Feeds

Federal judge halts Defcon talk on subway card hacking

Barn door closed a little too late

Internet Security Threat Report 2014

Defcon A federal judge on Saturday gagged three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping holes in the electronic payment systems of one of the nation's biggest transit agencies.

US District Judge Douglas P. Woodlock issued the order at the request of the Massachusetts Bay Transit Authority, which sued the three students and MIT on Friday. It forbids Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, from "providing program, information, software code or command that would assist another in any material way to circumvent or otherwise attack the the security" of the MBTA's fare system.

Attorneys for the Electronic Frontier Foundation, which are representing the trio, said they directed the students to pull the talk, which had been scheduled for Sunday. They said the order constituted an "illegal prior restraint" on their clients' free-speech rights.

"It's a very dangerous precedent," EFF staff attorney Marcia Hofmann told reporters at the Defcon hacking conference in Las Vegas. "Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law. As far as I know, this is completely unprecedented and it has a tremendous chilling effect on sharing this sort of research."

Ironically, a plethora of details around their hack is already out there. Attorneys for the MBTA attached a detailed white paper (PDF) to one of their pleadings. What's more, a PDF containing slides of the talk was part of a CD distributed to all 7,000 to 8,000 people attending the conference. (The slides are also online here (PDF).)

The research delved deep into both of the MBTA's automated payment systems. Although one method uses magnetic strip technology and the other radio frequency identification, the researchers say it's trivial to manipulate both cards to add hundreds of dollars in fare amounts.

"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states. "This in turn will harm the overall functioning of the MBTA's transit services."

Perhaps the MBTA hasn't heard of the Mifare Classic, the world's most popular RFID card, which just happens to be included in the CharlieCard. Last year researchers announced a way to crack the smartcard in a matter of minutes. The trio's research into the CharlieTicket is based on other weaknesses.

An MIT spokeswoman declined to comment to The Tech, an MIT student newspaper. Representatives from the MBTA weren't available for comment.

The lawsuit, filed Friday in US District Court in Boston, capped a week of sometimes tense negotiations between MBTA officials, the students, and their instructor, MIT Professor Ronald Rivest (the R in the RSA cryptography algorithm). On Monday, a meeting at MIT was convened that included the students and their instructor, an MBTA official and a special agent from the Boston field office of the FBI's cyber crimes division.

"The MBTA official made clear the level of concern reached all the way up to the governor's office," Anderson told El Reg earlier this week. "They wanted to know exactly what types of details we were revealing. They were pretty concerned about the tools" the students planned to release.

The 17-page complaint seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requested a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.

According to the complaint, the students refused to provide MBTA officials with the materials they planned to present at Defcon. During a press conference, the students said MBTA officials weren't contacted about their planned talk until July 30 or 31. Based on discussions at Monday's meeting, the students believed the controversy had been resolved. They didn't find out about the lawsuit until Friday, after it was filed, they said.

The complaint takes issue with a presentation description on Defcon's website that read in part: "Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a Mifare Classic smartcard used in many subways around the world, and we discuss physical security problems."

The description was later changed to remove the first line.

Anderson said the tools scheduled to be released helped streamline research into whether payment systems from other transit agencies were vulnerable to the same types of attacks. The students never planned to give tools or instructions showing how to add fares to the MBTA cards, he stressed.

Some of the presentation materials suggest the speakers planned to go beyond that limited scope. Slides included with the Defcon CD said the talk promised attendees would learn how to "generate stored-value fare cards," "reverse engineer magstripes," and "tap into the fare vending network."

Kurt Opsahl, a senior staff attorney for EFF, denied the students ever planned to provide detailed instructions for hacking the cards.

"Please understand that rhetoric aside, the intention was to provide an interesting and useful talk but not one that would enable people to defraud the Massachusetts Bay Transit system," he said.

This isn't the first time a powerful interest has sued to muzzle a Defcon speaker. In 2005 Cisco Systems took legal action against researcher Michael Lynn after he promised to demonstrate how to run a shellcode on a router without authorization. The two ultimately settled. NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.

Opsahl said the EFF planned to appeal the decision, even though a ruling will not be issued in time to save the canceled talk. He said the judge reached a very, very wrong conclusion when using the Computer Fraud and Abuse Act as grounds for canceling the talk.

"The statute on its face appears to be discussing sending code, programs or similar types of information to a computer," Opsahl said. "It does not appear to contemplate somebody who's giving a talk to humans. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.