D. Mass: MIT Students’ Security Presentation Merits Temporary Restraining Order
By Jon Choate – Edited by Dan Ray
On August 9th, Judge Woodlock of the U.S. District Court, District of Massachusetts granted the Massachusetts Bay Transportation Authority (“MBTA”) a temporary restraining order against Zack Anderson, RJ Ryan, and Alessandro Chiesa, undergraduates at the Massachusetts Institute of Technology (“MIT”). The order “enjoined and restrained” the undergraduates from “providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security” of the MBTA fare system’s CharlieCard and CharlieTicket. CharlieCards are reusable stored-value cards, which allow Boston subway riders access at ticket terminals by waving the card over a designated reader. The system operates wirelessly, and allows riders to add money to their cards both at subway terminals and through online accounts.
Anderson, Ryan and Chiesa reportedly uncovered several vulnerabilities in the MBTA’s CharlieTicket system while doing research for a Computer and Network Security class. Using this research, the students devised a way in which the CharlieCards can be reprogrammed using $200 worth of equipment; theoretically, this method could increase the stored value on a card to more than $600. The students also discovered that the CharlieCards, which store balance and other information internally, can be read using non-MBTA wireless equipment. Furthermore, according to documents on their research, the three had written software capable of generating and analyzing CharlieCards in order to crack the card’s encryption.
The MIT students were scheduled to present their research at DEFCON, “one of the oldest running hacker conventions around.” It was this presentation which prompted the August 8th complaint filed by the MBTA against Anderson, Ryan and Chiesa and MIT. The complaint alleges that the students
“(i) claim to have circumvented the security features of the MBTA’s computerized CharlieTicket and CharlieCard fare media systems; (ii) publicly offered ‘free subway rides for life‘ to interested parties over the Internet; and (iii) plan to allow others to duplicate their claimed ‘breaking’ of the Fare Media’s security systems by presenting a paper, releasing software tools, and giving demonstrations at the DEFCON hackers convention this Sunday, August 10, in Las Vegas.”
The complaint further alleges that the students did not provide information regarding how they circumvented the security system to the MBTA and that public dissemination of the information before the MBTA has had an opportunity to correct the flaws will cause “significant damage to the MBTA’s transit system.”
The MIT Tech covers the story, noting that while the presentation at DEFCON was cancelled, the presentation slides and confidential vulnerability report the students wrote for the MBTA “are widely available online.” The Tech further reports that the students are being represented by the Electronic Frontier Foundation (EFF) and not by MIT’s lawyers.
In an August 9th press release, the EFF called the restraining order a violation of the students’ “First Amendment right to discuss their important research” and “blatantly unconstitutional.” According to the release, the students had planned to withhold a “key detail” of their results so that their research could not be used for malicious purposes.
A fact sheet released by the MBTA Press Office states
“The MBTA does not wish to detract from the MIT Undergrads First Amendment Rights or academic freedom. The principle that the MBTA seeks to enforce here is the principle of ‘responsible disclosure.’”
The MBTA describes “responsible disclosure” as an “industry accepted practice” where, when a computer security vulnerability is discovered, the vendor of the vulnerable system is first informed of the vulnerability and then given an opportunity to repair the vulnerability before the information is made public.
The MBTA fact sheet is available via the MIT Tech here, along with all court documents and the slides from the students’ presentation.
Parallel hosting of relevant documents by EFF available here.
Upon review before the district court on August 14th, Judge O’Toole left the restraining order in place, and ordered Anderson, Ryan and Chiesa to turn over additional documents to help the court evaluate whether the students could discuss their research publicly. The court continued the scheduled hearing until Tuesday, August 19th in order to consider this new information.
The Boston Globe reports on the case, including comments by both parties as well as background on the CharlieCard system.