August 9, 2008 10:31 AM PDT

Judge orders halt to Defcon speech on subway card hacking

by Declan McCullagh

MIT students Alessandro Chiesa, R.J. Ryan, Zack Anderson, and Electronic Frontier Foundation staff attorney Kurt Opsahl speak at a panel turned press conference at Defcon.

(Credit: Declan McCullagh/CNET News)

LAS VEGAS--A federal judge on Saturday granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.

The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

EFF staff attorney Kurt Opsahl said that the temporary restraining order is "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented."

EFF attorneys appeared with the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit. Although Sunday's talk is canceled, Defcon organizers hinted that there may be a related presentation on a similar topic.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on July 30 or July 31. But the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time.

But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the "initial contact, they said the FBI was investigating and that was not--we didn't find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening," said Anderson, one of the students.

EFF's Opsahl said the students only intended to "provide an interesting and useful talk, but not one that would allow people to defraud the Massachusetts" government.

The MBTA, which is a state government agency, alleges in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."

Its suit asks a judge to order the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised." The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.

That could be difficult to enforce. Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.

Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities--not included on the CD--was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.)

Court documents filed by MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday. (There was initial confusion about whether the meeting was Monday or Tuesday.)

Chiesa, Ryan, and Anderson at an Electronic Frontier Foundation panel.

(Credit: Declan McCullagh/CNET News)

A representative of the Defcon convention, who asked that her name not be used, said that the students submitted their PowerPoint presentation at least a month ago. The presentation says--not-so-presciently--"what this talk is not: evidence in court (hopefully)." It also says: "THIS IS VERY ILLEGAL! So the following material is for educational use only."

In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

Also released as part of the public record was a document marked "confidential" and written by the researchers (PDF) that explains exactly how the Charlie cards can be cloned and forged. "Our research shows that one can write software that will generate cards of any value up to $655.36," the document says.

The document also discusses the lack of physical security at the MBTA. "Doors were left unlocked allowing free entry in many subways," the document says. "The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open."

One portion of the MBTA's legal complaint that drew jeers from the Defcon crowd came in its odd claim that "A CharlieTicket standing alone constitutes a 'computer'" under federal antihacking law.

This isn't the first time speakers at security conferences have been hauled into court by companies seeking to muzzle them.

In 2005, Cisco Systems filed a lawsuit against security researcher Michael Lynn hours after he gave a talk at Defcon on how attackers could take over Cisco routers. The case was ultimately settled. Four years earlier, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel one day after he gave a presentation at Defcon on insecurities in e-book security software.

Another excerpt from the presentation distributed to thousands of Defcon attendees on CDs.

Princeton University computer science professor Ed Felten and his co-authors received legal threats from the recording industry involving a planned talk at a Pittsburgh security conference--but pulled the paper from the event, even though no lawsuit materialized.

Research into flaws in the encryption of the Mifare Classic cards, which the MBTA uses, landed Dutch researchers in court recently. NXP sued to block a Dutch university from publishing information about vulnerabilities in the encryption used in the RFID cards around the world. Last month, a court ruled that the university could publish the information.

Karsten Nohl, a University of Virginia graduate student who worked with others to break the Mifare Classic crypto algorithm last year, said MBTA should not have sued researchers who voluntarily discussed their findings with them.

"It has been known for years that magnetic stripe cards can easily be tampered with and MBTA should not have relied on the obscurity of their data-format as a security measure," Nohl said. "MBTA made it clear that they are not interested in cooperating with researchers on identifying and fixing vulnerabilities, but their lawsuit will motivate more research into the security of Boston's public transport system."

MIT's student newspaper has posted a copy of the presentation that was distributed on Defcon CDs and the subject of the court order.

In the video clip below, MIT student Zack Anderson tells reporters how he felt when he learned about the lawsuit filed by the MBTA. The lawsuit was filed a few days after he had met with the agency to discuss concerns about his talk at Defcon. He is with fellow MIT students R.J. Ryan and Alessandro Chiesa and EFF attorney Marcia Hofmann, who was advising the students about what they could say in light of the temporary restraining order against them.

(Credit: Elinor Mills)

CNET News.com's Elinor Mills contributed to this report.

[Note: This story was updated at 12:05 p.m. PDT to reflect that a temporary restraining order was issued. It was again updated at 1:30 p.m. PDT with more details from documents on how the hacks can be done, and at 4:30 p.m. with a report from the EFF press conference and 6:15 p.m. with video.]


Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."
(24 Comments)
by Scialex August 9, 2008 11:09 AM PDT
Can someone get me a video of this conference?
by unknown unknown August 9, 2008 12:22 PM PDT
Probably not, they're rather strict about what can be filmed.
by The_Decider August 9, 2008 1:02 PM PDT
What a bunch of crap.

Whether or not they present, this exploit is going to happen to the subway system.

That is what so many people don't seem to be able to grasp: Security through obscurity never works. If 1 person can find the flaw, then 1000 others can (for the slow folks - that means everyone can access and use this information). By making the problems public, then there is a real motivation to fix it. Otherwise few problems get fixed.

There is no way that this is a "threat to public health or safety". That is a ludicrous notion. What advantage does this give "evil doers" who want to disrupt public transportation or other bad purposes?

This is just another example of the government crying terrorist for their own ends, and not for the benefit of the public at large.
by Lerianis August 10, 2008 5:26 AM PDT
You hit the nail right on the head. The only way this would be a threat to public health or safety is if terrorists couldn't get on the subway without these cards.... which we KNOW is not the case.
by Perry_Clease August 9, 2008 1:17 PM PDT
"There is no way that this is a "threat to public health or safety". That is a ludicrous notion. What advantage does this give "evil doers" who want to disrupt public transportation or other bad purposes? This is just another example of the government crying terrorist for their own ends, and not for the benefit of the public at large."

It's the loss of revenue more than anything.
by The_Decider August 9, 2008 2:16 PM PDT
How does losing money justify saying it is a threat to public health or safety?
by Perry_Clease August 9, 2008 4:45 PM PDT
"How does losing money justify saying it is a threat to public health or safety?"

It probably doesn't, but that doesn't mean that they can't use that as the excuse.
by Jack K1 August 9, 2008 1:30 PM PDT
The threats to public health and safety are obvious. Each card has a unique ID. The government can use this information to monitor individual movement, identify associations between people, and even intercept people in transit. If people could create bogus cards, the government loses this ability. Likewise, the existence of these cards provides folks with a viable defense -- "it wasn't me -- your system's data can't be trusted." Indeed, courts would have to stop issuing warrants based on these data -- again hindering the government's efforts.

Oh, and if these systems can be hacked so easily, then a few elected officials who were told of this system's weaknesses during the initial proposal evaluations might find themselves embarrassed -- and it's obvious to see how that could be interpreted as a threat to public safety and health.
by The_Decider August 9, 2008 2:18 PM PDT
Only if you believe that the government has a right to monitor individual movement on a mass basis.

I don't think the argument that if this is exploited the government loses its ability to invade your privacy is valid.
by Lerianis August 10, 2008 5:28 AM PDT
That argument might not be valid, The_Decider.... but a lot of people use it! Frankly, the world today is too scared of a lot of stuff: being killed (happens VERY rarely out of the 300 million people in the United States), pedosexuals, etc.
Someone needs to stand up, tell the public that they are being overly cautious and scared, and tell them what they are missing out on.
by n3td3v August 9, 2008 2:39 PM PDT
MIT student newspaper publishes the banned DEFCON slides
https://groups.google.com/group/n3td3v/browse_thread/thread/952a5bd20d0c7b41
by Travis Ernst August 9, 2008 4:46 PM PDT
They (transit) are ashamed of the lack of security and want to cover it up. They should THANK the hax for exposing it and then be forced to fix the flaws and holes in the system. That is the point in this presentation. By bringing security flaws and holes large enough to drive a Mack truck through to the surface, they can be fixed, not covered up with more dirt as the city seems like they want to do (saves money by not spending money).

As for the tracking on cards, who would use their own card ID if they could hack it!! THINK. They wouldn't want to get caught. If they "cloned" their card to another just to test it, that's another story. However that means they are using credits they PAID FOR.

Not knowing this system's manner of issuing IDs, I'm sure, as with computers, there is a "GOD ID" or "test/Service ID". It just takes time; a manual comes in handy (dumpster diving skills). City extensions are GREAT at throwing out valuable manuals and reference books (so are college buildings!).
by ssulistyo August 9, 2008 8:46 PM PDT
Here is the presentation:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

Mirrors:
http://www.evernote.com/pub/ssulistyo/InfoSecStuff#07ff6ce9-1aa9-45e9-8bd2-10ce0805e534
https://dl.getdropbox.com/u/77164/anatomy%20of%20a%20subway%20hack.pdf

Also, a vulnerability assessment report:
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
by magicmaster August 10, 2008 5:53 AM PDT
What a foolish act of attempting to block the publication of this paper.

Originally meant to be presented to selected hackers, now the topic received more publicity and everyone else (including me) is reading the paper.

In memory of MBTA, I will keep a copy of this paper. (wink)
by perogi21 August 10, 2008 6:26 AM PDT
My only problem with this is now they know about it and my cloned card won't work :-(
(Once they fix it :-) )
by alflanagan August 10, 2008 6:28 AM PDT
Thanks, Massachusetts, for reminding me to donate to the EFF again. First Amendment FTW!
by AlexBirch August 10, 2008 10:09 AM PDT
Good article, though this line seems a bit disingenuous

MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

Since Massachusetts uses EDT right now, it'd be nice if they said 11 a.m. EDT on Saturday.
by declan00 August 10, 2008 3:52 PM PDT
This is our style guideline. We've done this for years; our headquarters is based in San Francisco.

BTW "disingenuous" means not candid, which is presumably not what you intended to say -- the time reference is perfectly clear and candid, if not to your liking -- so probably something of a malapropism.
by benjaminstraight August 10, 2008 3:10 PM PDT
Video footage? I would love to see this one discussed.
by RBDurgin August 11, 2008 4:39 AM PDT
Presentation is still cached, just search MIT's website.
by JayWes August 11, 2008 12:47 PM PDT
Personally, the whole idea of the RFID cards leaves me cold. One agency, name withheld, issues badges which get waved across card readers. Surely these are as hackable as the Charlie card. One has to punch in a number, but is this number stored in the card? If so, is this really secure? The only card I know of that seems to be fool-proof is a card which is randomly created, with an optical code. This code is then read by a card reader and the card code is stored on discs. The discs are supplied with the cards for a particular system, and the code is entered into the system's computer and only on the system for that computer. When read, the code is encrypted at the reader. This system was used by a bank for transactions and by a firm supplying parking and security systems. Personally, the wave and walk up cards that do not have to be inserted in a reader are very questionable. The readers are everywhere. Next some government will embed the RFID chips in people at birth, complete with a triple 6 number for verification (check Revelation for further details). As reported by CNET, the transponders for EZ pass are being hacked. There is at least one court case where the use of EZ pass is being presented as evidence of a vehicle being used in a crime.
by morghanphoenix August 11, 2008 2:25 PM PDT
RFID cards make me a bit paranoid, and now my bank is trying to give me a debit card that uses it. No thank you! While four inches doesn't seem a lot of room to sniff a signal, someone could walk up next to you at a crosswalk and let their bag with the equipment hidden in it suck the info right out of your pocket, and I'm sure there are ways to boost the range they can be picked up at. And this is just what criminals can do with your information; I shudder to think what the government has up its sleeve for all those dumb enough to buy into the so-called convenience of these technologies.
by LesHart51 August 12, 2008 9:42 AM PDT
1st Amendment Rights my A##!

FRAUD is illegal... as is THEFT.

This information allows people to generate 'Free' Subway Cards, thereby STEALING 'Public Transportation'! Maybe some people CAN figure out how to do this on their own, but they're still committing THEFT, and DEFRAUDING MBTA!

THEFT and FRAUD by any other names are STILL THEFT and FRAUD. The judge was absolutely right in granting this injunction! What a shame it is that people seem to have lost some 'Moral' values.
by Vurk August 12, 2008 12:18 PM PDT
If someone told a convention of locksmiths that a certain lock had a peculiarity that allowed it to be opened while "locked", wouldn't you prefer that the locksmiths know about it rather than criminals?

Besides, this isn't about showing how to do it, merely that it has been done and can be done and should be fixed.
Or you can go on providing free fares for *real* criminals (as opposed to MIT students) and whining about stolen card value to the govt. Who won't believe that you were defrauded.