LAS VEGAS -- The Massachusetts Bay Transit Authority (MBTA), which runs bus and subway service in the Greater Boston area, successfully sued three undergraduate students and the Massachusetts Institute of Technology on Saturday, preventing the students from detailing the results of a systematic attack on the transportation agency's payment card system.
In court documents filed on Friday, the MBTA had asked for legal and financial relief on seven counts that it maintains the students -- Zack Anderson, Russell Ryan and Alessandro Chiesa -- and the university violated in doing the research. In particular, the agency asked for a temporary restraining order to prevent the students from presenting at the DEFCON conference on Sunday as well as attorneys' fees and treble damages for any harm done to the system. A federal judge for the U.S. District Court of Massachusetts granted the injunction on Saturday, and the DEFCON conference organizers announced the talk had been cancelled.
In the court filings, the MBTA maintains that the students did not contact the agency, violating commonly accepted "responsible disclosure" principles, and that they stated in the original description of their talk that attendees could get "free subway rides for life." After contacting law enforcement, MBTA officials met with the students and their professor, noted encryption expert Ronald Rivest, but the researchers would not give them details of their planned talk.
"The MIT Undergrads stated that they did not intend to harm the MBTA," the agency said in its filing. "Despite this statement, and the MBTA's request, the defendants have not provided the MBTA with a copy of the materials that the MIT Undergrads plan to present."
The materials are present, however, on the DEFCON conference's CD and were also included in the MBTA's public court filing along with a white paper authored by the three students that contains recommendations for mitigating the issues. According to the undergraduates' presentation, they were able to reverse engineer the magnetic stripes and RFID chips used by the MBTA as part of its Fare Media system. In addition, they found numerous physical security vulnerabilities -- such as unattended terminals and open network access boxes -- and created general tools for breaking the security of Mifare RFID cards used by transportation services in at least a dozen cities.
The EFF represented the three undergraduate students. Neither the EFF nor the students could immediately be reached for comment.
Posted by: Robert Lemos