Federal judge halts Defcon talk on subway card hacking
Barn door closed a little too late
Defcon A federal judge on Saturday gagged three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping holes in the electronic payment systems of one of the nation's biggest transit agencies.
US District Judge Douglas P. Woodlock issued the order at the request of the Massachusetts Bay Transit Authority, which sued the three students and MIT on Friday. It forbids Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, from "providing program, information, software code or command that would assist another in any material way to circumvent or otherwise attack the the security" of the MBTA's fare system.
Attorneys for the Electronic Frontier Foundation, which are representing the trio, said they directed the students to pull the talk, which had been scheduled for Sunday. They said the order constituted an "illegal prior restraint" on their clients' free-speech rights.
"It's a very dangerous precedent," EFF staff attorney Marcia Hofmann told reporters at the Defcon hacking conference in Las Vegas. "Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law. As far as I know, this is completely unprecedented and it has a tremendous chilling effect on sharing this sort of research."
Ironically, a plethora of details around their hack is already out there. Attorneys for the MBTA attached a detailed white paper (PDF) to one of their pleadings. What's more, a PDF containing slides of the talk was part of a CD distributed to all 7,000 to 8,000 people attending the conference. (The slides are also online here (PDF).)
The research delved deep into both of the MBTA's automated payment systems. Although one method uses magnetic strip technology and the other radio frequency identification, the researchers say it's trivial to manipulate both cards to add hundreds of dollars in fare amounts.
"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states. "This in turn will harm the overall functioning of the MBTA's transit services."
Perhaps the MBTA hasn't heard of the Mifare Classic, the world's most popular RFID card, which just happens to be included in the CharlieCard. Last year researchers announced a way to crack the smartcard in a matter of minutes. The trio's research into the CharlieTicket is based on other weaknesses.
An MIT spokeswoman declined to comment to The Tech, an MIT student newspaper. Representatives from the MBTA weren't available for comment.
The lawsuit, filed Friday in US District Court in Boston, capped a week of sometimes tense negotiations between MBTA officials, the students, and their instructor, MIT Professor Ronald Rivest (the R in the RSA cryptography algorithm). On Monday, a meeting at MIT was convened that included the students and their instructor, an MBTA official and a special agent from the Boston field office of the FBI's cyber crimes division.
"The MBTA official made clear the level of concern reached all the way up to the governor's office," Anderson told El Reg earlier this week. "They wanted to know exactly what types of details we were revealing. They were pretty concerned about the tools" the students planned to release.
The 17-page complaint seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requested a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.
According to the complaint, the students refused to provide MBTA officials with the materials they planned to present at Defcon. During a press conference, the students said MBTA officials weren't contacted about their planned talk until July 30 or 31. Based on discussions at Monday's meeting, the students believed the controversy had been resolved. They didn't find out about the lawsuit until Friday, after it was filed, they said.
The complaint takes issue with a presentation description on Defcon's website that read in part: "Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a Mifare Classic smartcard used in many subways around the world, and we discuss physical security problems."
The description was later changed to remove the first line.
Anderson said the tools scheduled to be released helped streamline research into whether payment systems from other transit agencies were vulnerable to the same types of attacks. The students never planned to give tools or instructions showing how to add fares to the MBTA cards, he stressed.
Some of the presentation materials suggest the speakers planned to go beyond that limited scope. Slides included with the Defcon CD said the talk promised attendees would learn how to "generate stored-value fare cards," "reverse engineer magstripes," and "tap into the fare vending network."
Kurt Opsahl, a senior staff attorney for EFF, denied the students ever planned to provide detailed instructions for hacking the cards.
"Please understand that rhetoric aside, the intention was to provide an interesting and useful talk but not one that would enable people to defraud the Massachusetts Bay Transit system," he said.
This isn't the first time a powerful interest has sued to muzzle a Defcon speaker. In 2005 Cisco Systems took legal action against researcher Michael Lynn after he promised to demonstrate how to run a shellcode on a router without authorization. The two ultimately settled. NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.
Opsahl said the EFF planned to appeal the decision, even though a ruling will not be issued in time to save the canceled talk. He said the judge reached a very, very wrong conclusion when using the Computer Fraud and Abuse Act as grounds for canceling the talk.
"The statute on its face appears to be discussing sending code, programs or similar types of information to a computer," Opsahl said. "It does not appear to contemplate somebody who's giving a talk to humans. ®