Vulnerabilities / Threats
8/11/2008
03:11 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

MIT Students Ordered To Withhold Boston's MTA Hack Details

The MIT students had intended to discuss the techniques they used to change the value on a MBTA CharlieTicket from $2 to $653.

On Saturday morning, Massachusetts District Judge Douglas P. Woodlock ordered three MIT students not to discuss the security vulnerabilities the trio found in the Massachusetts Bay Transit Authority's (MBTA) Boston fare cards, known as CharlieCard and CharlieTicket.

The MIT students, Zack Anderson, RJ Ryan, and Alessandro Chiesa, had been planning to present their findings at a 1 p.m. session on Sunday at the Defcon security conference in Las Vegas called "The Anatomy of a Subway Hack: Breaking Crypto RFID's & Magstripes of Ticketing Systems."

The MIT students had intended to discuss the techniques they used to change the value on a CharlieTicket from $2 to $653. But they were ordered not to reveal any information that could be used to defraud the MBTA's fare card system for 10 days.

Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, which is representing the students, called the court order "an illegal prior restraint on legitimate academic research in violation of the First Amendment."

The court order also is of questionable effectiveness. The students' presentation materials are available online, hosted by The Tech, MIT's newspaper, and mirrored elsewhere. The materials include the students' confidential recommendations to the MBTA about how to fix the security issues, which were attached to a court document. Though the software used by the students to analyze the fare cards hasn't been made available, the presentation materials and security recommendations provide significant details about security failings throughout the Boston transit system.

The presentation reveals flawed network and physical security, social engineering weaknesses, and exposed information that could be used to compromise the Boston transit system. Among the images included in the presentation are gates left unchained, accessible turnstile control boxes, computer screens visible through windows, door keys left in open boxes, documents left in public view, and unattended surveillance stations. And that's to say nothing of the software and hardware vulnerabilities related to the fare cards.

The MBTA filed its complaint against the students Friday. It alleges that the MIT students traveled on MBTA lines without paying fares and have instructed others to do so.

According to MIT's The Tech, Anderson, in an e-mail to the paper, refuted the charge that he and his peers had ridden the transit system for free.

But in granting the gag order, the judge may have been swayed by a summary of the planned Defcon presentation that was cited in the MBTA's complaint. An early version of the announcement of the Defcon talk began, "Want free subway rides for life?" It also said, "We go over social engineering attacks we executed on employees..." And it promised, "We will release several open source tools to perform these attacks."

Following an Aug. 5 meeting that included MBTA officials, the MIT students, and MIT professor Ronald Rivest, the announcement copy was reworded to be less provocative. Nonetheless, the previous version of the announcement made it into the MBTA's complaint.

Just as unpublishing is problematic online, it's also difficult in court. And the judge may well have found MBTA's fears of widespread fraud more credible thanks to the initial version of the students' confrontational marketing copy.

The EFF, meanwhile, is seeking to reverse the gag order.

The MBTA complaint states that the agency is not seeking to silence the students forever. Rather, it's asking for "responsible disclosure," for the students to withhold their information until the MBTA can fix its security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio