An attempt to stop a group of MIT computer engineers from exposing a security flaw in Boston’s transportation system may be backfiring. The Massachusetts Bay Transportation Authority filed a suit to prevent the students from discussing their findings at Defcon 16, an annual hackers’ conference taking place in Las Vegas over the weekend. A judge ended up issuing a temporary restraining order that forced the students to cancel their presentation.
The team had discovered a way anyone could hack into CharlieCard — the automated fare system used for the T, Boston’s subway. The restraining order did keep them from presenting the hack at the conference; however, it’s caused the subject to garner international attention — and, because the MBTA filed the students’ paper as part of its complaint, it effectively led to the full text becoming readily available online.
The MIT students found that the CharlieCard system stored monetary value only on individual cards, not in any type of central database. Because of this, they say, anyone who buys reading/writing equipment — something easy enough to find on the Internet — could alter a card’s data and add hundreds of dollars in value.
“Our research shows that one can write software that will generate cards of any value up to $655.36,” the students write. “Anyone in possession of one of these cards can read, copy, reverse-engineer, and/or rewrite the data,” they continue.
The students — whose paper, incidentally, received an “A” at MIT — go on to explain that the current system uses no cryptographic signature algorithm to validate cards’ integrity and make sure they weren’t modified. They suggest implementing an auditing system as well as a central repository to maintain a database of card values. They also recommend implementing a cryptographically secure digital signature into the cards to keep hackers from altering their data.
“If cost were not an issue, the best way to fix problems with the CharlieCard is to merge a secure RFID (radio frequency identification) card,” the students suggest.
The case is quickly generating a debate over freedom of speech and whether the MBTA was out of line. One of the MIT students told the Boston Herald that he and his teammates did contact the organization beforehand and offer to show them how to resolve the flaw, saying they “felt like the issue was resolved” following a meeting last Monday. On Friday, however, they learned of the federal complaint.
“That’s routine,” W. Wat Hopkins, a communications studies professor at Virginia Tech specializing in free speech issues, told TechNewsWorld. “It certainly is prior restraint on the part of government, but my guess is it’s the kind of prior restraint that would be upheld on every level of court because it involves real damage to other people.”
The order simply gives the complainant — in this case, the MBTA — the opportunity to argue its point. Even though the students say they presented the findings in advance, they may not have given the MBTA enough time to adequately address the findings and find a solution.
“It’s a very, very touchy situation,” Hopkins noted. “Prior restraint by the government is a very arduous system to prove. The Supreme Court has said that any system of prior restraint is presumed to be unconstitutional, [so] the government has a heavy burden of proof to try to justify the system,” he said.
Essentially, Hopkins explained, the government must demonstrate that the publication of the information could do real damage in order to approve such an order. The ruling might not provide long-lasting protection, but it gives the filer a period of time to express its concern and process the data.
“[The order] might be overruled — but by that time, the conference is over and now they have to turn to a journal to try to publish their academic work,” Hopkins said.
Importance of Time
Clearly, the end result and the ultimate Internet-wide publication of the students’ find might not be what the MBTA wanted. It’s an effect, however, that security gurus such as Dan Kaminsky — the man who discovered the Internet-wide DNS flaw in July — have seen before.
“Suppressing speech in the United States has not worked well in recent times,” Kaminsky, an analyst with ICActive, told TechNewsWorld. “It ends up just calling out whatever it was that you were trying to block.”
It’s a courtesy, Kaminsky believes, to give a company enough time to respond to a flaw before exposing it. In his case, he opted to keep the details of his finding quiet for a full six months so the proper parties could find a fix before the news became widespread. Not taking those steps, Kaminsky said, can be detrimental to everyone involved.
“You’ve got to give people some time. If you don’t, you’re just giving enough warning to the lawyers and nothing else,” Kaminsky proposed.
“No one here is getting what they want,” he added. “That is always tragic to see.”