Defcon A transit agency in New England has filed a federal lawsuit to stop three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping security holes in two of the agency's electronic payment systems.
The Massachusetts Bay Transit Authority (MBTA) also named MIT in the 17-page complaint, which seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requests a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.
The three speakers are Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, who on Sunday were scheduled to present research into both of the MBTA's automated payment systems. Although one method uses magnetic strip technology and the other radio frequency identification, the researchers say it's trivial to manipulate both cards to add hundreds of dollars in fare amounts.
"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states. "This in turn will harm the overall functioning of the MBTA's transit services."
Perhaps the MBTA hasn't heard of the Mifare Classic, the world's most popular RFID card, which just happens to be included in the CharlieCard. Last year researchers announced a way to crack the smartcard in a matter of minutes. The trio's research into the CharlieTicket is based on other weaknesses.
"It's pretty disappointing," Anderson told El Reg. "We initially called them to offer them our help in fixing these vulnerabilities. We have no intention of releasing details that would allow someone to replicate the attacks that can be done."
Representatives from the MBTA and MIT weren't available for comment.
The lawsuit, filed Friday in US District Court in Boston, capped a week of sometimes tense negotiations between MBTA officials, the students, and their instructor, MIT Professor Ronald Rivest (the R in the RSA cryptography algorithm). Earlier this week, a meeting at MIT was convened that included the students and their instructor, a MBTA official and a special agent from the FBI cyber crimes division.
"The MBTA official made clear the level of concern reached all the way up to the governor's office," Anderson said. "They wanted to know exactly what types of details we were revealing. They were pretty concerned about the tools" the students planned to release.
According to the complaint, the students refused to provide MBTA officials with the materials they planned to present at Defcon. The MBTA is the fifth biggest US transit agency with a ridership of about 1.4 million per day. Average weekday revenue is about $700,000.
The complaint takes issue with a presentation description that read in part: "Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a Mifare Classic smartcard used in many subways around the world, and we discuss physical security problems."
The description was later changed to remove the first line.
Anderson said the tools scheduled to be released helped streamline research into whether payment systems from other transit agencies were vulnerable to the same types of attacks. The students never planned to give tools or instructions showing how to add fares to the MBTA cards, he stressed.
This isn't the first time a powerful interest has sued to muzzle a Defcon speaker. In 2005 Cisco Systems took action against researcher Michael Lynn after he promised to demonstrate how to run a shellcode on a router without authorization. The two ultimately settled. NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.
Sponsored: Webcast: Ransomware has gone nuclear