A federal judge granted the Massachusetts Bay Transportation Authority’s (MBTA) motion for a temporary restraining order preventing three MIT students from giving a presentation about how they had hacked the fare card system used by the MBTA’s subway turnstiles. (source) The MBTA’s complaint is here.
The students were scheduled to give a presentation today at the Defcon hacker conference in Las Vegas on the multiple methods they used to attack the CharlieCard, the RFID fare card the MBTA uses to collect fares on the “T”. The presentation, available here, here, here, and here, seems to demonstrate some very basic security weaknesses that should prove quite embarrassing to the MBTA.
The MBTA apparently filed suit after the MIT students refused to provide it with an advance copy of their full vulnerability report (discussed below).
U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide “program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.” Woodlock granted the MBTA’s request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday. (source)
However, as WIRED reports, “the restraining order would have little effect in suppressing the information at this point since the speakers’ slides were on the conference CD-ROM, which had already been distributed to conference attendees Friday morning.” (source)
To add to the irony, WIRED reports:
Among the documents the MBTA filed with its declaration to the court today is a vulnerability assessment report (.pdf) that the three students gave the MBTA about the flaws in its system. The document is dated August 8, the day the MBTA filed its lawsuit against the students, and is essentially the information the students declined to give the MBTA before it filed its lawsuit.
Ironically, the document reveals more about the vulnerability in the MBTA system than the slides that the restraining order sought to suppress contain. The vulnerability assessment report is now available for anyone to download from the Massachusetts court’s electronic records system. (source)
In defense of the MBTA, it did not ask for a permanent injunction, only one that would last until the MBTA could address the security flaws the MIT students raised in their presentation and vulnerability report. On the other hand, the flaws seem to be quite basic, and some of them are simply the result of laziness and/or bad employee behavior. This seems, to me, to be more about the MBTA trying to avoid being embarrassed than trying to avoid widespread destruction of the already crumbling Boston subway system. And that, dear readers, isn’t something a federal judge should support.
It seems kind of funny that the MBTA is so freaked out about this in the first place. It appears that you need quite a setup and quite a lot of pre-existing skills and knowledge to exploit this new RFID system. I have the presentation and the vulnerability report, and I doubt that it would be worth my time or effort to try to duplicate the MIT students’ findings.
On the other hand, when I was a kid and the MBTA used tokens, it was common knowledge that French 10-centime coins worked in all the subway turnstiles. I, like all my friends, came back from Europe with rolls of the coins, which were virtually worthless as currency but worked just fine for subway trips. I wonder why the MBTA didn’t seek an injunction banning the importation of suspicious amounts of dix centimes coins?