Federal judge halts Defcon talk on subway card hacking

Barn door closed a little too late


Defcon A federal judge on Saturday gagged three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping holes in the electronic payment systems of one of the nation's biggest transit agencies.

US District Judge Douglas P. Woodlock issued the order at the request of the Massachusetts Bay Transit Authority, which sued the three students and MIT on Friday. It forbids Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, from "providing program, information, software code or command that would assist another in any material way to circumvent or otherwise attack the the security" of the MBTA's fare system.

Attorneys for the Electronic Frontier Foundation, which are representing the trio, said they directed the students to pull the talk, which had been scheduled for Sunday. They said the order constituted an "illegal prior restraint" on their clients' free-speech rights.

"It's a very dangerous precedent," EFF staff attorney Marcia Hofmann told reporters at the Defcon hacking conference in Las Vegas. "Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law. As far as I know, this is completely unprecedented and it has a tremendous chilling effect on sharing this sort of research."

Ironically, a plethora of details around their hack is already out there. Attorneys for the MBTA attached a detailed white paper (PDF) to one of their pleadings. What's more, a PDF containing slides of the talk was part of a CD distributed to all 7,000 to 8,000 people attending the conference. (The slides are also online here (PDF).)

The research delved deep into both of the MBTA's automated payment systems. Although one method uses magnetic strip technology and the other radio frequency identification, the researchers say it's trivial to manipulate both cards to add hundreds of dollars in fare amounts.

"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states. "This in turn will harm the overall functioning of the MBTA's transit services."

Perhaps the MBTA hasn't heard of the Mifare Classic, the world's most popular RFID card, which just happens to be included in the CharlieCard. Last year researchers announced a way to crack the smartcard in a matter of minutes. The trio's research into the CharlieTicket is based on other weaknesses.

An MIT spokeswoman declined to comment to The Tech, an MIT student newspaper. Representatives from the MBTA weren't available for comment.

The lawsuit, filed Friday in US District Court in Boston, capped a week of sometimes tense negotiations between MBTA officials, the students, and their instructor, MIT Professor Ronald Rivest (the R in the RSA cryptography algorithm). On Monday, a meeting at MIT was convened that included the students and their instructor, an MBTA official and a special agent from the Boston field office of the FBI's cyber crimes division.

"The MBTA official made clear the level of concern reached all the way up to the governor's office," Anderson told El Reg earlier this week. "They wanted to know exactly what types of details we were revealing. They were pretty concerned about the tools" the students planned to release.

The 17-page complaint seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requested a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.

According to the complaint, the students refused to provide MBTA officials with the materials they planned to present at Defcon. During a press conference, the students said MBTA officials weren't contacted about their planned talk until July 30 or 31. Based on discussions at Monday's meeting, the students believed the controversy had been resolved. They didn't find out about the lawsuit until Friday, after it was filed, they said.

The complaint takes issue with a presentation description on Defcon's website that read in part: "Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a Mifare Classic smartcard used in many subways around the world, and we discuss physical security problems."

The description was later changed to remove the first line.

Anderson said the tools scheduled to be released helped streamline research into whether payment systems from other transit agencies were vulnerable to the same types of attacks. The students never planned to give tools or instructions showing how to add fares to the MBTA cards, he stressed.

Some of the presentation materials suggest the speakers planned to go beyond that limited scope. Slides included with the Defcon CD said the talk promised attendees would learn how to "generate stored-value fare cards," "reverse engineer magstripes," and "tap into the fare vending network."

Kurt Opsahl, a senior staff attorney for EFF, denied the students ever planned to provide detailed instructions for hacking the cards.

"Please understand that rhetoric aside, the intention was to provide an interesting and useful talk but not one that would enable people to defraud the Massachusetts Bay Transit system," he said.

This isn't the first time a powerful interest has sued to muzzle a Defcon speaker. In 2005 Cisco Systems took legal action against researcher Michael Lynn after he promised to demonstrate how to run a shellcode on a router without authorization. The two ultimately settled. NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.

Opsahl said the EFF planned to appeal the decision, even though a ruling will not be issued in time to save the canceled talk. He said the judge reached a very, very wrong conclusion when using the Computer Fraud and Abuse Act as grounds for canceling the talk.

"The statute on its face appears to be discussing sending code, programs or similar types of information to a computer," Opsahl said. "It does not appear to contemplate somebody who's giving a talk to humans. ®

Broader topics


Other stories you might like

  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading
  • Perl Steering Council lays out a backwards compatible future for Perl 7
    Sensibly written code only, please. Plus: what all those 'heated discussions' were about

    The much-anticipated Perl 7 continues to twinkle in the distance although the final release of 5.36.0 is "just around the corner", according to the Perl Steering Council.

    Well into its fourth decade, the fortunes of Perl have ebbed and flowed over the years. Things came to a head last year, with the departure of former "pumpking" Sawyer X, following what he described as community "hostility."

    Part of the issue stemmed from the planned version 7 release, a key element of which, according to a post by the steering council "was to significantly reduce the boilerplate needed at the top of your code, by enabling a lot of widely used modules / pragmas."

    Continue reading

Biting the hand that feeds IT © 1998–2022