[Infowarrior] - Interview with MIT Subway Hacker Zack Anderson

Richard Forno rforno at infowarrior.org
Fri Aug 22 14:12:41 UTC 2008


Exclusive Interview with MIT Subway Hacker Zack Anderson
By Chris Ladd
Published on: August 21, 2008

http://www.popularmechanics.com/technology/industry/4278892.html

It's rare that a hacker convention makes national news, but three MIT  
students caused a whole lot of controversy when they planned a  
presentation about security holes in Boston's subway system for DefCon  
in Las Vegas earlier this month. They were forced to cancel the talk  
at the last minute by a 10-day federal restraining order, requested by  
Boston's Massachusetts Bay Transit Authority (MBTA). On Tuesday, a  
judge denied motions by the MBTA to issue a preliminary injunction  
aimed at keeping the students quiet for a further five months. Now, in  
his most extensive interview to date, MIT subway hacker Zack Anderson  
talks with PM about what's wrong with the Charlie Card, what happened  
at DefCon, and what it's like to tango with the FBI and the MBTA.

Popular Mechanics: All this started as a class project at MIT—is that  
right?
Zack Anderson: For Computer Network Security class, and it was  
basically the final project.

We wanted to look at some system which might have some  
vulnerabilities, figure out what they were, and how some of those  
problems could be fixed if they existed. So we thought about fare  
collection systems for the subway, and we looked at the MBTA. It's  
local, so we could take a pretty extensive analysis.

What did you find?
We found quite a few things. Some significant physical security  
problems were present—not technology related, just things that are  
very easily overlooked. People could hit a button in an open box and  
all the turnstiles would open. I mean, why resort to some high-tech  
hack when you could just hit a button?

We also looked at the Charlie Ticket, which is a magnetic card.  
Actually, the MIT Tech [the university's daily newspaper] has a good  
article that basically went over everything that was made public—some  
of which came out through MBTA filings, not through anything we  
released.

But the Charlie Ticket is [vulnerable to] cloning and forgery attacks.  
The cloning attack means that you can, say, take a $5 card and make  
two $5 cards. The forgery attack means you change the data on the  
cards to actually represent a new value. Both attacks are possible.

What about the RFID Charlie Card?
Yes, the Charlie Card is an RFID [radio-frequency identification] card  
which has weak encryption. And because of that weak encryption, there  
are ways to recover the key on the card, and the key allows you to  
read from and write to the card.

So you could walk through a subway station without contact and kind of  
rub your briefcase with a little antenna in it against someone's  
pocket and grab their card's key. And then you could use that until  
it's depleted or deactivated or whatnot. That's always the danger with  
RFID cards—you don't even need contact to read it.

So you wrote your report and gave your final presentation at MIT. How  
was it received?
It was very well received. People were pretty impressed and surprised  
that these vulnerabilities existed. This was toward the end of class.  
It might have been the very last day.

And you immediately start thinking about DefCon?
We'd been to DefCon before, and thought it would be pretty interesting  
to give a talk. And we thought it was very applicable—there's a lot of  
subway systems, a lot of them might be suffering from the same  
vulnerabilities, and it's really an important issue that needed to be  
addressed. And we thought DefCon would be an interesting venue.

So DefCon accepts your application, you start booking plane tickets  
and hotel rooms. What happens next?
A bit of time passed and around mid-July we e-mailed our professor,  
Ron Rivest, and asked if he could contact MBTA for us and tell them  
that we did this security analysis, this is what we found, and here's  
some ways to fix each of the problems. And also, you know, tell them  
we're giving this talk at DefCon, this is what we're going to discuss  
and also, this is a key point, that we were going to be withholding a  
few key details. We were not going to go over the full process to  
replicate the system, so people would not be able to replicate these  
attacks.

What was the reaction?
When Ron Rivest got back to us, he said, "You know, we have a serious  
problem." And we asked him what happened, and he said "The MBTA does  
not want to talk to me. They already know about the talk, and they  
said the FBI has been involved."

When you hear "FBI," that's got to be a bit chilling.
I couldn't believe it. I was like, "What have we done? The FBI? Why?"  
We were completely surprised. So we said, you know, we need to resolve  
this quickly. We need to call them back and set up a meeting to make  
sure there's trust here, to make sure they see what we've done, to  
make sure they see what we're planning on presenting so they have  
peace of mind. And also, our initial point was that MBTA needs to fix  
some of these problems, because they do exist.

You set up a meeting with the MBTA, I understand.
That's right. So at that meeting what was planned was an MBTA official  
to be present there, and we were going to have it at MIT's campus. So  
in walks someone from the MBTA [a detective], and behind him was a  
special agent from the FBI.

It was like, "This is a bit more serious." Because, you know, the MBTA  
told us "The FBI is investigating," but we didn't know how truthful  
that was. Certainly we thought there was some truth, like they'd  
contacted the FBI, but submitting some Web form is different from a  
full-on investigation.

Having the FBI agent there made it more real. But after about a  
minute, I calmed down and realized that we needed to just show them  
that this is not a big deal, this is not a problem. There's no reason  
for the FBI to be concerned here. There's no reason for the MBTA to be  
concerned. Let's just lay out what it is we're doing, and what we  
found, and clear things up.

How did the meeting end?
It ended on a very good note. [The MBTA detective] said that he didn't  
see any reason why we shouldn't proceed with the talk. He said he  
would e-mail his supervisor and tell him that he met with us, and  
things are fine, and there's no problem. The FBI agent said,  
basically, this is not going to be an investigation. We don't have  
anything here. Don't worry about it.

So we told them we'd provide them a vulnerability report, going over  
what we found, and also methods that could fix these problems, and  
they said we could get that to them within two weeks. We had actually  
planned on getting it to them within the week, before business hours  
ended on Friday, so they'd have this in their hands before we gave the  
talk. We felt this was a courtesy we should give them.

This report was not going over what we were speaking about at DefCon,  
that wasn't the point. Some other people at MBTA have claimed that it  
was, but the point of the report was to go over the vulnerabilities,  
and go over ways that they could fix them. That's what we provided  
them, and we got it to them that Friday.

So at the end of the week you get on a plane and fly to Las Vegas and  
go to DefCon?
Yes. Friday was the first day of the conference and we went to a talk  
in the morning and we were having lunch when I got a call from an  
attorney from MIT, saying that the MBTA is in court right now and  
they're suing us and MIT. They're filing a lawsuit right now,  
basically, and nobody's in court for us—just MBTA lawyers—and we don't  
fully know what's going on.

What did you do?
I don't remember exactly what happened in the rest of the  
conversation. I think it was just trying to figure out any  
information, what [MIT counsel] knew. I think he recommended at that  
point that, guys, we really need to get legal counsel.

We went to the booth of the Electronic Frontier Foundation (EFF), and  
it was a little more hectic than, "Let's sit down." It was a little  
more like "Oh, God!" But yeah, all day Friday was really trying to get  
information about what was happening. We were communicating with the  
MBTA, their legal counsel. We got the paperwork from the federal docket.

Did they hire someone back in Boston right away?
They tried, but this was Friday and there was an emergency hearing  
scheduled for the next morning. So we were desperately trying to find  
someone in Boston that could help us, but in that time frame we  
weren't able to.

Did you have additional contact with the MBTA?
There was a little bit of contact. There was kind of a back-and-forth.  
I'd called some of the attorneys from the MBTA. I briefly spoke with  
kind of their only technical guy, who runs security on the fare  
systems. And at that point, we tried the best we could to show them  
that this is kind of out of line, and it's probably going to be  
counterproductive. Because if there's one thing that people at DefCon  
don't like, it's a squelched talk. What they were hoping for was to  
not make this a big deal, and for us not to reveal details that would  
allow people to defraud the system, the latter of which we'd always  
maintained that we were not going to do.

Saturday is the hearing. We were up all night preparing and we made a  
telephonic appearance in Boston court on Saturday morning. We didn't  
have anybody representing us in court, just on the phone, and MIT was  
present as well.

At the end, the judge basically ruled in favor of MBTA and their  
motion, which was a temporary restraining order which basically  
blocked us from talking about anything that could possibly assist in  
any way someone circumventing the fare collection system. It became  
obvious that we had to cancel the talk. Then, it just really exploded  
from a media perspective. We answered what we could. But, the talk was  
clearly over. There was no way to appeal the decision in that time  
frame. It was not possible, really. The problem was that they filed  
their paperwork in the last few minutes the court was open on Friday.  
We had this ruling when the courts were closed.

At this point there's nothing you can do until Monday morning.
We had been going on for 30-plus hours without sleep, and the fact was  
that it was kind of over. While we were very disappointed, it was a  
little bit ... it gave us a chance to breathe and sleep and stuff.

And you guys basically turned into DefCon celebrities.
It was definitely a pretty big issue. A lot of people were talking  
about it. A lot of people were coming up to us and were interested,  
but we really couldn't talk about much to anyone.

And the media takes a much larger interest as well, I'm sure.
There was a lot of disinformation, and really we saw that Monday when  
some of the national newspapers and stuff picked it up. There was a  
lot of misinformation that the MBTA was claiming about the content of  
the talk, saying that we were going to allow people free subway rides  
for life. If you look at, if any technical person looks at the slides,  
they'll understand that there isn't enough information to do that.

So I just tried to clear it up. I guess when people see the word  
"hacker," it has a nefarious stigma to the general public, which is  
unfortunate because a lot of people consider themselves hackers when  
the average person would never say "That's a hacker." Most people hear  
hacker and they think it's some horrible person breaking into the  
system and causing havoc and damage.

So Sunday rolls around and the conference is over.
On Sunday, after Vegas was behind me, I kind of felt like "Oh my God,  
what happened this week?" because it was pretty shocking. My first  
weekend in Vegas after turning 21. Who would've thought that this was  
going to be the excitement? A federal lawsuit?

Then, Tuesday was the really big court hearing where some of my  
attorneys flew out to Boston, a couple local attorneys were there, and  
the rest of us listened in on the telephone. It was probably about an  
hour and a half long, both sides presented their case, and at the end  
the judge spoke about how he saw the law, how he interpreted the case,  
and kind of went over the conflicting interests. So for the first 10  
minutes he was kind of not really siding with one side, showing both  
sides. And then it started to get exciting when he started saying how  
the MBTA didn't really have a claim under the Computer Fraud and Abuse  
Act for several reasons. There are several things that need to be met  
under the act and multiple of them did not apply in this case.

What was your reaction?
I actually muted the phone during the entire hearing, just in case  
there was any sound that I didn't want to blast through the courtroom.  
But, yeah, it was pretty exciting listening in as the judge started to  
slant our way. And in the end, when he both lifted the TRO [temporary  
restraining order] and lifted the previous judge's order, and he threw  
out the MBTA's motion for a preliminary injunction that would last  
five months, it was really relieving. It was really satisfying that  
the court interpreted the law correctly.

What happens next? There's still a lawsuit from the MBTA, right?
Probably the next thing is, hopefully at this point we'll be able to  
settle this and make it go away. If not, we're going to have to file a  
motion to dismiss the case, but I think, and I definitely hope, that  
things are kind of over now. We didn't give the talk, which was I  
think a primary aim that they had. That was effective on their part.

And, you know, we still maintain that we never planned on releasing  
all of the details. Even though now we're allowed to, we're still not  
going to.

What do you think the legal implications of the case will be in the  
future?
I think that's a question best posed to the EFF, but definitely this  
was one of the first cases where the Computer Fraud and Abuse Act was  
tested in such a way that the MBTA tried to apply it to speech, and the  
judge threw it out. So there was some uncharted territory that was  
tested here. Certainly if the court had ruled the other way, that  
would have set a very problematic precedent for the security research  
community in general.

You're heading back to MIT soon. You guys are going to be something  
like celebrities on campus.
One blog called us "veritable hacking heroes." I don't know if it's  
justified to be "heroes" or something. Again, I feel this turned into  
this huge production when really, it wasn't a huge issue to start  
with. To be a hero, you need to have done something absolutely amazing  
on its own merits.

I think we did a very thorough security research project, and the  
presentation that we were going to give and the work was very good. We  
stood up there and we got through this, but I think that really, the  
true heroes in this case are our lawyers because they're the ones that  
fought this case, and they're the ones that won at least this first  
motion to throw out the restraining order and throw out the  
preliminary injunction. If anyone's a hero in this case, I'd say it's  
our attorneys. 

