D. Mass: MIT Students’ Security Presentation Merits Temporary Restraining Order
By Jon Choate – Edited by Dan Ray
Mass. Bay Transp. Auth. v. Anderson
D. Mass., August 9th, 2008, No. 08-11364-GAO
Temporary Restraining Order (Hosted by EFF)
On August 9th, Judge Woodlock of the U.S. District Court, District of Massachusetts granted the Massachusetts Bay Transportation Authority (“MBTA”) a temporary restraining order against Zack Anderson, RJ Ryan, and Alessandro Chiesa, undergraduates at the Massachusetts Institute of Technology (“MIT”). The order “enjoined and restrained” the undergraduates from “providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security” of the MBTA fare system’s CharlieCard and CharlieTicket. CharlieCards are reusable stored-value cards that allow Boston subway riders access at ticket terminals by waving the card over a designated reader. The system operates wirelessly and allows riders to add money to their cards both at subway terminals and through online accounts.
Anderson, Ryan and Chiesa reportedly uncovered several vulnerabilities in the MBTA’s CharlieTicket system while doing research for a Computer and Network Security class. Using this research, the students devised a way in which CharlieCards can be reprogrammed using $200 worth of equipment; theoretically, this method could increase the stored value on a card to more than $600. The students also discovered that the CharlieCards, which store balance and other information internally, can be read using non-MBTA wireless equipment. Furthermore, according to documents describing their research, the three had written software capable of generating and analyzing CharlieCards in order to crack the card’s encryption.
The MIT students were scheduled to present their research at DEFCON, “one of the oldest running hacker conventions around.” It was this presentation which prompted the August 8th complaint filed by the MBTA against Anderson, Ryan and Chiesa and MIT. The complaint alleges that the students
“(i) claim to have circumvented the security features of the MBTA’s computerized CharlieTicket and CharlieCard fare media systems; (ii) publicly offered ‘free subway rides for life’ to interested parties over the Internet; and (iii) plan to allow others to duplicate their claimed ‘breaking’ of the Fare Media’s security systems by presenting a paper, releasing software tools, and giving demonstrations at the DEFCON hackers convention this Sunday, August 10, in Las Vegas.”
The complaint further alleges that the students did not provide information regarding how they circumvented the security system to the MBTA and that public dissemination of the information before the MBTA has had an opportunity to correct the flaws will cause “significant damage to the MBTA’s transit system.”
The MIT Tech covers the story, noting that while the presentation at DEFCON was cancelled, the presentation slides and confidential vulnerability report the students wrote for the MBTA “are widely available online.” The Tech further reports that the students are being represented by the Electronic Frontier Foundation (EFF) and not by MIT’s lawyers.