Boston Herald

FLOPPY RISK

MBTA kiosks running outdated Windows XP vulnerable to hacks

- By STEFAN GELLER

As the MBTA’s plan to implement a new fare-collection system remains in limbo, some cybersecurity experts say that the T’s continued use of antiquated Microsoft Windows XP on its kiosks makes the transit authority more vulnerable to cyberattacks.

“If an attacker was able to get administrative privileges, they would have full access to that machine,” said Alina Oprea, an associate professor in the Khoury College of Computer Sciences at Northeastern University.

In April 2014, Windows announced that it was ending support for the 12-year-old operating system and told customers it was “critical to migrate now to a modern operating system.”

“This means that PCs running Windows XP will not be secure and will still be at risk for infection,” Windows Support said in a statement.

Despite the company’s announcement more than five years ago, MBTA spokesperson Joe Pesaturo told the Herald that the embedded version the T uses has been “patched” many times and the fact that the machines remain on a closed network protects commuters from having their information stolen.

“The machines are on a segregated network and do not communicate outside the Automated Fare Collection internal network with the MBTA,” Pesaturo said. “The MBTA also remains payment card industry-compliant for credit/debit card acceptance.”

However, while Oprea said keeping the kiosks on a closed internal network significantly helps with security, she added that if a hacker were able to gain administrative access to the network, the presence of an outdated operating system would make it easier for them to get access to sensitive information.

“You could have cyberattacks, a ransomware attack, any attack that you read about in the news,” Oprea said.

The MBTA announced in May that what it calls AFC 2.0 — the new automated fare-collection system it says will be more efficient for riders and allow for more flexibility for the T — will be put on hold for an indeterminate amount of time as the T and the new system’s vendor hash out some new issues. The system was expected to fully roll out by summer 2021.

Matt Casale, a transportation advocate for MassPIRG, told the Herald that he’s not surprised the MBTA continues to run on an outdated operating system, but that he believes it exemplifies that the T needs to move forward with AFC 2.0.

“It’s becoming increasingly clear that we need to modernize our public transportation system,” Casale said. “Whether it’s an example like this or an example like the Red Line derailment, this shows that we need to provide modern infrastructure and we are just not there yet.”

Pesaturo said T staff will provide an update on the transition to new fare collection equipment at next month’s board meeting.

MATT STONE PHOTOS / HERALD STAFF SOFTWARE BEWARE: A passenger checks his Charlie Card at a machine at the Government Center MBTA station on Friday. The ticket machines run Windows XP, which Microsoft stopped supporting several years ago.
FARE GAME: Passengers walk by a Charlie Card machine at the Braintree MBTA station on Thursday. The Windows XP operating system in use by the MBTA in the ticketing system has been described as vulnerable to cyberattacks.
