Massachusetts Transit Agency Sues to Stop Hacker Talk
The Massachusetts Bay Transportation Authority has sued three students and their school, the Massachusetts Institute of Technology, hoping to stop them from disclosing flaws in the MBTA's electronic ticketing system.
The lawsuit claims that the presentation would cause "significant damage to the MBTA's transit system," according to an online posting of the suit, filed Friday with the U.S. District Court for the District of Massachusetts.
It names students Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa, who are scheduled to talk about "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems" at the Defcon conference on Sunday at 1 p.m. local time. The MIT students and an MBTA lawyer did not return calls and e-mail messages seeking comment.
In a presentation distributed to Defcon attendees, the students describe a variety of techniques that could be used to gain free access to Boston's transit system, some of which they admit are illegal. They say that the point of the talk is to show the results of a penetration test of the MBTA system, but they were clearly aware that it could have caused legal problems. One slide reads simply "What this talk is not: evidence in court (hopefully)".
The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.
The students discuss physical security problems they found with the system, such as unlocked gates and unattended surveillance booths. They say they were able to access fiber switches connecting fare vending machines to the unlocked network, and they also describe techniques to clone and reverse-engineer the MBTA's CharlieTicket magnetic stripe tickets and CharlieCard smartcards.
In court filings, the MBTA says that 68 percent of its riders use the CharlieCard, which brings in about US$475,000 to the transit authority each weekday. The researchers refused to give the transit authority information about security flaws in its system ahead of the talk, the filings state.
An MBTA vendor tipped off the authority on July 30 that the talk was scheduled, filings state.
The CharlieCard is based on the same Mifare Classic RFID (radio frequency identification) technology used by many other transit systems around the world. Earlier this year, Mifare's producer, NXP, sued to prevent researchers from presenting research on how to crack this technology. A Dutch court rejected NXP's claims last month.
With an average weekday ridership of 1.4 million commuters, the MBTA is the nation's fifth-largest transit system, according to the lawsuit.