FLOPPY RISK
MBTA kiosks running outdated Windows XP vulnerable to hacks
As the MBTA’s plan to implement a new fare-collection system remains in limbo, some cybersecurity experts say that the T’s continued use of antiquated Microsoft Windows XP on its kiosks makes the transit authority more vulnerable to cyberattacks.
“If an attacker was able to get administrative privileges, they would have full access to that machine,” said Alina Oprea, an associate professor in the Khoury College of Computer Sciences at Northeastern University.
In April 2014, Windows announced that it was ending support for the 12-year-old operating system and told customers it was “critical to migrate now to a modern operating system.”
“This means that PCs running Windows XP will not be secure and will still be at risk for infection,” Windows Support said in a statement.
Despite the company’s announcement more than five years ago, MBTA spokesperson Joe Pesaturo told the Herald that the embedded version the T uses has been “patched” many times and the fact that the machines remain on a closed network protects commuters from having their information stolen.
“The machines are on a segregated network and do not communicate outside the Automated Fare Collection internal network with the MBTA,” Pesaturo said. “The MBTA also remains payment card industry-compliant for credit/debit card acceptance.”
However, while Oprea said keeping the kiosks on a closed internal network significantly helps with security, she added that if a hacker were able to gain administrative access to the network, the presence of an outdated operating system would make it easier for them to get access to sensitive information.
“You could have cyberattacks, a ransomware attack, any attack that you read about in the news,” Oprea said.
The MBTA announced in May that what it calls AFC 2.0 — the new automated fare-collection system it says will be more efficient for riders and allow for more flexibility for the T — will be put on hold for an indeterminate amount of time as the T and the new system’s vendor hash out some new issues. The system was expected to fully roll out by summer 2021.
Matt Casale, a transportation advocate for MassPIRG, told the Herald that he’s not surprised the MBTA continues to run on an outdated operating system, but that he believes it exemplifies that the T needs to move forward with AFC 2.0.
“It’s becoming increasingly clear that we need to modernize our public transportation system,” Casale said. “Whether it’s an example like this or an example like the Red Line derailment, this shows that we need to provide modern infrastructure and we are just not there yet.”
Pesaturo said T staff will provide an update on the transition to new fare collection equipment at next month’s board meeting.