Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back
from the yeah,-that'll-work dept
You would think after years and years of it backfiring every time some scared organization tries to shut down a talk concerning their security vulnerabilities, that people wouldn’t even bother any more. But never underestimate the short-sightedness of some execs. The Massachusetts Bay Transportation Authority uses a magnetic strip card system to access the subway system in Boston. That system is not particularly secure, and some enterprising MIT students planned to demonstrate just how weak the security was on the system this weekend at the Defcon conference… until the MBTA convinced a judge to ban the presentation and demand that all copies of the presentation not be released — which is problematic since all attendees at the conference already obtained CDs with a copy of the presentation. Also, somewhat ironically, a copy of the presentation was entered in as evidence in the case, and that copy is now publicly available as part of the court records system. Oops.
Of course, even if the court had actually been able to stop the distribution of the presentation, it’s silly to think that this would have stopped the dissemination of the methods for hacking the system. The truth is that the MBTA’s system uses woefully weak security, and rather than doing anything to strengthen it, it has to threaten some bright MIT students and get a court order to pretend that such security vulnerabilities don’t exist. And, of course, in doing this, all the MBTA has really done is painted a huge target on its back. Perhaps it should have just focused on making its system a bit more secure instead.
Comments on “Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back”
I want one
So, not having a pacer account, how can I get a copy of these court records?
Just so I can say I have a copy.
Re: Court Records (was I want one)
Court documents in DEFCON prior restraint case, courtesy of MIT’s The Tech.
is that what we call the ostrich defense?
Re: Re:
no – obviously they are using the Streisand effect to advertise their fine subway – using this talk to allow engineers and hackers to travel at new, subsidised prices. I wonder is it possible to get a refund on unused credit?
What the hell?
Standing aside from the usual idiocy of an agency trying to hide its crappy security, what is wrong with our law schools? Did these lawyers not realize any evidence entered into the court becomes public record?
For those interested, here is the “controversial” MBTA presentation from DefCon this weekend (PDF), along with the MBTA’s *public* court filings related to the TRO, and a copy of a ‘confidential’ report made to the MBTA by the same presenters that apparently is dated 8 August as shown on Wired’s website late Friday and was also part of the court filing.
http://infowarrior.org/users/rforno/mirror/
More info:
Wired’s coverage:
http://feeds.feedburner.com/~r/wired27b/~3/360219474/injunction-requ.html
The Streisand Effect strikes again — same stuff, different year.
Somewhere on the internet this can be found. Google is your friend.
But why oh why does MBTA not hire the university for some low price to secure the whole damn thing?? Either they are really stupid, and those kids should have their jobs, or there’s cronyism afoot and they’re really really stupid and those kids should have their jobs.
I bet/hope those kids get better jobs than working for MBTA.
Interesting presentation, I enjoyed reading the documents
You would think...
That the T would be very interested in replacing their current IT professionals with these MIT students!
Good point about the refund on unused credit; hadn’t thought of that angle before!
MTA Hackers
I didn’t see the background to this, but as a former journalist (OK … former newscaster) and now Public Information Guy with Boston’s counterpart in Vancouver BC, I have some questions about the events leading up to this court injunction. Did the MTA and MIT students discuss this before it went public? Did any journalists involved try to act as a go-between before running with the story? There have been instances in Vancouver — not involving my agency, happily — where reporters have suddenly ambushed a local agency by running a story that information that could compromise security has been posted on the Internet or (worse) is actually obtainable through that agency’s website. Proper course of action for the students: bring the concerns to the agency’s attention, then give the agency a week, say, to commit to addressing them or else then, they go to the media — or go public in some way. So my overall question is, are the MIT students acting in the public interest, or just a bunch of know-it-all kids trying to show off how much smarter they are than The Man?
Re: MTA Hackers
Prior restraints against speech or the press are most emphatically not in the public interest. Prior restraints are legally presumed to be unconstitutional. In other words, the burden is on the party seeking the prior restraint to show that it comports with our constitutional scheme. The Supreme Court has never upheld a prior restraint.
In legal circles Alexander v. United States has been recognized for its explanation of prior restraints. From that opinion:
(Citation omitted.)
Remember the Pentagon Papers case.
The public interest is best served by federal judges who uphold the Constitution.
Re: MTA Hackers
I could be wrong, but I think I read that the students contacted the MBTA regarding this presentation and all they got in return was that they had been reported to the FBI, and now were under investigation.
Re: MTA Hackers
As has already been mentioned, prior restraint, particularly on security issues, whether or not they involve MBTA or TransLink, the agency I assume you work for, most definitely isn’t in the public interest.
It’s rarely in the interest of the agency either.
It’s also been noted that the students (“know-it-all-kids”) and their Prof at MIT notified the agency involved of their intention to reveal the vulnerabilities at DEFCON.
I don’t know how many times it has to be said before people, be they lawyers or TransLink PR hacks, understand that “security by obscurity” simply does not work. Ever.
Exhibits A-Z and beyond on that point? Microsoft Windows and accompanying programs such as Outlook Express and Internet Explorer.
ttfn
John
For all those stating the MtA should hire these students STFU.
The companies supplying these card systems know all too well the vulnerabilities that exist. It is just too expensive to eliminate the threat entirely. Trade offs due to IC cards requiring power yet having no internal power supply (inductive coupling), PKI management, and the need for speed are just some of the issues at hand.
The MIT students didn’t discover anything previously unknown, get over yourselves (as you obviously identify with the students).
Presentation or not, very few people could reproduce this “hack” without significant know-how. And then, the system will catch pirated cards in short order and deactivate them.
Re: Re:
“STFU, It’s a known problem, it’s not a problem.”
Well, no worries then, right?
Re: Re:
“Presentation or not, very few people could reproduce this “hack” without significant know-how.”
Um . . . All it would take would be a Google search, & a moderate level of intelligence to obtain the know-how.
“And then, the system will catch pirated cards in short order and deactivate them.”
One time access is all a person needs to cause a large amount of damage.
In any case Boston authorities have never been the brightest; do we all remember the Aqua Teen Hunger Force incident?
@ChuckHatesTucker
Mifare has been around for over a decade and is being phased out. It’s not as if anyone is at risk except the MBTA, so what is your concern exactly? It’s their loss.
@Esahc
I’m sure you already possess the required FPGA programming skills and cryptographic knowledge, but it may surprise you to know it is not widespread. Not as easy as you think.
They:
– bought a $1000 radio, with discrete component design
– utilized GNU radio (not simple to understand)
– Used said radio to sniff
– Used an FPGA board to brute force to crack
– Were able to read, write and clone
There is a whole lot of research required to get to this point, and the pay off is very small.
Not only is there value stored on the card, but it is cross referenced in the evening to audit and assure card balances match those of the database. De-activating all cards that have balances different from what the database lists is trivial.
“One time access is all a person needs to cause a large amount of damage.”
Yeah, someone might get a full day’s worth of rides for free, ZOMG! The sky is falling!
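The nightly balance audit described in the comment above can be sketched as follows. This is an added example, not part of the original comment and not the MBTA's or any vendor's code; the card IDs, record layout, per-card tap counter and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real fare records). Amounts are in cents.
# Back-end ledger: every value load (+) and fare deduction (-) the operator processed.
LEDGER = [
    ("card-A", +2000), ("card-A", -170), ("card-A", -170),
    ("card-B", +1000), ("card-B", -170),
    ("card-C", +500), ("card-C", -170),
]
# Balances the cards reported at gates: (card, seq, balance after the tap).
# seq is an assumed per-card tap counter so late gate uploads can be ordered.
GATE_TAPS = [
    ("card-A", 2, 1660), ("card-A", 1, 1830),  # uploaded out of order
    ("card-B", 1, 830),
    ("card-C", 1, 9830),  # card claims more value than was ever loaded
    ("card-D", 1, 400),   # card the ledger has never seen
]

def expected_balances(ledger):
    """Sum ledger entries per card to get the balance the back end expects."""
    totals = defaultdict(int)
    for card, delta in ledger:
        totals[card] += delta
    return dict(totals)

def last_reported(taps):
    """Keep the highest-sequence tap per card, regardless of upload order."""
    latest = {}
    for card, seq, balance in taps:
        if card not in latest or seq > latest[card][0]:
            latest[card] = (seq, balance)
    return {card: balance for card, (_, balance) in latest.items()}

def reconcile(ledger, taps, tolerance=0):
    """Return {card: reason} for cards whose stored value disagrees with the ledger."""
    expected, reported = expected_balances(ledger), last_reported(taps)
    flagged = {}
    for card, balance in reported.items():
        if card not in expected:
            flagged[card] = "unknown card"
        elif abs(balance - expected[card]) > tolerance:
            flagged[card] = f"card says {balance}, ledger says {expected[card]}"
    return flagged

# Cards to deactivate at the gates the next morning.
DENY_LIST = sorted(reconcile(LEDGER, GATE_TAPS))
```

A check like this only runs after the day's taps are collected, so a mismatched card stays usable until the next deny-list is pushed to the gates.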
Re: Re:
I concede to your point regarding the knowledge involved, but are we talking free rides or access to back rooms & secure areas?
Okay, Phil...
…good point there. The hack is clearly not so easy to reproduce as to result in widespread abuse (read: loss of revenue)
So…ummm…doesn’t that just make the case that the MBTA response was even stupider than it at first appears?
for the lulz
The presentation is also available through the MIT web site.
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
And, of course, there’s a torrent.
http://thepiratebay.org/torrent/4336556/Banned_Defcon_Presentation_on_CharlieCard_Hacks_n_cracks
So Why Not Make It Free?
As you will see from the link below, transit systems are not usually able to collect fares amounting to more than half of their expenses. Sometimes the figure is a lot less. At that level, even collecting fares becomes counterproductive, particularly when the external costs of automobiles are taken into account. Transit systems are run at a loss, as a public good. The kind of people who use them a lot, students, old-age pensioners, etc., are generally entitled to really deep discounts. Why not just make the transit system free?
http://en.wikipedia.org/wiki/Farebox_recovery_ratio
Considering I’d never have known about this hack otherwise, thanks for the suing!
Also, I doubt 99.9% of people even know WTF the article is talking about much, much less how to reproduce any of the hacks after having read the info.
same story from last thursday
This is the story I commented about in last Thursday’s Streisand Effect versus security through obscurity, here. So the going rate is one or two a week now.
If someone finds a big hole in your system, whatever you do, don’t sue them over it. Attend their presentation, and quietly fix the hole they found. When no one else can come in and exploit it, they’ll be the laughing stock of the conference. You’ll be more secure and have fewer attackers, you win twice.
Not even at the level of an ordinary injunction
This case doesn’t even rise to the level of an ordinary injunction. An injunction is only supposed to be granted if there will be irreparable harm to the plaintiff if the defendant goes ahead with the action they are being sued over. In this case, the transit authority at worst stands to have people riding who didn’t pay. It won’t increase their costs one iota because they’re going to run the same trains they always do; added passengers don’t cost any extra to carry. It probably won’t decrease their revenue much because I suspect those who use the hack will ride for free just to prove they can, not because they are avoiding payment of a fare that they would have otherwise paid. And even if they do lose money, they have the option of suing the defendants for the damages. Maybe they won’t get it all back, but if a transit system can be harmed by a reduction in paid fares, they would have all disappeared long ago.
So there’s not only not “irreparable harm”, there’s darn near no harm at all. And for this some judge wants to throw away the concept of free speech?