Here’s the problem: The MBTA’s complaint included a full copy of the students’ presentation. Being that it’s now part of public record, that document has found its way onto the Internet — and, potentially, onto the screens of millions.
The information is actually part of a paper the students wrote for an MIT class. It details several problems with the CharlieCard system used for fares — namely that it uses no central database to track cards’ values and no secure digital signatures to keep people from changing the cards’ worth. With the right equipment — stuff you could find within a few minutes online — the students say anyone could change a 50 cent card to a $500 one.
“The CharlieTicket is vulnerable to both cloning and forgery attacks,” the students write.
So did the MBTA have the right to keep the team from discussing its find? Probably — at least in the eyes of the law. If the organization can reasonably show that releasing the information would have caused harm, it’s technically in the clear.
One of the MIT students did say he and his classmates gave the MBTA advance notice of their findings — but his interview with the Boston Herald suggests that happened just a few days before the scheduled DEFCON presentation. That leaves the MBTA room to argue it didn’t have enough time to take preventative action.
Of course, in the long run, the MBTA essentially shot itself in the foot. The documents, in the form of a PDF called “Anatomy of a Subway Hack” (PDF) are now all over the place, and people who probably wouldn’t have ever heard of the hack now know every last detail about it. What’s not clear is why the judge involved didn’t seal the related documents, which would have kept them from going public.
The Final Verdict
No doubt, this is one tricky case. Certainly, the students aren’t employees of the MBTA and are under no obligation to share anything they found. At the same time, presenting that information publicly without letting the MBTA first respond could have clearly caused business-related damage.
The best-case scenario might have been to follow the lead of security analyst Dan Kaminsky, the guy who found the massive DNS flaw affecting the whole Internet in July. Kaminsky actually came across the problem a full six months earlier. He worked hard to keep it under wraps until industry leaders could find a solid solution. Even after initially announcing the discovery and solution, Kaminsky pleaded with hackers to keep anything they found to themselves for one more month, so ISPs worldwide could have ample time to patch the hole and protect their systems.
Ultimately, though, no one in the MIT instance is faring too badly. The students have gained some short-lived fame, and hopefully the MBTA has gained some insight into a serious problem and how it can be fixed. And even if the MIT team doesn’t get any thanks for its thoughts, it did get one reward: an A for the assignment.