EFF to appeal court order halting subway hacker talk

Massachusetts transportation authority argues Defcon presentation would cause "significant damage to the MBTA's transit system".

The Electronic Frontier Foundation plans to appeal a US District Court order imposing a temporary injunction on a Defcon presentation that would have detailed flaws in the Massachusetts Bay Transportation Authority electronic ticketing system.

"The court ultimately came to a very, very wrong conclusion," EFF senior staff attorney Kurt Opsahl said during an EFF discussion at Defcon a few hours after Judge Douglas Woodlock of the US District Court for the District of Massachusetts issued a court order halting the planned talk about the transit-system security flaws.

The MBTA filed a lawsuit Friday seeking to stop three Massachusetts Institute of Technology students from giving the talk. The lawsuit also names MIT as a defendant. The Boston-area transportation authority argued that the presentation would cause "significant damage to the MBTA's transit system," according to an online posting of the lawsuit.

MIT students Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa had been scheduled to talk about "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems" at the Defcon conference Sunday. They received an "A" grade on the project in an MIT class, Opsahl said.

"The first notice that the MBTA provided that they were going to the court was after they had gone to the court," Opsahl said at the EFF session. The judge cited a computer intrusion statute in issuing the order, he said.

"The statute on its face appears to be discussing sending code programs or similar type of information to a computer and does not appear to contemplate somebody who is giving a talk to humans," Opsahl said. "Nevertheless, the court disagreed with that interpretation."

The court order seems to say that a magnetic strip on a paper card or a smartcard counts as a computer, and the EFF disagrees with that interpretation, he said.

The temporary restraining order "reflects the court's view that they believe that the Massachusetts Bay Transit Authority was likely to succeed on the merits -- we think that's actually not the case," Opsahl said.

Some of the material in the students' talk regarding security problems with the MBTA's electronic ticketing system had been previously reported in the Boston Globe and Boston Herald newspapers, Opsahl said.

"Courts have found that the First Amendment covers these things," Opsahl said. "We believe that this is a protected speech activity. When you discuss security issues, if you are telling the truth, that is something that should be protected."

Though the students are barred by court order from providing information that would have helped others circumvent the talk, their presentation slides had already been included in a conference CD given to Defcon attendees. The MBTA itself put some details in the public record, by filing a confidential assessment of its security system with the court.

In the Defcon presentation slides, the students describe a variety of techniques that could be used to gain free access to Boston's transit system, some of which they admit are illegal. They say that the point of the talk is to show the results of a penetration test of the MBTA system, but they were clearly aware that it could have caused legal problems. One slide reads simply "What this talk is not: evidence in court (hopefully)".

The passage in the Defcon show guide describing their talk begins, "Want free subway rides for life?" That line was removed from the description of the talk posted at the Defcon Web site.

The students discuss physical security problems they found with the system, such as unlocked gates and unattended surveillance booths. They say they were able to access fiber switches connecting fare vending machines to the unlocked network, and they also describe techniques to clone and reverse-engineer the MBTA's CharlieTicket magnetic stripe tickets and CharlieCard smartcards.

In court filings, the MBTA says that 68 percent of its riders use the CharlieCard, which brings in about US$475,000 to the transit authority each weekday.


Robert McMillan

IDG News Service