Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back

from the yeah,-that'll-work dept

You would think after years and years of it backfiring every time some scared organization tries to shut down a talk concerning their security vulnerabilities, that people wouldn’t even bother any more. But never underestimate the short-sightedness of some execs. The Massachusetts Bay Transportation Authority uses a magnetic strip card system to access the subway system in Boston. That system is not particularly secure, and some enterprising MIT students planned to demonstrate just how weak the security was on the system this weekend at the Defcon conference… until the MBTA convinced a judge to ban the presentation and demand that all copies of the presentation not be released — which is problematic since all attendees at the conference already obtained CDs with a copy of the presentation. Also, somewhat ironically, a copy of the presentation was entered in as evidence in the case, and that copy is now publicly available as part of the court records system. Oops.

Of course, even if the court had actually been able to stop the distribution of the presentation, it’s silly to think that this would have stopped the dissemination of the methods for hacking the system. The truth is that the MBTA’s system uses woefully weak security, and rather than doing anything to strengthen it, it has to threaten some bright MIT students and get a court order to pretend the such security vulnerabilities don’t exist. And, of course, in doing this, all the MBTA has really done is painted a huge target on its back. Perhaps it should have just focused on making its system a bit more secure instead.

Filed Under: , , , , ,
Companies: mbta

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back”

Subscribe: RSS Leave a comment
Anonymous Coward says:

For those interested, here is the “controversial” MBTA presentation from DefCon this weekend (PDF), along with the MBTA’s *public* court filings related to the TRO, and a copy of a ‘confidential’ report made to the MBTA by the same presenters that apparently is dated 8 August as shown on Wired’s website late Friday and was also part of the court filing.

More info:

Wired’s coverage:

The Streissand Effect strikes again — same stuff, different year.

mediaempyre says:

Somewhere on the internet this can be found. Google is your friend.
But why oh why does MBTA not hire the university for some low price to secure the whole damn thing?? Either they are really stupid, and those kids should have their jobs, or there’s cronyism afoot and they’re really really stupid and those kids should have their jobs.

Drew Snider says:

MTA Hackers

I didn’t see the background to this, but as a former journalist (OK … former newscaster) and now Public Information Guy with Boston’s counterpart in Vancouver BC, I some questions about the events leading up to this court injunction. Did the MTA and MIT students discuss this before it went public? Did any journalists involved try to act as a go-between before running with the story? There have been instances in Vancouver — not involving my agency, happily — where reporters have suddenly ambushed a local agency by running a story that information that could compromise security has been posted on the Internet or (worse) is actually obtainable through that agency’s website. Proper course of action for the students: bring the concerns to the agency’s attention, then give the agency a week, say, to commit to addressing them or else then, they go to the media — or go public in some way. So my overall question is, are the MIT students acting in the public interest, or just a bunch of know-it-all kids trying to show off how much smarter they are than The Man?

a says:

Re: MTA Hackers

Prior restraints against speech or the press are most emphatically not in the public interest. Prior restraints are legally presumed to be unconstitional. In other words, the burden is on the party seeking the prior restraint to show that it comports with our constitutional scheme. The Supreme Court has never upheld a prior restraint.

In legal circles Alexender v United States has been recognized for its explanation of prior restraints. From that opinion:

The term “prior restraint” is used “to describe administrative and judicial orders forbidding certain communications when issued in advance of the time that such communications are to occur.” Temporary restraining orders and permanent injunctions-i. e., court orders that actually forbid speech activities-are classic examples of prior restraints.

(Citation omitted.)

Remember the Pentagon Papers case.

The public interest is best served by federal judges who uphold the Constition.

John Wilson (profile) says:

Re: MTA Hackers

As has already been mentioned prior restraint, particularly on security issues whether or not they involve MTBA or TransLink, the agency I assume you work for is most definitely isn’t in the public interest.

It’s rarely in the interest of the agency either.

It’s also been noted that the students (“know-it-all-kids”) and their Prof at MIT notified the agency involved and of their intention to reveal the vulnerabilities at DEFCON.

I don’t know how many times it has to be said before people, be they lawyers or TransLink PR hacks understand the “security by obscurity” simply does not work. Ever.

Exhibits A-Z and beyond on that point? Microsoft Windows and accompanying programs such as Outlook Express and Internet Explorer.



Phil says:

For all those stating the MtA should hire these students STFU.

The companies supplying these card systems know all to well the vulnerabilities that exist. It is just too expensive to eliminate the threat entirely. Trade offs due to IC cards requiring power yet having no internal power supply (inductive coupling), PKI management, and the need for speed are just some of the issues at hand

The MIT students didn’t discover anything previously unknown, get over yourselves (as you obviously identify with the students).

Presentation or not, very few people could reproduce this “hack” without significant know-how. And then, the system will catch pirated cards in short order and deactivate them.

Esahc (profile) says:

Re: Re:

“Presentation or not, very few people could reproduce this “hack” without significant know-how.””

Um . . . All it would take would be a Google search, & a moderate level of intelligence to obtain the know-how.

“And then, the system will catch pirated cards in short order and deactivate them.”

One time access is all a person needs too cause a large amount of damage.

In any case Boston authorities have never been the brightest; do we all remember the Aqua Team Hunger Force incident?

Phil says:

Mifare has been around for over decade and is being phased out. It’s not as if anyone is at risk except the MBTA, so what is your concern exactly? It’s their loss.

I’m sure you already possess the required FPGA programming skills and cryptographic knowledge, but it may surprise you to know it is not widespread. Not as easy as you think.
– bought a $1000 radio, with discrete component design
– utilized GNU radio (not simple to understand)
– Used said radio to sniff
– Used an FPGA board to brute force to crack
– Were able to read, write and clone
There is a whole lot of research required to get to this point, and the pay off is very small.

Not only is there value stored on the card, but it is cross referenced in the evening to audit and assure card balances match those of the database. De-activiating all cards that have balances different from what the database lists is trivial.

“One time access is all a person needs too cause a large amount of damage.”
Yeah, someone might get a full days worth of rides for free, ZOMG! The sky is falling!

Andrew D. Todd (user link) says:

So Why Not Make It Free?

As you will see from the link below, transit systems are not usually able to collect fares amounting to more than half of their expenses. Sometimes the figure is a lot less. At that level, even collecting fares becomes counterproductive, particularly when the external costs of automobiles are taken into account. Transit systems are run at a loss, as a public good. The kind of people who use them a lot, students, old-age pensioners, etc., are generally entitled to really deep discounts. Why not just make the transit system free?

another mike says:

same story from last thursday

This is the story I commented about in last Thursday’s Streisand Effect versus security through obscurity, here. So the going rate is one or two a week now.
If someone finds a big hole in your system, whatever you do, don’t sue them over it. Attend their presentation, and quietly fix the hole they found. When no one else can come in and exploit it, they’ll be the laughing stock of the conference. You’ll be more secure and have fewer attackers, you win twice.

Biz Modl (profile) says:

Not even at the level of an ordinary injunction

This case doesn’t even rise to the level of an ordinary injunction. An injunction is only supposed to be granted if there will be irreparable harm to the plaintiff if the defendant goes ahead with the action they are being sued over. In this case, the transit authority at worst stands to have people riding who didn’t pay. It won’t increase their costs one iota because they’re going to run the same trains they always do; added passengers don’t cost any extra to carry. It probably won’t decrease their revenue much because I suspect those who use the hack will ride for free just to prove they can, not because they are avoiding payment of a fare that they would have otherwise paid. And even if they do lose money, they have the option of suing the defendants for the damages. Maybe they won’t get it all back, but if a transit system can be harmed by a reduction in paid fares, they would have all disappeared long ago.

So there’s not only not “irreparable harm”, there’s darn near no harm at all. And for this some judge wants to throw away the concept of free speech?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...