Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back
from the yeah,-that'll-work dept
You would think that after years and years of it backfiring every time some scared organization tries to shut down a talk about its security vulnerabilities, people wouldn't even bother any more. But never underestimate the short-sightedness of some execs. The Massachusetts Bay Transportation Authority uses a magnetic-stripe card system to control access to the subway system in Boston. That system is not particularly secure, and some enterprising MIT students planned to demonstrate just how weak its security was this weekend at the Defcon conference... until the MBTA convinced a judge to ban the presentation and demand that no copies of the presentation be released -- which is problematic, since all attendees at the conference had already received CDs with a copy of the presentation. Also, somewhat ironically, a copy of the presentation was entered into evidence in the case, and that copy is now publicly available as part of the court records system. Oops.

Of course, even if the court had actually been able to stop distribution of the presentation, it's silly to think that this would have stopped the dissemination of the methods for hacking the system. The truth is that the MBTA's system uses woefully weak security, and rather than doing anything to strengthen it, the MBTA has chosen to threaten some bright MIT students and get a court order to pretend that such security vulnerabilities don't exist. And, of course, in doing this, all the MBTA has really done is paint a huge target on its back. Perhaps it should have just focused on making its system a bit more secure instead.
Filed Under: bans, defcon, mit, obscurity, security, subway
Companies: mbta
Reader Comments
I want one
Just so I can say I have a copy.
Court Records (was Re: I want one)
Court documents in DEFCON prior restraint case, courtesy of MIT's The Tech.
What the hell?
http://infowarrior.org/users/rforno/mirror/
More info:
Wired's coverage:
http://feeds.feedburner.com/~r/wired27b/~3/360219474/injunction-requ.html
The Streisand Effect strikes again -- same stuff, different year.
But why oh why does MBTA not hire the university for some low price to secure the whole damn thing?? Either they are really stupid, and those kids should have their jobs, or there's cronyism afoot and they're really really stupid and those kids should have their jobs.
You would think...
Good point about the refund on unused credit; hadn't thought of that angle before!
MTA Hackers
Re: MTA Hackers
Prior restraints against speech or the press are most emphatically not in the public interest. Prior restraints are legally presumed to be unconstitutional. In other words, the burden is on the party seeking the prior restraint to show that it comports with our constitutional scheme. The Supreme Court has never upheld a prior restraint.
In legal circles Alexander v United States has been recognized for its explanation of prior restraints. From that opinion:
(Citation omitted.)
Remember the Pentagon Papers case.
The public interest is best served by federal judges who uphold the Constitution.
Re: MTA Hackers
It's rarely in the interest of the agency either.
It's also been noted that the students ("know-it-all-kids") and their Prof at MIT notified the agency involved of their intention to reveal the vulnerabilities at DEFCON.
I don't know how many times it has to be said before people, be they lawyers or TransLink PR hacks, understand that "security by obscurity" simply does not work. Ever.
Exhibits A-Z and beyond on that point? Microsoft Windows and accompanying programs such as Outlook Express and Internet Explorer.
ttfn
John
The companies supplying these card systems know all too well the vulnerabilities that exist. It is just too expensive to eliminate the threat entirely. Trade-offs due to IC cards requiring power yet having no internal power supply (inductive coupling), PKI management, and the need for speed are just some of the issues at hand.
The MIT students didn't discover anything previously unknown, get over yourselves (as you obviously identify with the students).
Presentation or not, very few people could reproduce this "hack" without significant know-how. And then, the system will catch pirated cards in short order and deactivate them.
Re:
Well, no worries then, right?
Re:
Um . . . All it would take would be a Google search, & a moderate level of intelligence to obtain the know-how.
"And then, the system will catch pirated cards in short order and deactivate them."
One time access is all a person needs to cause a large amount of damage.
In any case Boston authorities have never been the brightest; do we all remember the Aqua Teen Hunger Force incident?
Mifare has been around for over a decade and is being phased out. It's not as if anyone is at risk except the MBTA, so what is your concern exactly? It's their loss.
@Esahc
I'm sure you already possess the required FPGA programming skills and cryptographic knowledge, but it may surprise you to know it is not widespread. Not as easy as you think.
They:
- bought a $1000 radio, with discrete component design
- utilized GNU radio (not simple to understand)
- Used said radio to sniff
- Used an FPGA board to brute force to crack
- Were able to read, write and clone
There is a whole lot of research required to get to this point, and the pay off is very small.
Not only is there value stored on the card, but it is cross-referenced in the evening to audit and assure card balances match those of the database. Deactivating all cards that have balances different from what the database lists is trivial.
"One time access is all a person needs too cause a large amount of damage."
Yeah, someone might get a full day's worth of rides for free, ZOMG! The sky is falling!
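A defender-side worked example, added here and not taken from the article or from any commenter: the end-of-day reconciliation the comment above describes, replaying a day's gate taps against the back-office ledger and flagging every card whose self-reported balance no longer matches what the ledger predicts (inflated value, a balance rolled back to a pre-deduction state, or an id the ledger has never issued). The ledger, tap log, fares and the `reconcile` function with its tolerance are all constructed assumptions.

```python
# Added example: nightly reconciliation of stored-value card balances against
# the operator's ledger. All ids, balances and fares below are constructed.

# Constructed ledger: card id -> balance the back office believes is on the card
LEDGER = {"C001": 12.50, "C002": 3.00, "C003": 20.00, "C004": 0.00}

# Constructed tap log for one day, in gate order:
# (card id, balance the card itself presented at the gate, fare charged)
TAPS = [
    ("C001", 12.50, 1.70),  # consistent with ledger
    ("C001", 10.80, 1.70),  # consistent follow-on tap (12.50 - 1.70)
    ("C002", 3.00, 1.70),   # consistent
    ("C003", 99.00, 1.70),  # card claims far more value than the ledger holds
    ("C004", 5.00, 1.70),   # ledger says empty, card says 5.00
    ("C002", 3.00, 1.70),   # presents the pre-deduction balance again: rolled back or cloned
    ("C999", 7.00, 1.70),   # id never issued by the ledger
]

TOLERANCE = 0.005  # slack for floating-point rounding of fares (assumption)


def reconcile(ledger, taps, tolerance=TOLERANCE):
    """Replay taps against the ledger; return {card_id: reason} for cards to deactivate.

    The ledger balance is advanced by each fare as the replay proceeds, so the
    second tap of a card must present the post-deduction balance. A card is
    flagged on its first inconsistent tap and ignored for the rest of the day.
    """
    expected = dict(ledger)  # running balance the ledger predicts per card
    flagged = {}
    for card, reported, fare in taps:
        if card in flagged:
            continue
        if card not in expected:
            flagged[card] = "unknown card id"
            continue
        if abs(reported - expected[card]) > tolerance:
            kind = "inflated" if reported > expected[card] else "under-reported"
            flagged[card] = (f"{kind}: card reported {reported:.2f}, "
                             f"ledger expected {expected[card]:.2f}")
            continue
        expected[card] = round(expected[card] - fare, 2)  # apply the fare in the ledger too
    return flagged


if __name__ == "__main__":
    for card, reason in reconcile(LEDGER, TAPS).items():
        print(f"deactivate {card}: {reason}")
```

Because the ledger is advanced tap by tap, a card that replays its morning balance in the afternoon is caught even though that balance was once genuine.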
Okay, Phil...
So...ummm...doesn't that just make the case that the MBTA response was even stupider than it at first appears?
for the lulz
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
And, of course, there's a torrent.
http://thepiratebay.org/torrent/4336556/Banned_Defcon_Presentation_on_CharlieCard_Hacks_n_cracks
So Why Not Make It Free?
http://en.wikipedia.org/wiki/Farebox_recovery_ratio
Also, I doubt 99.9% of people even know WTF the article is talking about much, much less how to reproduce any of the hacks after having read the info.
same story from last thursday
If someone finds a big hole in your system, whatever you do, don't sue them over it. Attend their presentation, and quietly fix the hole they found. When no one else can come in and exploit it, they'll be the laughing stock of the conference. You'll be more secure and have fewer attackers, you win twice.
Not even at the level of an ordinary injunction
So there's not only not "irreparable harm", there's darn near no harm at all. And for this some judge wants to throw away the concept of free speech?