Court halts subway hacker talk

A U.S. District Court judge ordered the cancellation of a Defcon conference talk scheduled for Sunday that would have detailed flaws in the Massachusetts Bay Transportation Authority electronic ticketing system.

The MBTA filed a lawsuit Friday seeking to stop three Massachusetts Institute of Technology students and MIT from giving the talk. Judge Douglas Woodlock of the United States District Court for the District of Massachusetts issued a court order in favor of the MBTA Saturday afternoon.

The Boston-area transportation authority argued that the presentation would cause "significant damage to the MBTA's transit system," according to an online posting of the lawsuit.

MIT students Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa had been scheduled to talk about "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems" at the Defcon conference Sunday at 1 p.m. local time. The MIT students and an MBTA lawyer did not return calls and e-mail messages seeking comment.

After talking with their legal counsel, Jennifer Granick of the Electronic Frontier Foundation (EFF), the students decided not to fight the court order and to cancel the talk, a spokeswoman for the Defcon conference said Saturday.

Though the students are barred by court order from providing information that could help others circumvent the MBTA's fare collection system, their presentation slides had already been included in a conference CD given to Defcon attendees. The MBTA itself put some details in the public record by filing a confidential assessment of its security system with the court.

In the Defcon presentation slides, the students describe a variety of techniques that could be used to gain free access to Boston's transit system, some of which they admit are illegal. They say that the point of the talk is to show the results of a penetration test of the MBTA system, but they were clearly aware that it could have caused legal problems. One slide reads simply "What this talk is not: evidence in court (hopefully)".

The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.

The students discuss physical security problems they found with the system, such as unlocked gates and unattended surveillance booths. They say they were able to reach the fiber switches connecting fare vending machines to the network, which were left unlocked, and they also describe techniques to clone and reverse-engineer the MBTA's CharlieTicket magnetic stripe tickets and CharlieCard smartcards.

In court filings, the MBTA says that 68 percent of its riders use the CharlieCard, which brings in about $475,000 to the transit authority each weekday.

An MBTA vendor tipped off the authority on July 30 that the talk was scheduled, the court filing states.

The CharlieCard is based on the same Mifare Classic RFID (radio frequency identification) technology used by many other transit systems around the world. Earlier this year, Mifare's producer, NXP, sued to prevent researchers at Radboud University Nijmegen from presenting their work on how to crack this technology. A Dutch court rejected NXP's claims last month.

With an average weekday ridership of 1.4 million commuters, the MBTA is the nation's fifth-largest transit system, according to the lawsuit.

Legal action over security conference presentations is not new. Security researcher Mike Lynn was sued in 2005 after he gave a controversial presentation at the Black Hat conference, held the week before Defcon, disclosing flaws in Cisco's routers. In response, the EFF this year started a drop-in service at Defcon, providing presenters free legal advice on how to respond to threats of legal action.

EFF will discuss the lawsuit against the MIT students at a Defcon panel discussion at 2 p.m. local time.

(More to follow, after the panel discussion.)
