Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back

from the yeah,-that'll-work dept

Mon, Aug 11th 2008 2:13am — Mike Masnick

You would think after years and years of it backfiring every time some scared organization tries to shut down a talk concerning their security vulnerabilities, that people wouldn't even bother any more. But never underestimate the short-sightedness of some execs. The Massachusetts Bay Transportation Authority uses a magnetic strip card system to access the subway system in Boston. That system is not particularly secure, and some enterprising MIT students planned to demonstrate just how weak the security was on the system this weekend at the Defcon conference... until the MBTA convinced a judge to ban the presentation and demand that all copies of the presentation not be released -- which is problematic since all attendees at the conference already obtained CDs with a copy of the presentation. Also, somewhat ironically, a copy of the presentation was entered in as evidence in the case, and that copy is now publicly available as part of the court records system. Oops.

Of course, even if the court had actually been able to stop the distribution of the presentation, it's silly to think that this would have stopped the dissemination of the methods for hacking the system. The truth is that the MBTA's system uses woefully weak security, and rather than doing anything to strengthen it, it has to threaten some bright MIT students and get a court order to pretend the such security vulnerabilities don't exist. And, of course, in doing this, all the MBTA has really done is painted a huge target on its back. Perhaps it should have just focused on making its system a bit more secure instead.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bans, defcon, mit, obscurity, security, subway
Companies: mbta

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

bobbknight, 11 Aug 2008 @ 3:14am

I want one
So, not having a pacer account, how can I get a copy of these court records?
Just so I can say I have a copy.
[ link to this | view in chronology ]
- a, 11 Aug 2008 @ 6:05am
  
  Court Records (was Re: I want one)
  Court documents in DEFCON prior restraint case, courtesy of MIT's The Tech.
  [ link to this | view in chronology ]
wasnt me!, 11 Aug 2008 @ 3:55am

is that what we call the ostrich defense?
[ link to this | view in chronology ]
- Anonymous Coward, 11 Aug 2008 @ 4:41am
  
  Re:
  no - obviously they are using the Streisand effect to advertise their fine subway - using this talk to allow engineers and hackers to travel at new, subsidised prices. I wonder is it possible to get a refund on unused credit?
  [ link to this | view in chronology ]
Ferin (profile), 11 Aug 2008 @ 4:58am

What the hell?
Standing aside from the usual idiocy of an agency trying to hide its crappy security, what is wrong with our law schools? Did these lawyers not realize any evidence entered into the court becomes public record?
[ link to this | view in chronology ]
Anonymous Coward, 11 Aug 2008 @ 5:01am

For those interested, here is the "controversial" MBTA presentation from DefCon this weekend (PDF), along with the MBTA's *public* court filings related to the TRO, and a copy of a 'confidential' report made to the MBTA by the same presenters that apparently is dated 8 August as shown on Wired's website late Friday and was also part of the court filing.
http://infowarrior.org/users/rforno/mirror/
More info:
Wired's coverage:
http://feeds.feedburner.com/~r/wired27b/~3/360219474/injunction-requ.html
The Streissand Effect strikes again -- same stuff, different year.
[ link to this | view in chronology ]
mediaempyre, 11 Aug 2008 @ 5:01am

Somewhere on the internet this can be found. Google is your friend.
But why oh why does MBTA not hire the university for some low price to secure the whole damn thing?? Either they are really stupid, and those kids should have their jobs, or there's cronyism afoot and they're really really stupid and those kids should have their jobs.
[ link to this | view in chronology ]
Anonymous Coward, 11 Aug 2008 @ 5:31am

I bet/hope those kids get better jobs than working for MBTA.
[ link to this | view in chronology ]
Blake, 11 Aug 2008 @ 5:37am

Interesting presentation, I enjoyed reading the documents
[ link to this | view in chronology ]
matt, 11 Aug 2008 @ 6:20am

You would think...
That the T would be very interested in replacing their current IT professionals with these MIT students!

Good point about the refund on unused credit; hadn't thought of that angle before!
[ link to this | view in chronology ]
Drew Snider, 11 Aug 2008 @ 6:37am

MTA Hackers
I didn't see the background to this, but as a former journalist (OK ... former newscaster) and now Public Information Guy with Boston's counterpart in Vancouver BC, I some questions about the events leading up to this court injunction. Did the MTA and MIT students discuss this before it went public? Did any journalists involved try to act as a go-between before running with the story? There have been instances in Vancouver -- not involving my agency, happily -- where reporters have suddenly ambushed a local agency by running a story that information that could compromise security has been posted on the Internet or (worse) is actually obtainable through that agency's website. Proper course of action for the students: bring the concerns to the agency's attention, then give the agency a week, say, to commit to addressing them or else then, they go to the media -- or go public in some way. So my overall question is, are the MIT students acting in the public interest, or just a bunch of know-it-all kids trying to show off how much smarter they are than The Man?
[ link to this | view in chronology ]
- a, 11 Aug 2008 @ 7:01am
  
  Re: MTA Hackers
  Prior restraints against speech or the press are most emphatically not in the public interest. Prior restraints are legally presumed to be unconstitional. In other words, the burden is on the party seeking the prior restraint to show that it comports with our constitutional scheme. The Supreme Court has never upheld a prior restraint.
  
  In legal circles Alexender v United States has been recognized for its explanation of prior restraints. From that opinion:
  The term "prior restraint" is used "to describe administrative and judicial orders forbidding certain communications when issued in advance of the time that such communications are to occur." Temporary restraining orders and permanent injunctions-i. e., court orders that actually forbid speech activities-are classic examples of prior restraints.
  
  (Citation omitted.)
  
  Remember the Pentagon Papers case.
  
  The public interest is best served by federal judges who uphold the Constition.
  [ link to this | view in chronology ]
- silentsteel (profile), 11 Aug 2008 @ 7:46am
  
  Re: MTA Hackers
  I could be wrong, but I think I read that the students contacted the MBTA regarding this presentation and all they got in return was that they had been reported to the FBI, and now were under investigation.
  [ link to this | view in chronology ]
- John Wilson, 12 Aug 2008 @ 5:09pm
  
  Re: MTA Hackers
  As has already been mentioned prior restraint, particularly on security issues whether or not they involve MTBA or TransLink, the agency I assume you work for is most definitely isn't in the public interest.
  
  It's rarely in the interest of the agency either.
  
  It's also been noted that the students ("know-it-all-kids") and their Prof at MIT notified the agency involved and of their intention to reveal the vulnerabilities at DEFCON.
  
  I don't know how many times it has to be said before people, be they lawyers or TransLink PR hacks understand the "security by obscurity" simply does not work. Ever.
  
  Exhibits A-Z and beyond on that point? Microsoft Windows and accompanying programs such as Outlook Express and Internet Explorer.
  
  ttfn
  
  John
  [ link to this | view in chronology ]
Phil, 11 Aug 2008 @ 7:19am

For all those stating the MtA should hire these students STFU.

The companies supplying these card systems know all to well the vulnerabilities that exist. It is just too expensive to eliminate the threat entirely. Trade offs due to IC cards requiring power yet having no internal power supply (inductive coupling), PKI management, and the need for speed are just some of the issues at hand

The MIT students didn't discover anything previously unknown, get over yourselves (as you obviously identify with the students).

Presentation or not, very few people could reproduce this "hack" without significant know-how. And then, the system will catch pirated cards in short order and deactivate them.
[ link to this | view in chronology ]
- ChurchHatesTucker (profile), 11 Aug 2008 @ 7:35am
  
  Re:
  "STFU, It's a known problem, it's not a problem."
  
  Well, no worries then, right?
  [ link to this | view in chronology ]
- Esahc (profile), 11 Aug 2008 @ 7:39am
  
  Re:
  "Presentation or not, very few people could reproduce this "hack" without significant know-how.""
  
  Um . . . All it would take would be a Google search, & a moderate level of intelligence to obtain the know-how.
  
  "And then, the system will catch pirated cards in short order and deactivate them."
  
  One time access is all a person needs too cause a large amount of damage.
  
  In any case Boston authorities have never been the brightest; do we all remember the Aqua Team Hunger Force incident?
  [ link to this | view in chronology ]
Phil, 11 Aug 2008 @ 8:55am

@ChuckHatesTucker
Mifare has been around for over decade and is being phased out. It's not as if anyone is at risk except the MBTA, so what is your concern exactly? It's their loss.

@Esahc
I'm sure you already possess the required FPGA programming skills and cryptographic knowledge, but it may surprise you to know it is not widespread. Not as easy as you think.
They:
- bought a $1000 radio, with discrete component design
- utilized GNU radio (not simple to understand)
- Used said radio to sniff
- Used an FPGA board to brute force to crack
- Were able to read, write and clone
There is a whole lot of research required to get to this point, and the pay off is very small.

Not only is there value stored on the card, but it is cross referenced in the evening to audit and assure card balances match those of the database. De-activiating all cards that have balances different from what the database lists is trivial.

"One time access is all a person needs too cause a large amount of damage."
Yeah, someone might get a full days worth of rides for free, ZOMG! The sky is falling!
[ link to this | view in chronology ]
- Esahc (profile), 11 Aug 2008 @ 11:50am
  
  Re:
  I concede to your point regarding the knowledge involved, but are we talking free rides or access to back rooms & secure areas?
  [ link to this | view in chronology ]
trollificus, 11 Aug 2008 @ 9:41am

Okay, Phil...
...good point there. The hack is clearly not so easy to reproduce as to result in widespread abuse (read: loss of revenue)

So...ummm...doesn't that just make the case that the MBTA response was even stupider than it at first appears?
[ link to this | view in chronology ]
Jeff, 11 Aug 2008 @ 10:31am

for the lulz
The presentation is also available through the MIT web site.

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

And, of course, there's a torrent.

http://thepiratebay.org/torrent/4336556/Banned_Defcon_Presentation_on_CharlieCard_Hacks_ n_cracks
[ link to this | view in chronology ]
Andrew D. Todd, 11 Aug 2008 @ 11:03am

So Why Not Make It Free?
As you will see from the link below, transit systems are not usually able to collect fares amounting to more than half of their expenses. Sometimes the figure is a lot less. At that level, even collecting fares becomes counterproductive, particularly when the external costs of automobiles are taken into account. Transit systems are run at a loss, as a public good. The kind of people who use them a lot, students, old-age pensioners, etc., are generally entitled to really deep discounts. Why not just make the transit system free?

http://en.wikipedia.org/wiki/Farebox_recovery_ratio
[ link to this | view in chronology ]
zealeus, 11 Aug 2008 @ 11:27am

Considering I'd never had known about this hack otherwise, thanks for the suing!
Also, I doubt 99.9% of people even know WTF the article is talking about much, much less how to reproduce any of the hacks after having read the info.
[ link to this | view in chronology ]
another mike, 11 Aug 2008 @ 1:53pm

same story from last thursday
This is the story I commented about in last Thursday's Streisand Effect versus security through obscurity, here. So the going rate is one or two a week now.
If someone finds a big hole in your system, whatever you do, don't sue them over it. Attend their presentation, and quietly fix the hole they found. When no one else can come in and exploit it, they'll be the laughing stock of the conference. You'll be more secure and have fewer attackers, you win twice.
[ link to this | view in chronology ]
Biz Modl, 11 Aug 2008 @ 9:06pm

Not even at the level of an ordinary injunction
This case doesn't even rise to the level of an ordinary injunction. An injunction is only supposed to be granted if there will be irreparable harm to the plaintiff if the defendant goes ahead with the action they are being sued over. In this case, the transit authority at worst stands to have people riding who didn't pay. It won't increase their costs one iota because they're going to run the same trains they always do; added passengers don't cost any extra to carry. It probably won't decrease their revenue much because I suspect those who use the hack will ride for free just to prove they can, not because they are avoiding payment of a fare that they would have otherwise paid. And even if they do lose money, they have the option of suing the defendants for the damages. Maybe they won't get it all back, but if a transit system can be harmed by a reduction in paid fares, they would have all disappeared long ago.

So there's not only not "irreparable harm", there's darn near no harm at all. And for this some judge wants to throw away the concept of free speech?
[ link to this | view in chronology ]