[Infowarrior] - Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability

Richard Forno rforno at infowarrior.org
Sat Aug 9 14:57:03 UTC 2008


(Here we go again....cluelessness + Streisand effect, indeed. --rf)

Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability
By Kim Zetter | August 08, 2008 | 2:45:00 AM | Categories: DefCon

http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html

LAS VEGAS -- The Massachusetts Bay Transportation Authority filed a  
suit in federal court on Friday seeking a temporary restraining order  
to prevent three undergraduate students from the Massachusetts  
Institute of Technology from presenting a talk at the DefCon hacker  
conference this weekend about security vulnerabilities in payment  
systems used in the Massachusetts mass transit system.

The transit authority, known as the MBTA, is seeking to prevent the  
students from "publicly stating or indicating" that electronic  
passenger tickets used on the transit system have been compromised  
until the MBTA can fix security flaws in the system. It further seeks  
to bar the students from releasing any tools or providing any  
information that would allow someone to hack the transit system and  
obtain free rides.

The MBTA says disclosure of the flaws, before it has a chance to fix  
them, will cause irreparable harm to the transit system.

The three student researchers, Zack Anderson, R.J. Ryan and Alessandro  
Chiesa, are scheduled to give a talk Sunday afternoon entitled "The  
Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of  
Ticketing Systems."

According to a description of the talk posted on the conference web  
site, the students plan to discuss vulnerabilities in the fare  
collection system of Boston's T subway system and to demonstrate how  
they reverse engineered the mag stripe on paper passenger tickets  
known as the CharlieTicket as well as how they cracked the smartcard  
tickets known as the CharlieCard. They also plan to release several  
open source tools that they created in the course of their transit  
card research.

The MBTA, which oversees the T subway, operates the fifth largest  
transit system in the United States, servicing 175 towns and cities.  
It uses both the CharlieTicket and the CharlieCard in its passenger  
payment system. The CharlieCard, which was first used in January 2007,  
provides the MBTA with nearly $500,000 in revenue per weekday,  
according to the court documents. More than 68 percent of passengers  
use it to pay their fare.

The CharlieCard is a MiFare Classic card, which was the subject of  
much controversy earlier this year after Dutch researchers showed how  
they were able to hack the cards. But the MBTA says in the court  
papers that it has substantially enhanced the security of its MiFare  
cards with proprietary encryption, making previously reported flaws  
with the MiFare Classic card irrelevant to the CharlieCard.

The MBTA filed its suit in the U.S. District Court in Massachusetts  
against the three students and their university, stating that the  
students violated the Computer Crime and Fraud Act in accessing  
protected MBTA computers without authorization to conduct their  
research. The MBTA also asserts that MIT and the students' supervisor,  
computer science professor Ron Rivest, failed to properly supervise  
the students to prevent them from attacking and harming the transit  
system.

The MBTA first became aware of the researchers' talk on July 30 when  
one of its vendors pointed it to the DefCon web site where the talk  
was listed on the conference schedule. A description of the talk began  
with the provocative line, "Want free subway rides for life?" and  
discussed how the researchers social engineered transit employees to  
accomplish their hack of the transit cards.

On August 5th, the court documents reveal, a detective with the  
transit police and an FBI agent met with the MIT students, Rivest, and  
an MIT lawyer to discuss their concerns and inquire about what the  
students would disclose in their talk. But the students would not  
provide the MBTA with a copy of the materials they planned to present  
in their talk or information about the security flaws they found in  
the transit system.

After that meeting, however, the MBTA says the description of the talk  
on the conference web site was altered to delete the reference to  
"free subway rides for life" and alter the comment about social  
engineering transit employees. (The image below right, taken from the  
court document, shows changes made to the description of the talk.  
Text with a line through it indicates deletions; underlined words  
indicate additions. The original description still appears in the  
printed version of the schedule that is being handed out to conference  
attendees.)

The MBTA asserted in the court filing that it sought the restraining  
order on Friday after again requesting, and failing to receive from  
the students, a copy of their presentation materials.

Efforts to reach the three students and the MBTA for comment were  
unsuccessful.

A spokeswoman for the DefCon conference said she was aware that the  
MBTA had met with the students to discuss the talk but thought the  
meeting had satisfied the MBTA's concerns. She was not aware that the  
MBTA had gone to court to halt the talk.
