Feeds

Federal judge halts Defcon talk on subway card hacking

Barn door closed a little too late

High performance access to file storage

Defcon A federal judge on Saturday gagged three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping holes in the electronic payment systems of one of the nation's biggest transit agencies.

US District Judge Douglas P. Woodlock issued the order at the request of the Massachusetts Bay Transit Authority, which sued the three students and MIT on Friday. It forbids Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, from "providing program, information, software code or command that would assist another in any material way to circumvent or otherwise attack the the security" of the MBTA's fare system.

Attorneys for the Electronic Frontier Foundation, which are representing the trio, said they directed the students to pull the talk, which had been scheduled for Sunday. They said the order constituted an "illegal prior restraint" on their clients' free-speech rights.

"It's a very dangerous precedent," EFF staff attorney Marcia Hofmann told reporters at the Defcon hacking conference in Las Vegas. "Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law. As far as I know, this is completely unprecedented and it has a tremendous chilling effect on sharing this sort of research."

Ironically, a plethora of details around their hack is already out there. Attorneys for the MBTA attached a detailed white paper (PDF) to one of their pleadings. What's more, a PDF containing slides of the talk was part of a CD distributed to all 7,000 to 8,000 people attending the conference. (The slides are also online here (PDF).)

The research delved deep into both of the MBTA's automated payment systems. Although one method uses magnetic strip technology and the other radio frequency identification, the researchers say it's trivial to manipulate both cards to add hundreds of dollars in fare amounts.

"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states. "This in turn will harm the overall functioning of the MBTA's transit services."

Perhaps the MBTA hasn't heard of the Mifare Classic, the world's most popular RFID card, which just happens to be included in the CharlieCard. Last year researchers announced a way to crack the smartcard in a matter of minutes. The trio's research into the CharlieTicket is based on other weaknesses.

An MIT spokeswoman declined to comment to The Tech, an MIT student newspaper. Representatives from the MBTA weren't available for comment.

The lawsuit, filed Friday in US District Court in Boston, capped a week of sometimes tense negotiations between MBTA officials, the students, and their instructor, MIT Professor Ronald Rivest (the R in the RSA cryptography algorithm). On Monday, a meeting at MIT was convened that included the students and their instructor, an MBTA official and a special agent from the Boston field office of the FBI's cyber crimes division.

"The MBTA official made clear the level of concern reached all the way up to the governor's office," Anderson told El Reg earlier this week. "They wanted to know exactly what types of details we were revealing. They were pretty concerned about the tools" the students planned to release.

The 17-page complaint seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requested a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.

According to the complaint, the students refused to provide MBTA officials with the materials they planned to present at Defcon. During a press conference, the students said MBTA officials weren't contacted about their planned talk until July 30 or 31. Based on discussions at Monday's meeting, the students believed the controversy had been resolved. They didn't find out about the lawsuit until Friday, after it was filed, they said.

The complaint takes issue with a presentation description on Defcon's website that read in part: "Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a Mifare Classic smartcard used in many subways around the world, and we discuss physical security problems."

The description was later changed to remove the first line.

Anderson said the tools scheduled to be released helped streamline research into whether payment systems from other transit agencies were vulnerable to the same types of attacks. The students never planned to give tools or instructions showing how to add fares to the MBTA cards, he stressed.

Some of the presentation materials suggest the speakers planned to go beyond that limited scope. Slides included with the Defcon CD said the talk promised attendees would learn how to "generate stored-value fare cards," "reverse engineer magstripes," and "tap into the fare vending network."

Kurt Opsahl, a senior staff attorney for EFF, denied the students ever planned to provide detailed instructions for hacking the cards.

"Please understand that rhetoric aside, the intention was to provide an interesting and useful talk but not one that would enable people to defraud the Massachusetts Bay Transit system," he said.

This isn't the first time a powerful interest has sued to muzzle a Defcon speaker. In 2005 Cisco Systems took legal action against researcher Michael Lynn after he promised to demonstrate how to run a shellcode on a router without authorization. The two ultimately settled. NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.

Opsahl said the EFF planned to appeal the decision, even though a ruling will not be issued in time to save the canceled talk. He said the judge reached a very, very wrong conclusion when using the Computer Fraud and Abuse Act as grounds for canceling the talk.

"The statute on its face appears to be discussing sending code, programs or similar types of information to a computer," Opsahl said. "It does not appear to contemplate somebody who's giving a talk to humans. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.