Published in News

M.I.T. students hack MBTA transit system

by on11 August 2008

Image

MBTA obtains court order

The Massachusetts Bay Transportation Authority (MBTA) has sued three students from the Massachusetts Institute of Technology (M.I.T.) and M.I.T. itself to prevent a presentation that discloses flaws in the MBTA’s electronic ticketing subway system.

The lawsuit alleges that the student presentation at the Defcon Conference would cause significant damage to the MBTA's transit system, in particular, its ticket sales.  The U.S. District Court agreed, and granted a temporary injunction to the MBTA.

In a presentation that was distributed ahead of time to Defcon attendees, the students described a method that could be used to gain free access to Boston's transit system. The presentation pointed out physical security problems they found with the system, such as unlocked gates and unattended surveillance booths, and claim they accessed fiber switches connecting fare vending machines to the unlocked network. 

The presentation also described techniques to clone and reverse-engineer the MBTA's CharlieTicket magnetic stripe tickets and CharlieCard smartcards.

M.I.T. students, Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa were scheduled to talk about "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems" at the Defcon conference on Sunday. They received a project grade of "A" in their class at M.I.T.

In court paperwork, the MBTA says that 68 percent of its riders use CharlieCard, which earns the MBTA nearly $475,000 per weekday. The M.I.T. students refused to give the MBTA information about the security flaws in its system ahead of the talk, according to the pleadings. The MBTA was tipped off ahead of time that the talk was scheduled by one of its vendors and went to court.

But wait, there’s more!

The Electronic Frontier Foundation (EFF) has announced that it will file an appeal of the U.S. District Court order injunction on the Defcon presentation on behalf of M.I.T. students. EFF senior staff attorney, Kurt Opsahl, said they were joining the action because, "The court ultimately came to a very, very wrong conclusion. The first notice that the MBTA provided that they were going to the court was after they had gone to the court."

"The statute on its face appears to be discussing sending code programs or similar type of information to a computer and does not appear to contemplate somebody who is giving a talk to humans," Opsahl said.
He went on to state that the temporary restraining order granted by the Court "reflects the court's view that they believe that the Massachusetts Bay Transit Authority was likely to succeed on the merits -- we think that's actually not the case. Some of the material in the students' talk regarding security problems with the MBTA's electronic ticketing system had been previously reported in the Boston Globe and Boston Herald newspapers.”

"Courts have found that the First Amendment covers these things," Opsahl said. "We believe that this is a protected speech activity. When you discuss security issues, if you are telling the truth, that is something that should be protected."

Stay tuned.

Last modified on 20 August 2008
Rate this item
(0 votes)