were talking about earlier. And how do you reverse engineer things again? Oh wait, you gotta change it. So we had to figure out how to do that, but that pesky checksum's in the way. So let's try to crack the checksum. So if you look at these two screenshots of binary dumps, do you see in the yellow? That's where the checksum is, and then there's all those zeros leading up to those two checksums.
Those are on two different cards, but even though all the data is the same, the checksum is different. So that's something that's kind of weird, and it probably means they're adding cryptographic salt. And for those of you who don't know, cryptographic salt is a little bit of extra data that you mix in just to make it a little bit harder to go backwards. You do it when you're storing passwords, and most of you are probably familiar with that. So we tried those off-the-shelf checksum calculators again, but with a bit of salt, and none of them worked. I spent a little bit of time in my English class doing this, and by a little bit of time I mean three straight weeks of all day, but I still managed to pass.

So that brings us to our first breakthrough. Up until this point we've been replicating earlier research, but now we want to try to do something new. So if you take those two checksums at the end of the line with all those zeros, we thought maybe there's a mathematical relationship between the checksums between the two cards. So we tried a bunch of operations on them: addition, subtraction, multiplication, division, and eventually we landed on the bitwise operation XOR. For those of you who don't know what XOR is, it's kind of like, it's just like addition or subtraction but for binary. So if you look at these two hex dump screenshots, you take the checksums. If you XOR those checksums together, you get a value. That's not surprising. But if you take two different lines that are identical data from two different cards and you XOR those together, you get the same value. So that's kind of interesting, maybe it's something we can work with. So how do we use it? The first step to our process is you find two identical lines. So go back to all those zeros, and then you find a checksum modifier. That's what we call the value you get when you XOR the two checksums together, and we can use it to transfer lines from one card to another card.
So you copy any line from those two cards, you copy the whole line over, checksum and all. Then you XOR the checksum that you copied over with the checksum modifier and you get a new checksum, and you write that into the checksum slot, and boom, the line's copied. So just to recap, here are your instructions if you wanted to replicate this, which don't, it's bad. But you start with two cards, you find two identical lines, XOR the two different checksums to get a checksum modifier. Find a line that you want to move, copy that line onto the other card, XOR the old checksum by the checksum modifier, and profit. But don't profit.

So what can we do with this? You might be thinking, how is this any better than cloning? But remember how those cards get disabled sometimes when you clone them? Now if your card gets disabled, say you put $50 on the card you were cloning and it gets disabled, those $50 are gone. But we can copy that money line from the old card to the new card, and we can also edit data, so it's easier to move from here in reverse engineering.

So that moves on to the next step: trial and error. So up to this point we had been just copying data from card to card, but we still haven't been able to actually fine-tune and edit values. So if you want a $50 card, you still have to spend that initial $50. So we had also been mostly just sitting at home staring at hex data, and eventually, if you want to get things done, you got to go to some readers and tap them. And where do you do that? At a subway station. So if you want to have your own subway station adventure, the first thing you need is an NFC reader, and a portable one. We didn't have any portable ones at this point; we had all of them, like, die on us. So we had to make our own. We took the PN532, which works with the Raspberry Pi. Here's a picture, if you hadn't been able to see that. Hook it up to a battery bank, and then toss that full contraption into your backpack, and refrain from boarding any airplanes.
Next step is to spend hours, or better yet days, just sitting at a train station trying to just kind of reverse engineer stuff, and more about that on the next slide. You can see some of the benches we sat at at those stations, and we got quite familiar with the smell of subway stations. And while we were sitting there, we tried to make a lot of random, or better yet, educated-guess-based changes to try to figure out mainly how the checksum was working, how it was translating data into those two bytes at the end. We would mostly try changing some data and seeing what happens, or just try changing the checksum directly. And what we'd do is we'd take all the changes, flash them onto some magic cards, run up to the reader, tap them, they'd make a lot, and then we'd run back to our seats, whip out our laptops, and do that like 20 times. Otherwise we'd try to, like, hide the cards in our hands to make it, like, not obvious, even though we're still running up to the reader, tapping, and running back and whipping out our laptops. But we never got stopped. No one so much as even asked us what we were doing.

And so eventually, after doing this for long enough, we made a bit of a breakthrough in terms of figuring out where the money is. So we knew that the money is stored on the card, and so that means if you take the same card with different amounts of money, we know that the money must have changed, so we can take a look at some of the binary differences. This program right here highlights the data in red that's different. And I stumbled upon the bytes that are highlighted in yellow. And I noticed something about them: when you convert them from hex into decimal, you get these numbers here, and they don't quite look like anything, but if you divide by two, now they start to look a little bit familiar. And upon trying this with other cards, we quickly realized that those yellow bytes are where the money is stored. And it's also, like, in half pennies for some reason.
We also found that there's two transaction registers, one for the current and last values, and that CharlieCards are just kind of weird. So now that we know where the money is, why don't we try to change it? So I'm going to go a little bit into the weeds here, so either get your weed whacker ready or just tell the person next to you to wake you up when I'm done. So the first step when you're trying to figure something out like this is to isolate variables. As you can see here, the only data that's different between these two lines is the stuff in red. That's the money on the left and the checksum on the right. And we tried XORing the two values together between the different versions. And we chose XOR because that seemed to be the key to copying data between cards, so we figured it might be the key for copying data within a card, or editing data within a card. And we XORed the two money values together and we got a value, highlighted in green, that we call the data modifier. We then XORed the two checksums together and got a value, highlighted in red, that we call the checksum modifier. We call them modifiers because if you kind of shift your perspective in terms of how we change the top line to get to the bottom line, you XOR them by the modifiers, and that's a valid way to change data within this line. Now, of course, there's a lot of valid ways to change data between any two lines, but what we wanted to see is if this would work with other data. So we took a card with nothing on it, $0, and we XORed the data by the data modifier and the checksum by the checksum modifier, and we got this new line here. And we weren't sure if it worked, but when we went to tap it, it sure did. And so while this isn't anything crazy, it's not even enough to ride the subway, it's still our own homegrown value right here. The next step is to add a quarter. It's a little bit confusing, so if you don't fully understand it, just trust us.
But you need to add a quarter because this method relies on XORing things together. And with XOR, you can only... like, if you get saturated with ones, as you can see with the example with 15, there's no way you can keep XORing it to get higher and higher. So you have to add an external value to get another bit, and then you can keep increasing that. So what we did was we added a quarter and we got a card with $2.60. And then we did the same thing, by XORing the values to get a data modifier, XORing the checksums to get a checksum modifier, and then we applied the strategy we did earlier by taking a card with zero, XORing the money by the data modifier and the checksum by the checksum modifier, and we got a new line with $4.95 on it. And we went to tap that. That worked as well. So it means that we have a repeatable strategy that we can just rinse and repeat and try as many times as we want to see how high we can get. And we did just that, and we got up to $163.84. And as you can see, the buttons are grayed out, because past $100 you can't even add any more money. I noted, by writing down the data and checksum modifiers and seeing how they grow, I saw, like, a pattern that basically we're doubling. And I tried that again one more time, and I got up to $327.67, which, if you're good with your powers of two, you know that's a signed 16-bit integer limit. And no, we tried, you can't have a negative CharlieCard. So we eventually refined this process so we don't actually have to add quarters every time, by writing down all the modifiers and building a big table of them. But we got it down to a process like this: you buy a card for a quarter, you just casually set the value to $327, and then you profit. We chose to open all the fare gates because we're so nice. But if you were a little less scrupulous than us, you could use them for your own personal use, or you could sell them and make the T very mad at you. So how does this actually work?
So pardon me if I go a little bit fast, we only got 10 minutes left. So that's how we did it, but we wanted to have a more refined version to use in writing programs so we can do this more automatically. So here's the vocabulary you need to know. The existing data is what's there. Target data is what we want it to be. The data modifier is what you get when you XOR the target data and existing data. The existing checksum is what's there, like the checksum that's already on the card. Target checksum is what we need to make the target data valid. The checksum modifier is what... I'm just going to skip part of this, down to this slide. So this is our process. You XOR the existing data with the target data to get the data modifier. Plug the data modifier and the column the data is in into our lookup table. Our lookup table is a super secret black box. The MBTA specifically requested that we did not share this. But what that really means is come after, maybe ten bucks, and we'll talk. And that spits out a checksum modifier. Finally, you XOR the existing checksum with the checksum modifier to get a target checksum. So there's an example of step three, really fast. And a few more station adventures later, we were able to use this to reverse engineer a lot quicker, because we can just edit data and see what it does. Here's the annotated CharlieCard. The coolest parts, in my opinion, are the money and the card type. The money allows us to make a three hundred dollar CharlieCard, that's cool, obviously. And the card type allows us to make employee cards, which are our favorite. Blind cards, senior, student cards, whatever we want, we can make it now, pretty much. So, okay, we're on a time crunch here. So what button is it? Okay. Fun gadgets. We did all this stuff, but we need to prove that we can do it. That's me. I thought about it. Built a machine. Version one: bad. Version two: bad. Version three: horrible. Four: a little better, getting there. Version five: the first one.
The first version that we showed to the MBTA. The screen's upside down, and I broke it. Version six: I broke it on the way here, but it worked. It did everything. Changed the data, such as the expiration date, money, and it looks cool. So, ingredients. Just read: blood, sweat, tears. Don't do it. So we're going to go pretty fast here. Vagamachine. We chose tarry. Let's do background computation and front end computation, separate them. We had a program that reads NFC and MIFARE cards on the back end and sends it to a web, basically a web-designed front end. We also have an Android app. It was slapped together in, like, two nights, and it's super ugly. Made in React Native. It's very slow too, but it does the job.

Part five. Cool, we're here today. We didn't end up in handcuffs. So do we go to jail or do we not go to jail? We could have published this, given it to you guys, come to Boston, you know, no more MBTA, no more paying for it at least. But we decided to go to them. So here's an article about Bobby Rauch. He actually found out how to clone the cards, went to the MBTA, wrote this nice article about him. So we say, hey Bobby, talk to us, man. How do we do this? How do we get in touch? So this is a complaint form for the MBTA. They don't really have a "we hacked your transit card" form. So we filled it out under question topic "other," said, hey, we did something. So we thought they were going to react like this, chase us away. But they responded. Not quite like this, though. That's an email inviting us to their headquarters. So there you are. We went to the meeting. They brought in a bunch of execs. We talked to them about what we've been working on, how we did it, and how they could prevent us from doing it next time. So that's a real picture of us. Just kidding, they didn't allow us to take pictures in there. So post-meeting fun, quickly, picture, picture. The cops got called on us. Whole story, ask us afterwards. Come on. Demo. What's our time?
Do we got time to play it? Four minutes. Do we do it? Okay, can they do it over there? Can they play the video for us? It's on the laptop. Come on. This is their laptop. Check files, maybe? Not quite. You see it? Okay. Maybe that other tab of files. There's two. Yeah, there you go. Yeah. All right. Wrong one. Wrong one. No, the other video. Yeah, there I am. Okay, I don't even know if you're gonna be able to hear it. We're just gonna roll. This is me buying a CharlieCard. I bought it. Blah, blah, blah. There's, you know, audio. 25 cents, for cheapskates. One use, money on the card, 25 cents. Expiration date, January 14th, 2033, and it has no passes on it. So, let's say we want to add to the money value. Just click some numbers: $251.53. So, let's press edit. Let's tap it on the reader. Then press your little edit button here, and give it another second. Let's check if that did anything. The value has changed. How about the card? Let's change it to an employee because, you know, why not? So, we click employee, put it on the reader, press the little button. So, see the card type: employee with passback. Again, number of uses: one. Money on card: $251.53. So, one more thing we can do is test the expiration date. So, that's our time. Thank you guys for being here. Thin, stand up. Give it up for this guy. These guys, thank you guys so much.
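A worked model of the XOR "modifier" trick the talk describes, added here as an example and not the speakers' own tooling: the CharlieCard's real checksum is not given on the page, so a CRC-16 seeded with a per-card salt stands in for it (an assumption), the line layout with the balance in half pennies in the first two data bytes is constructed, and a truncated HMAC under a per-card key is placed beside it as the kind of keyed check that stops the modifiers from transferring. It reproduces the $2.35, $2.60 and $4.95 figures from the talk and shows why any check that is linear over XOR behaves this way.

```python
"""Toy model of the XOR 'modifier' trick from the talk and why it works.

Added example, not the speakers' code. The real CharlieCard checksum is
not on the page, so a CRC-16 seeded with a per-card salt stands in for it
(assumption); a truncated HMAC beside it shows a check that is not linear.
The line layout (16-bit balance in half pennies, then zeros) is constructed.
"""
import hashlib
import hmac

LINE_LEN = 16                      # one MIFARE Classic block
CHECK_LEN = 2                      # the talk's two trailing checksum bytes
DATA_LEN = LINE_LEN - CHECK_LEN


def crc16(data: bytes, init: int) -> int:
    """CRC-16 (poly 0x1021) seeded with a card-specific 'salt' (assumed).

    Every step is a shift or an XOR, so the result is affine over XOR:
    crc(a ^ b, s) == crc(a, s) ^ crc(b, s) ^ crc(zeros, s).
    """
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def linear_check(salt: int):
    """Checksum function of a card whose only secret is a per-card salt."""
    return lambda data: crc16(data, salt).to_bytes(CHECK_LEN, "big")


def keyed_check(key: bytes):
    """Truncated HMAC-SHA256 under a per-card key: not linear in the data."""
    return lambda data: hmac.new(key, data, hashlib.sha256).digest()[:CHECK_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_line(data: bytes, check_fn) -> bytes:
    """A full 16-byte line as the card issuer would write it."""
    return data + check_fn(data)


def split_line(line: bytes):
    return line[:DATA_LEN], line[DATA_LEN:]


def balance_line(half_pennies: int) -> bytes:
    """Constructed layout: balance in half pennies (as the talk found) first."""
    return half_pennies.to_bytes(2, "big") + bytes(DATA_LEN - 2)


def balance_of(line: bytes) -> int:
    return int.from_bytes(line[:2], "big")


def reader_accepts(line: bytes, check_fn) -> bool:
    """What a fare gate does: recompute the check over the data and compare."""
    data, check = split_line(line)
    return hmac.compare_digest(check_fn(data), check)


def learn_modifiers(before: bytes, after: bytes):
    """The talk's XOR step: data modifier and checksum modifier between two
    lines, either one card at two balances or the same line on two cards."""
    d0, c0 = split_line(before)
    d1, c1 = split_line(after)
    return xor(d0, d1), xor(c0, c1)


def apply_modifiers(line: bytes, data_mod: bytes, check_mod: bytes) -> bytes:
    data, check = split_line(line)
    return xor(data, data_mod) + xor(check, check_mod)


def transfer_demo(check_a, check_b):
    """Move a $50 line from card A to card B via their identical zero lines.
    Returns (raw copy accepted on B?, modified copy accepted on B?)."""
    zero = bytes(DATA_LEN)
    data_mod, check_mod = learn_modifiers(make_line(zero, check_a),
                                          make_line(zero, check_b))
    fifty_on_a = make_line(balance_line(5000 * 2), check_a)
    raw_copy = reader_accepts(fifty_on_a, check_b)
    moved = reader_accepts(apply_modifiers(fifty_on_a, data_mod, check_mod), check_b)
    return raw_copy, moved


def edit_demo(check_a, check_b):
    """Learn modifiers from card A going $2.35 -> $2.60 (the talk's quarter),
    then replay them on a $0 line of card B. Returns (new balance, accepted?)."""
    before = make_line(balance_line(235 * 2), check_a)
    after = make_line(balance_line(260 * 2), check_a)
    data_mod, check_mod = learn_modifiers(before, after)
    forged = apply_modifiers(make_line(balance_line(0), check_b), data_mod, check_mod)
    return balance_of(forged), reader_accepts(forged, check_b)


if __name__ == "__main__":
    salts = linear_check(0x1D0F), linear_check(0xBEEF)             # constructed
    keys = keyed_check(b"card-a-key"), keyed_check(b"card-b-key")  # constructed
    # Linear: raw copy rejected, modified copy and edited line accepted at 990
    # half pennies ($4.95). Keyed: the same modifiers produce rejected lines.
    print("linear checksum:", transfer_demo(*salts), edit_demo(*salts))
    print("keyed check:    ", transfer_demo(*keys), edit_demo(*keys))
```

The larger point the talk makes still holds with a keyed check: as long as the card is the source of truth, a reader that accepts a line pays out on it, so the durable fix is to hold the balance server-side and treat the card as a pointer to it.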