Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability
From: David Farber <dave () farber net>
Date: Sat, 9 Aug 2008 11:07:38 -0400

Yes, here we go again. I hope MIT does not cave. -- djf

Begin forwarded message:

From: Richard Forno <rforno () infowarrior org>
Date: August 9, 2008 10:57:03 AM EDT
To: Undisclosed-recipients: <>;
Cc: Dave Farber <dave () farber net>
Subject: Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability

(Here we go again... cluelessness + Streisand effect, indeed. --rf)

Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability
By Kim Zetter | August 08, 2008 | 2:45:00 AM | Categories: DefCon

LAS VEGAS -- The Massachusetts Bay Transportation Authority filed a suit in federal court on Friday seeking a temporary restraining order to prevent three undergraduate students from the Massachusetts Institute of Technology from presenting a talk at the DefCon hacker conference this weekend about security vulnerabilities in payment systems used in the Massachusetts mass transit system.

The transit authority, known as the MBTA, is seeking to prevent the students from "publicly stating or indicating" that electronic passenger tickets used on the transit system have been compromised until the MBTA can fix security flaws in the system. It further seeks to bar the students from releasing any tools or providing any information that would allow someone to hack the transit system and obtain free rides.

The MBTA says disclosure of the flaws, before it has a chance to fix them, will cause irreparable harm to the transit system.

The three student researchers, Zack Anderson, R.J. Ryan and Alessandro Chiesa, are scheduled to give a talk Sunday afternoon entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems."

According to a description of the talk posted on the conference web site, the students plan to discuss vulnerabilities in the fare collection system of Boston's T subway system and to demonstrate how they reverse engineered the mag stripe on paper passenger tickets known as the CharlieTicket as well as how they cracked the smartcard tickets known as the CharlieCard. They also plan to release several open source tools that they created in the course of their transit card research.

The MBTA, which oversees the T subway, operates the fifth largest transit system in the United States, servicing 175 towns and cities. It uses both the CharlieTicket and the CharlieCard in its passenger payment system. The CharlieCard, which was first used in January 2007, provides the MBTA with nearly $500,000 in revenue per weekday, according to the court documents. More than 68 percent of passengers use it to pay their fare.

The CharlieCard is a MiFare Classic card, which was the subject of much controversy earlier this year after Dutch researchers showed how they were able to hack the cards. But the MBTA says in the court papers that it has substantially enhanced the security of its MiFare cards with proprietary encryption, making previously reported flaws with the MiFare Classic card irrelevant to the CharlieCard.

The MBTA filed its suit in the U.S. District Court in Massachusetts against the three students and their university, stating that the students violated the Computer Crime and Fraud Act in accessing protected MBTA computers without authorization to conduct their research. The MBTA also asserts that MIT and the students' supervisor, computer science professor Ron Rivest, failed to properly supervise the students to prevent them from attacking and harming the transit system.

The MBTA first became aware of the researchers' talk on July 30 when one of its vendors pointed it to the DefCon web site where the talk was listed on the conference schedule. A description of the talk began with the provocative line, "Want free subway rides for life?" and discussed how the researchers social engineered transit employees to accomplish their hack of the transit cards.

On August 5th, the court documents reveal, a detective with the transit police and an FBI agent met with the MIT students, Rivest, and an MIT lawyer to discuss their concerns and inquire about what the students would disclose in their talk. But the students would not provide the MBTA with a copy of the materials they planned to present in their talk or information about the security flaws they found in the transit system.

After that meeting, however, the MBTA says the description of the talk on the conference web site was altered to delete the reference to "free subway rides for life" and alter the comment about social engineering transit employees. (The image below right, taken from the court document, shows changes made to the description of the talk. Text with a line through it indicates deletions; underlined words indicate additions. The original description still appears in the printed version of the schedule that is being handed out to conference attendees.)

The MBTA asserted in the court filing that it sought the restraining order on Friday after again requesting, and failing to receive from the students, a copy of their presentation materials.

Efforts to reach the three students and the MBTA for comment were unsuccessful.

A spokeswoman for the DefCon conference said she was aware that the MBTA had met with the students to discuss the talk but thought the meeting had satisfied the MBTA's concerns. She was not aware that the MBTA had gone to court to halt the talk.
