Feeds

Agency sues to stop Defcon speakers from revealing gaping holes

Sorry, Charlie

Using blade systems to cut costs and sharpen efficiencies

Defcon A transit agency in New England has filed a federal lawsuit to stop three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping security holes in two of the agency's electronic payment systems.

The Massachusetts Bay Transit Authority (MBTA) also named MIT in the 17-page complaint, which seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requests a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.

The three speakers are Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, who on Sunday were scheduled to present research into both of the MBTA's automated payment systems. Although one method uses magnetic strip technology and the other radio frequency identification, the researchers say it's trivial to manipulate both cards to add hundreds of dollars in fare amounts.

"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states. "This in turn will harm the overall functioning of the MBTA's transit services."

Perhaps the MBTA hasn't heard of the Mifare Classic, the world's most popular RFID card, which just happens to be included in the CharlieCard. Last year researchers announced a way to crack the smartcard in a matter of minutes. The trio's research into the CharlieTicket is based on other weaknesses.

"It's pretty disappointing," Anderson told El Reg. "We initially called them to offer them our help in fixing these vulnerabilities. We have no intention of releasing details that would allow someone to replicate the attacks that can be done."

Representatives from the MBTA and MIT weren't available for comment.

The lawsuit, filed Friday in US District Court in Boston, capped a week of sometimes tense negotiations between MBTA officials, the students, and their instructor, MIT Professor Ronald Rivest (the R in the RSA cryptography algorithm). Earlier this week, a meeting at MIT was convened that included the students and their instructor, a MBTA official and a special agent from the FBI cyber crimes division.

"The MBTA official made clear the level of concern reached all the way up to the governor's office," Anderson said. "They wanted to know exactly what types of details we were revealing. They were pretty concerned about the tools" the students planned to release.

According to the complaint, the students refused to provide MBTA officials with the materials they planned to present at Defcon. The MBTA is the fifth biggest US transit agency with a ridership of about 1.4 million per day. Average weekday revenue is about $700,000.

The complaint takes issue with a presentation description that read in part: "Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a Mifare Classic smartcard used in many subways around the world, and we discuss physical security problems."

The description was later changed to remove the first line.

Anderson said the tools scheduled to be released helped streamline research into whether payment systems from other transit agencies were vulnerable to the same types of attacks. The students never planned to give tools or instructions showing how to add fares to the MBTA cards, he stressed.

This isn't the first time a powerful interest has sued to muzzle a Defcon speaker. In 2005 Cisco Systems took action against researcher Michael Lynn after he promised to demonstrate how to run a shellcode on a router without authorization. The two ultimately settled. NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.