8/11/2008
03:11 PM

MIT Students Ordered To Withhold Boston's MTA Hack Details

The MIT students had intended to discuss the techniques they used to change the value on an MBTA CharlieTicket from $2 to $653.

On Saturday morning, Massachusetts District Judge Douglas P. Woodlock ordered three MIT students not to discuss the security vulnerabilities the trio found in the Massachusetts Bay Transit Authority's (MBTA) Boston fare cards, known as CharlieCard and CharlieTicket.

The MIT students, Zack Anderson, RJ Ryan, and Alessandro Chiesa, had been planning to present their findings at a 1 p.m. session on Sunday at the Defcon security conference in Las Vegas called "The Anatomy of a Subway Hack: Breaking Crypto RFID's & Magstripes of Ticketing Systems."

The MIT students had intended to discuss the techniques they used to change the value on a CharlieTicket from $2 to $653. But they were ordered not to reveal any information that could be used to defraud the MBTA's fare card system for 10 days.

Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, which is representing the students, called the court order "an illegal prior restraint on legitimate academic research in violation of the First Amendment."

The court order also is of questionable effectiveness. The students' presentation materials are available online, hosted by The Tech, MIT's newspaper, and mirrored elsewhere. The materials include the students' confidential recommendations to the MBTA about how to fix the security issues, which were attached to a court document. Though the software used by the students to analyze the fare cards hasn't been made available, the presentation materials and security recommendations provide significant details about security failings throughout the Boston transit system.

The presentation reveals flawed network and physical security, social engineering weaknesses, and exposed information that could be used to compromise the Boston transit system. Among the images included in the presentation are gates left unchained, accessible turnstile control boxes, computer screens visible through windows, door keys left in open boxes, documents left in public view, and unattended surveillance stations. And that's to say nothing of the software and hardware vulnerabilities related to the fare cards.

The MBTA filed its complaint against the students Friday. It alleges that the MIT students traveled on MBTA lines without paying fares and have instructed others to do so.

According to MIT's The Tech, Anderson, in an e-mail to the paper, refuted the charge that he and his peers had ridden the transit system for free.

But in granting the gag order, the judge may have been swayed by a summary of the planned Defcon presentation that was cited in the MBTA's complaint. An early version of the announcement of the Defcon talk began, "Want free subway rides for life?" It also said, "We go over social engineering attacks we executed on employees..." And it promised, "We will release several open source tools to perform these attacks."

Following an Aug. 5 meeting that included MBTA officials, the MIT students, and MIT professor Ronald Rivest, the announcement copy was reworded to be less provocative. Nonetheless, the previous version of the announcement made it into the MBTA's complaint.

Just as unpublishing is problematic online, it's also difficult in court. And the judge may well have found MBTA's fears of widespread fraud more credible thanks to the initial version of the students' confrontational marketing copy.

The EFF, meanwhile, is seeking to reverse the gag order.

The MBTA complaint states that the agency is not seeking to silence the students forever. Rather, it's asking for "responsible disclosure," for the students to withhold their information until the MBTA can fix its security.
