Agency sues to stop Defcon speakers from revealing gaping holes
Defcon A transit agency in New England has filed a federal lawsuit to stop three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping security holes in two of the agency's electronic payment systems.
The Massachusetts Bay Transit Authority (MBTA) also named MIT in the 17-page complaint, which seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requests a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.
The three speakers are Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, who on Sunday were scheduled to present research into both of the MBTA's automated payment systems. Although one method uses magnetic strip technology and the other radio frequency identification, the researchers say it's trivial to manipulate both cards to add hundreds of dollars in fare amounts.
"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states. "This in turn will harm the overall functioning of the MBTA's transit services."
Perhaps the MBTA hasn't heard of the Mifare Classic, the world's most popular RFID card, which just happens to be included in the CharlieCard. Last year researchers announced a way to crack the smartcard in a matter of minutes. The trio's research into the CharlieTicket is based on other weaknesses.
"It's pretty disappointing," Anderson told El Reg. "We initially called them to offer them our help in fixing these vulnerabilities. We have no intention of releasing details that would allow someone to replicate the attacks that can be done."
Representatives from the MBTA and MIT weren't available for comment.
The lawsuit, filed Friday in US District Court in Boston, capped a week of sometimes tense negotiations between MBTA officials, the students, and their instructor, MIT Professor Ronald Rivest (the R in the RSA cryptography algorithm). Earlier this week, a meeting at MIT was convened that included the students and their instructor, a MBTA official and a special agent from the FBI cyber crimes division.
"The MBTA official made clear the level of concern reached all the way up to the governor's office," Anderson said. "They wanted to know exactly what types of details we were revealing. They were pretty concerned about the tools" the students planned to release.
According to the complaint, the students refused to provide MBTA officials with the materials they planned to present at Defcon. The MBTA is the fifth biggest US transit agency with a ridership of about 1.4 million per day. Average weekday revenue is about $700,000.
The complaint takes issue with a presentation description that read in part: "Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a Mifare Classic smartcard used in many subways around the world, and we discuss physical security problems."
The description was later changed to remove the first line.
Anderson said the tools scheduled to be released helped streamline research into whether payment systems from other transit agencies were vulnerable to the same types of attacks. The students never planned to give tools or instructions showing how to add fares to the MBTA cards, he stressed.
This isn't the first time a powerful interest has sued to muzzle a Defcon speaker. In 2005 Cisco Systems took action against researcher Michael Lynn after he promised to demonstrate how to run a shellcode on a router without authorization. The two ultimately settled. NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.
I support the MIT Students!
I support the MIT students, and if there is a legal defense fund for them, I will contribute. Massachusetts Bay Transit Authority (MBTA) is an ostrich with their heads stuck up their asses. It is a state government organization being most likely union run and mafia-infected, so this approach of hiding the truth is a no surprise.
Look at their "About MBTA" (www.mbta.com) and access their financials. It states the following: "The documents contained in this section make "forward looking statements" by using forward-looking words such as "may", "will", "should", "expects", "believes", "anticipates", "estimates" or others. You are cautioned that forward-looking statements are subject to a variety of uncertainties that could cause actual results to differ from the projected results. Those risks and uncertainties include general economic and business conditions, receipt of funding grants, and various other factors that are beyond our control. Because we cannot predict all factors that may affect future decisions, actions, events, or financial circumstances, what actually happens may be different from what we include in forward-looking statements."
You think that means a forward-thing organization that wants to do things correctly? No. The only forward thing is covering their butts legally and intimidate through the courts.
"Don't see cartards directly paying for the use of the roads."
Umm, the Mass Turnpike? It's a *TOLL ROAD*. Where, the "cartards", ohh... you know... *directly pay for the use of the roads*. Wanker.
@Mark C. Ridership's a bad word, but it's used frequently in the US. Along with the horrible habit of big businesses telling us what they really think by referring to their customers as "consumers".
These guys should not be intimidated. They do have the right to free speech, they should fully disclose this security vulnerability. I recommend they don't comment "OK, now use it to get free rides!", but it's the transit authorities problem if they use insecure setups. These card vendors have had stronger cards all along, but "Oh no, they cost like $1.50 a card instead of $1" (versus the huge amounts of cash actually passing through these cards.)
Clearly, this will end in tears...
...for the MBTA (known locally simply as “the T”) anyway.
In light of the Mifare incident, there's a good argument that much of information they're likely to present is already public knowledge. Then there's that pesky first amendment to the US constitution - you know, the one that guarantees freedom of speech – that the T's lawyers will have to somehow argue their way around. They'll have to argue that security by obscurity trumps freedom of speech. However, that dog doesn't hunt unless that speech can create a situation that puts public safety at risk. The classic example of this is yelling 'fire!' in a crowded theatre or nightclub. I doubt that they can come anywhere near that standard here.
I wouldn't be too worried about MIT and it's undergrads here. The suit is *alll* about pin headed high level transit authority bureaucrats – who, not coincidentally, are appointed by the Governor in that state – trying to cover their collective backsides.
As for the T being any kind of a business, it's not. It's a state authority, created by an act of the legislature of the Commonwealth of Massachusetts, and is subsidized by state taxes, as well as by levies paid by the taxpayers of the cities and towns it serves. To my knowledge, its revenues have never exceeded its operating costs. Any “losses” they might incur from the dissemination of this type of information would simply be made up by Massachusetts' taxpayers - who will, quite reasonably, ask “WTF did you tw@ts implement a system with security holes big enough to drive a bus through!??” Or a close approximation of that, in tone and meaning.
As for you MIT students: polish up your resumes guys! The T will be letting a consultancy contract on this stuff very soon. People will be calling you waving money. Be sure to ask for an outrageous sum - you only get one chance per contract - and you don't want the regret of having asked for too little.
This should be fun to watch.