bit-tech.net

Defcon: 'Subway Hack' talk gagged

Defcon: 'Subway Hack' talk gagged

The Massachusetts Bay Transit Authority is keen to see this document detailing flaws in its RFID system vanish.

The Defcon hacker conference always courts controversy – even though the visitors to said event fit more in the original definition of the word than the media-hijacked cracker synonym – and this year is no exception, with the news that the Massachusetts Transit Authority has been granted an injunction preventing three erstwhile hackers from distributing their presentation “Anatomy of a Subway Hack.”

According to CNet, the three MIT undergraduates – Russell Ryan, Zack Anderson, and Alessandro Chiesa – were scheduled to give a presentation on Sunday regarding their successful attempts to “completely break the CharlieCard,” a radio-frequency ID tag-based system used by the Massachusetts Bay Transportation Authority on the Boston T subway system – pretty much the Massachusetts equivalent to the Oystercard system used here in the UK. In traditional Defcon style, the planned presentation was to be accompanied with the release of software they had developed to hack the CharlieCard system.

Based around the MiFare Classic RFID – the same as used by the Oystercard - system which is already known to be flawed, the information on how to modify, crack, and bypass the CharlieCard is already out there – or can be readily surmised. Indeed, NXP's MiFare Classic has been referred to as “kindergarten cryptography” by expert Bruce Schneier on his blog, in which he claims that “anyone with any security experience would be embarrassed to put his name to the design.

With the judgement coming down from on-high that the talk is to be nixed, the Electronic Frontier Foundation has got involved with claims that the gag order is “violating their First Amendment rights” and talk of an appeal to be lodged. There certainly seems to be grounds, too: even ignoring the fact that the gist of the presentation – that the MiFare Classic system used by the CharlieCard is completely insecure – is already public knowledge, there still seems to be no real reason for the Transit Authority to be stomping on the report. If anything, by going to the lengths of a court-mandated gag order the Authority is ensuring that the news of the system's insecurity will spread much farther than it would ever have at Defcon.

The plot thickens, too, when you learn that the researchers has requested that their professor contact the Authority ahead of the publication of their findings specifically to avoid this kind of knee-jerk reaction. Due to staff absence, this contact never happened – and when the Authority got wind of the research they responded in amazingly heavy-handed fashion – calling the FBI to investigate the students and their actions.

Although the Authority claims in its filing with the court that the disclosure of the research would “constitute a threat to public health or safety”, its real motives are plain to see in the request that the judge prevent the students “from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised.” That's not an order to prevent them issuing a cookbook how-to so high-tech hooligans can defraud the system – that's an order to prevent them from even insinuating that the CharlieCard system just might have a hole the size of a double-decker bus in its security system. Clearly the Authority is thinking more about its public image than about the possible harm that might come to the system itself from such information.

Which isn't to say that the students themselves are blameless in all this: according to CNet, the original PowerPoint presentation regarding the research – which has already been distributed to Defcon ticket holders as part of their conference pack – contains the notation that “THIS IS VERY ILLEGAL! So the following material is for educational use only.

Yeah. Probably not the best thing for a court to see, chaps.

As it stands, the students will not be giving their talk any time in the future – but with the presentation already available on the 'net, does the gag order really serve a non-punitive purpose?

Do you agree that the students have crossed the line, or should the Authority be concentrating less on what a bunch of hackers may or may not know and more on actually securing the system before one of those “threats to public health or safety” happens? Share your thoughts over in the forums.

6 Comments

Discuss in the forums Reply
liratheal 11th August 2008, 09:13 Quote
While I could understand if the Transit Authority chaps wanted to round-file this presentation for the sake of the system not being abused by people that way inclined, aren't they likely to lose more money though legal fees than they would if this was just ignored?

It's not like Defcon presentations are going to make huge news - I doubt if anyone would bother picking the story up if there weren't any legal goings on.
Mentai 11th August 2008, 10:14 Quote
So whats the security compromise? If it's just using the subway for free, this is a big over reaction. If you can do something more, I don't think it should be made public in anyway except that there is a compromise, and the students could go on their payrole to help fix it?
liratheal 11th August 2008, 10:25 Quote
Quote:
Originally Posted by Mentai
So whats the security compromise? If it's just using the subway for free, this is a big over reaction. If you can do something more, I don't think it should be made public in anyway except that there is a compromise, and the students could go on their payrole to help fix it?

Flicking through the slides it seems to be more focused on how easy it is to defraud the system and, as one of the slides puts it, 'get free subway rides for life'.

The warcart picture I've seen is hardly.. Subtle, though.
TreeDude 11th August 2008, 14:43 Quote
Even with the info on the net, it is only going to be a few people who actually use it for free rides. They should just use the info to fix the hole and move on.
DXR_13KE 11th August 2008, 15:05 Quote
with this they have taken a spotlight the size of the moon and pointed it to the flaw, that is great thinking guys!!!
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums