Three MIT undergraduates who found weaknesses in the fare cards for Boston’s subway system had planned to give a talk about their work at a hackers’ conference in Las Vegas this weekend. But on Friday the Massachusetts Bay Transit Authority sued the students and MIT to stop the speech, and on Saturday morning a federal judge slapped the students with a 10-day restraining order to keep their mouths shut.
The MBTA said that they needed time to investigate the students’ claims and, if they were true, to try to correct them before sensitive information got out via the students’ slide show presentation. One slide explains that the presentation would teach attendees how to generate fare cards, reverse engineer magnetic stripes on cards and hack radio frequency identification (RFID) cards. The next slide says: “And this is very illegal! So the following material is for educational use only” [AP].
Zack Anderson, one of the students in question, said he and his colleagues contacted MBTA to talk about their findings so transit officials could figure out how to respond. “We felt like the issue was resolved. That was verbally affirmed in a Monday meeting. Then Friday we find out there’s a federal lawsuit against us” [Boston Herald]. The students also said they planned to leave out key bits of information that would’ve allowed people to steal free subway rides.
The case took a couple more turns over the weekend. An Internet civil liberties organization called the Electronic Frontier Foundation took up the students’ case, saying the judge had erred in allowing a gag order. The students missed their speaking time yesterday thanks to the restraining order, but EFF says it plans to keep fighting the injunction.
In the end, the MBTA likely brought more publicity to their woes than they ever would’ve received if they’d just let the students be. In a declaration to the courts, the MBTA publicly released a “vulnerability assessment” they received from the students on the day of the lawsuit, which seemed to defeat the whole purpose of suing the students to begin with: Ironically, the document reveals more about the vulnerability in the MBTA system than the slides that the restraining order sought to suppress contain [Wired]. (You can read it here [pdf]). And if you were curious about the slide show, The Tech, MIT’s student newspaper, published it online [pdf] for all to see.