The MIT students had intended to discuss the techniques they used to change the value on an MBTA CharlieTicket from $2 to $653.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 11, 2008


On Saturday morning, Massachusetts District Judge Douglas P. Woodlock ordered three MIT students not to discuss the security vulnerabilities the trio found in the Massachusetts Bay Transit Authority's (MBTA) Boston fare cards, known as CharlieCard and CharlieTicket.

The MIT students, Zack Anderson, RJ Ryan, and Alessandro Chiesa, had been planning to present their findings at a 1 p.m. session on Sunday at the Defcon security conference in Las Vegas called "The Anatomy of a Subway Hack: Breaking Crypto RFID's & Magstripes of Ticketing Systems."

The MIT students had intended to discuss the techniques they used to change the value on a CharlieTicket from $2 to $653. But they were ordered not to reveal any information that could be used to defraud the MBTA's fare card system for 10 days.

Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, which is representing the students, called the court order "an illegal prior restraint on legitimate academic research in violation of the First Amendment."

The court order is also of questionable effectiveness. The students' presentation materials are available online, hosted by The Tech, MIT's newspaper, and mirrored elsewhere. The materials include the students' confidential recommendations to the MBTA about how to fix the security issues, which were attached to a court document. Though the software the students used to analyze the fare cards hasn't been made available, the presentation materials and security recommendations provide significant detail about security failings throughout the Boston transit system.

The presentation reveals flawed network and physical security, social engineering weaknesses, and exposed information that could be used to compromise the Boston transit system. Among the images included in the presentation are gates left unchained, accessible turnstile control boxes, computer screens visible through windows, door keys left in open boxes, documents left in public view, and unattended surveillance stations. And that's to say nothing of the software and hardware vulnerabilities related to the fare cards.

The MBTA filed its complaint against the students Friday. It alleges that the MIT students traveled on MBTA lines without paying fares and have instructed others to do so.

According to MIT's The Tech, Anderson, in an e-mail to the paper, refuted the charge that he and his peers had ridden the transit system for free.

But in granting the gag order, the judge may have been swayed by a summary of the planned Defcon presentation that was cited in the MBTA's complaint. An early version of the announcement of the Defcon talk began, "Want free subway rides for life?" It also said, "We go over social engineering attacks we executed on employees..." And it promised, "We will release several open source tools to perform these attacks."

Following an Aug. 5 meeting that included MBTA officials, the MIT students, and MIT professor Ronald Rivest, the announcement copy was reworded to be less provocative. Nonetheless, the previous version of the announcement made it into the MBTA's complaint.

Just as unpublishing is problematic online, it's also difficult in court. And the judge may well have found MBTA's fears of widespread fraud more credible thanks to the initial version of the students' confrontational marketing copy.

The EFF, meanwhile, is seeking to reverse the gag order.

The MBTA complaint states that the agency is not seeking to silence the students forever. Rather, it's asking for "responsible disclosure," for the students to withhold their information until the MBTA can fix its security.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

