8/11/2008
03:11 PM

MIT Students Ordered To Withhold Boston's MTA Hack Details

The MIT students had intended to discuss the techniques they used to change the value on an MBTA CharlieTicket from $2 to $653.

On Saturday morning, Massachusetts District Judge Douglas P. Woodlock ordered three MIT students not to discuss the security vulnerabilities the trio found in the Massachusetts Bay Transit Authority's (MBTA) Boston fare cards, known as CharlieCard and CharlieTicket.

The MIT students, Zack Anderson, RJ Ryan, and Alessandro Chiesa, had been planning to present their findings at a 1 p.m. session on Sunday at the Defcon security conference in Las Vegas called "The Anatomy of a Subway Hack: Breaking Crypto RFID's & Magstripes of Ticketing Systems."

The MIT students had intended to discuss the techniques they used to change the value on a CharlieTicket from $2 to $653. But they were ordered not to reveal any information that could be used to defraud the MBTA's fare card system for 10 days.

Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, which is representing the students, called the court order "an illegal prior restraint on legitimate academic research in violation of the First Amendment."

The court order is also of questionable effectiveness. The students' presentation materials are available online, hosted by The Tech, MIT's newspaper, and mirrored elsewhere. The materials include the students' confidential recommendations to the MBTA about how to fix the security issues, which were attached to a court document. Though the software the students used to analyze the fare cards hasn't been made available, the presentation materials and security recommendations provide significant detail about security failings throughout the Boston transit system.

The presentation reveals flawed network and physical security, social engineering weaknesses, and exposed information that could be used to compromise the Boston transit system. Among the images included in the presentation are gates left unchained, accessible turnstile control boxes, computer screens visible through windows, door keys left in open boxes, documents left in public view, and unattended surveillance stations. And that's to say nothing of the software and hardware vulnerabilities related to the fare cards.

The MBTA filed its complaint against the students Friday. It alleges that the MIT students traveled on MBTA lines without paying fares and have instructed others to do so.

According to MIT's The Tech, Anderson, in an e-mail to the paper, refuted the charge that he and his peers had ridden the transit system for free.

But in granting the gag order, the judge may have been swayed by a summary of the planned Defcon presentation that was cited in the MBTA's complaint. An early version of the announcement of the Defcon talk began, "Want free subway rides for life?" It also said, "We go over social engineering attacks we executed on employees..." And it promised, "We will release several open source tools to perform these attacks."

Following an Aug. 5 meeting that included MBTA officials, the MIT students, and MIT professor Ronald Rivest, the announcement copy was reworded to be less provocative. Nonetheless, the previous version of the announcement made it into the MBTA's complaint.

Just as unpublishing is problematic online, it's also difficult in court. And the judge may well have found MBTA's fears of widespread fraud more credible thanks to the initial version of the students' confrontational marketing copy.

The EFF, meanwhile, is seeking to reverse the gag order.

The MBTA complaint states that the agency is not seeking to silence the students forever. Rather, it's asking for "responsible disclosure," for the students to withhold their information until the MBTA can fix its security.
