August 11, 2008
Students Banned From Exposing Subway Hack
A federal judge issued a temporary restraining order to three MIT students forbidding them to give a presentation of security flaws in the automated fare system used by Boston's subway at a computer hackers' conference on Sunday.
MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa were ordered by a U.S. district judge in Massachusetts not to give their demonstration at the Defcon conference in Las Vegas.
The students' activity was highlighted by the Massachusetts Bay Transportation Authority after it filed a complaint on Friday stating that the students offered to show others how to use the hacks before giving the transit system a chance to fix the flaws.
Jennifer Granick, civil liberties director of the Electronic Frontier Foundation, said the group plans to fight the order.
Granick claims that the MIT students were trying to share their research and planned to omit key information that would make things easier for anyone who actually wanted to hack the payment system.
The 87-slide presentation circulated on the Internet showed photographs of unlocked doors, turnstile control boxes and exposed computer monitors at subway stations.
One slide explains that the presentation would teach attendees how to generate fare cards, reverse engineer magnetic stripes on cards and hack radio frequency identification (RFID) cards.
The next slide says: "And this is very illegal! So the following material is for educational use only."
The presentation was distributed to conference attendees on CDs on Thursday, before the conference officially began and the transit system filed suit.
Gary Foster, chief technology officer for the transit system, said the students' presentation would "inflict significant damage" if the Massachusetts Bay Transportation Authority did not have a chance to correct the flaws.
"It is extremely important to maintain the security and integrity of the Fare Media systems," Foster said in a court declaration. "With an insecure, compromised system, even basic revenue controls, to name one example, become significantly challenging."
Granick said ordering the students to not share their findings would be "dangerous," and have a chilling effect on legitimate researchers who want to point out flaws that lead to system improvements.
"If you prevent legitimate researchers from talking about their findings, it's not going to stop people from finding vulnerabilities. It's going to stop the good guys from talking about them and from learning from each other," Granick said. "The bad guys are still going to be looking for the vulnerabilities and still be finding them."
Image Caption: Fare gates and CharlieCard ticket machine at the MBTA World Trade Center Silver Line station in Boston. Courtesy Wikipedia
On the Net:
- Massachusetts Bay Transportation Authority
- Defcon conference
- Massachusetts Institute of Technology
- Electronic Frontier Foundation