8/11/2008 03:11 PM

MIT Students Ordered To Withhold Boston's MTA Hack Details

The MIT students had intended to discuss the techniques they used to change the value on an MBTA CharlieTicket from $2 to $653.

On Saturday morning, Massachusetts District Judge Douglas P. Woodlock ordered three MIT students not to discuss the security vulnerabilities the trio found in the Massachusetts Bay Transit Authority's (MBTA) Boston fare cards, known as CharlieCard and CharlieTicket.

The MIT students, Zack Anderson, RJ Ryan, and Alessandro Chiesa, had been planning to present their findings at a 1 p.m. session on Sunday at the Defcon security conference in Las Vegas called "The Anatomy of a Subway Hack: Breaking Crypto RFID's & Magstripes of Ticketing Systems."

The MIT students had intended to discuss the techniques they used to change the value on a CharlieTicket from $2 to $653. But they were ordered not to reveal any information that could be used to defraud the MBTA's fare card system for 10 days.

Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, which is representing the students, called the court order "an illegal prior restraint on legitimate academic research in violation of the First Amendment."

The court order is also of questionable effectiveness. The students' presentation materials are available online, hosted by The Tech, MIT's newspaper, and mirrored elsewhere. The materials include the students' confidential recommendations to the MBTA about how to fix the security issues, which were attached to a court document. Though the software the students used to analyze the fare cards hasn't been made available, the presentation materials and security recommendations provide significant details about security failings throughout the Boston transit system.

The presentation reveals flawed network and physical security, social engineering weaknesses, and exposed information that could be used to compromise the Boston transit system. Among the images included in the presentation are gates left unchained, accessible turnstile control boxes, computer screens visible through windows, door keys left in open boxes, documents left in public view, and unattended surveillance stations. And that's to say nothing of the software and hardware vulnerabilities related to the fare cards.

The MBTA filed its complaint against the students Friday. It alleges that the MIT students traveled on MBTA lines without paying fares and have instructed others to do so.

According to MIT's The Tech, Anderson, in an e-mail to the paper, denied the charge that he and his peers had ridden the transit system for free.

But in granting the gag order, the judge may have been swayed by a summary of the planned Defcon presentation that was cited in the MBTA's complaint. An early version of the announcement of the Defcon talk began, "Want free subway rides for life?" It also said, "We go over social engineering attacks we executed on employees..." And it promised, "We will release several open source tools to perform these attacks."

Following an Aug. 5 meeting that included MBTA officials, the MIT students, and MIT professor Ronald Rivest, the announcement copy was reworded to be less provocative. Nonetheless, the previous version of the announcement made it into the MBTA's complaint.

Just as unpublishing is problematic online, it's also difficult in court. And the judge may well have found MBTA's fears of widespread fraud more credible thanks to the initial version of the students' confrontational marketing copy.

The EFF, meanwhile, is seeking to reverse the gag order.

The MBTA complaint states that the agency is not seeking to silence the students forever. Rather, it's asking for "responsible disclosure," for the students to withhold their information until the MBTA can fix its security.
