A federal court judge lifted a gag order on Tuesday against three Massachusetts Institute of Technology students that prevented the trio from talking about flaws that they found in the tickets and electronic payment cards used by Boston's subway and bus lines.
The students, who were scheduled to talk about their research at the DEFCON hacking conference nine days ago, had to forgo their talk after the Massachusetts Bay Transit Authority (MBTA) won a temporary restraining order preventing them from discussing details of their research. The MBTA had filed a civil lawsuit against the three students -- Zack Anderson, Russell Ryan and Alessandro Chiesa -- and the university, claiming that they violated computer crime laws by analyzing the transit authority's Charlie Ticket and Charlie Card payment system.
The Electronic Frontier Foundation (EFF) represented the three students under its Coders' Rights Project.
"The only thing keeping the students and the MBTA from working together cooperatively to resolve the fare payment card security issues is the lawsuit itself," Kurt Opsahl, a senior staff attorney with the EFF, said in a statement announcing the decision. "The MBTA would be far better off focusing on improving the MBTA's fare payment security instead of pursuing needless litigation."
Attempting to silence researchers by threatening legal action has rarely worked for companies. In 2005, networking giant Cisco Systems forced the Black Hat Security Briefings to rip a talk by security researcher Michael Lynn from the conference proceedings. However, Lynn still gave the talk and received far more media coverage than he would have otherwise. Other researchers have also attracted legal action from companies intent on keeping them mum on details of flaws in wireless drivers and in radio-frequency ID cards.
In the MIT case, the gag order did little good, as the DEFCON conference's CD contained the students' presentation, as did the MBTA's public court filing. According to the undergraduates' presentation, they were able to reverse engineer the magnetic stripes and RFID chips used by the MBTA as part of its Fare Media system. In addition, they found numerous physical security vulnerabilities -- such as unattended terminals and open network access boxes -- and created general tools for breaking the security of Mifare RFID cards used by transportation services in at least a dozen cities.
While the judge vacated the temporary restraining order, the students continue to face the lawsuit filed by the MBTA. The students have presented a 30-page analysis of the security of the transport authority's system and offered to discuss the vulnerabilities and possible remedies with the company, according to the EFF.
Posted by: Robert Lemos