MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities
David M. Templeton—The Tech
Marissa Vogt—The Tech
An MIT student project showing how anyone with a magnetic card writer can ride the Boston subway for free was not presented at this summer’s DEF CON hacker convention because of an emergency court order. But details sufficient to repeat the attack were published in open court documents by the Massachusetts Bay Transit Authority in its request for a restraining order.
On Aug. 19, a federal judge dissolved the gag order against three MIT students. The students’ legal counsel, the Electronic Frontier Foundation, called the decision a victory for free speech and a sign that a federal state does not prohibit talking about security vulnerabilities.
The MBTA said in court that they would need five months to fix the security flaws and asked for a court order to silence the students during that period. They argued that if they students discussed their research, they would violate the National Information Infrastructure Protection Act, which prohibits knowingly causing “the transmission of a program, information, code, or command” that intentionally damages a computer used in interstate commerce.
The students — legally represented by the EFF — argued that PowerPoint presentations and cards with magnetic stripes do not represent the kind of “program, information, code, or command” whose misuse the law was meant to prevent.
Judge George O’Toole Jr. sided with the students; he denied the request for a five-month injunction and dissolved the existing order.
Zackary M. Anderson ’09, Russell J. Ryan ’09, and Alessandro Chiesa ’09 planned to present research on Sunday, Aug. 10 that would have shown how the MBTA’s CharlieTicket could be reprogrammed to contain up to $655.36 using an inexpensive magnetic stripe writer. The students would also have discussed weaknesses in the CharlieCard.
The CharlieTicket vulnerabilities were discovered in the spring by a team of four Computer and Network Security (6.857) students working on a final project; the MBTA was not notified at the time. Three of the students are those named in the MBTA’s suit. The fourth student, Samuel G. McVeety G, did not participate in the DEF CON preparation, Anderson said, and was not named in the MBTA’s complaint. Anderson, Ryan, and Chiesa continued to research the CharlieCard and submitted their findings to DEF CON.
After the presentation was canceled, the presentation slides and a confidential report the students wrote for the MBTA became widely available online. This information, made public by the MBTA in open court filings, seems to show how anyone could copy a CharlieTicket or create a new one. It is unclear whether the students managed to copy or edit the content of the CharlieCard.
According to the presentation, the students wrote software to generate and analyze cards like the CharlieCard to crack encryption keys on those cards, and they wrote software to read and duplicate cards like the CharlieCard if their encryption key is known. That software was never put online.
For court documents and a copy of the presentation, which was distributed to all DEF CON attendees, see http://www-tech.mit.edu/V128/N30/subway/.
Did students get free T fare?
The MBTA’s original complaint says that they intend to sue the students on several charges. In “Count III: Conversion,” the complaint alleges that “the MIT Undergrads exerted dominion over MBTA’s property by traveling on the MBTA lines without paying fares.”
Anderson said in an e-mail that “we never rode the T for free.” But MBTA system logs showed that someone with a CharlieTicket “obtained MBTA transit services without proper payment,” according to a declaration filed by project manager Scott Henderson, who based his analysis on a photograph of a CharlieTicket in the students’ presentation that revealed identifying features.
If this MBTA court filing is accurate, then the students have discovered a genuine weakness in the system, and the MBTA’s system is capable of revealing fraud after the fact but does not prevent fraud.
Lawsuit surprised students
The lawsuit surprised many DEF CON attendees, who are accustomed to relatively cordial relations with software companies who are informed of security holes. It also surprised the students, who said they had until then gotten positive reactions from the MBTA.
The lawsuit was filed late on Friday, Aug. 8. But MBTA officials had been aware of the talk since at least July 30, when a vendor’s marketing representative told them about a description of the talk online at defcon.org.
The students were in contact with the MBTA since July 31 through Ronald L. Rivest, the 6.857 professor who oversaw their project. They had asked him about a week earlier to help them contact the MBTA about the vulnerabilities. According to the MBTA, Rivest did not know the students had submitted their research to DEF CON. Rivest could not be reached for comment.
On Monday, Aug. 4, an MBTA transit police officer and an FBI agent met with Rivest, two of the students, and an MIT staff attorney to discuss the planned presentation. According to a declaration filed by the transit police officer, Sergeant Detective Richard Sullivan, the students said they did not hack into the MBTA’s system, they did not defraud the MBTA, and their presentation would withhold information necessary to let other people repeat their findings.
The detective asked the students to summarize in writing all the weaknesses they found and explain how to fix those vulnerabilities. They promised to supply this writeup within two weeks.
“I did not request any other documents from the MIT Undergrads, and they did not offer to provide me with any other documents,” Sullivan said in his declaration.
Leaving the Monday meeting, the students felt that the issue had been resolved based on verbal comments and that they would not face legal action, Anderson said.
But on Friday afternoon, around the time the students delivered a confidential five-page vulnerability report, they learned the MBTA had filed a complaint in the Massachusetts federal district court. They then received legal representation from the EFF.
The students were not provided notice until the MBTA had already sent lawyers to the court to file the complaint, said Kurt Opsahl, a senior staff attorney for the EFF. EFF staff and the students worked throughout Friday night to prepare a response. “We haven’t slept since Thursday,” Anderson said Saturday afternoon. EFF attorneys participated in a Saturday morning hearing via teleconference.
On Saturday afternoon, Judge Douglas P. Woodlock issued an order prohibiting the students and “all persons in active concert or participation with any of them” from “providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.”
The slides and the vulnerability assessment report, made available in the MBTA’s complaint, revealed enough information to duplicate the students’ attack on CharlieTickets.
“The court’s order is an illegal prior restraint on legitimate academic research in violation of the First Amendment,” Jennifer Granickpeech, an EFF representative, said in a press release issued by the EFF. Nevertheless, the students cancelled their talk on the EFF’s advice.
The complaint lists Anderson, Ryan, and Chiesa as defendants. Early court documents listed MIT and numerous Institute administrators as defendants, but the court action to date has only considered the three students to be defendants. MIT attorneys have nevertheless paid close attention to the proceedings and have attended hearings. “We have aligned interests, but they’re not representing us,” Anderson said.
“We can’t comment on pending litigation,” said Pamela D. Serfes, an MIT News Office representative.
Responsible disclosure?
The students did not successfully talk with the MBTA about the problems they discovered until July 31, only 10 days before the research was to be proposed. (They tried to contact the MBTA through Rivest about a week earlier, but he did not get in touch until July 31.) Computer security researchers traditionally tell companies about problems they find, give them some time to correct the problems, and only then disclose the vulnerabilities in public, in a process called “responsible disclosure” within the community.
Security expert Phil Zimmerman said that traditionally researchers give at least a month after notification before they disclose a vulnerability in a software system. In hardware systems such as the MBTA’s magnetic-stripe and RFID card system, where fixing the vulnerability could possibly take more time, researchers usually offer more time, he said. “If it was me, I would’ve tried to give them more time to fix it,” Zimmerman said. But, he said, “public disclosure is a good thing,” because intense public scrutiny can help force people to fix systems.
Should security researchers explore systems which could be critical to security, like public transportation? Well, Zimmerman said, “try not to do anything that involves hiring a criminal defense lawyer.”
When an important problem has been discovered with little time until it is publicly announced, Zimmerman said, an organization like the MBTA should fix it immediately. Because lawsuits generally result in security vulnerabilities becoming even more visible, the MBTA should “be thinking a lot about engineering right now and not litigation,” in terms of loss mitigation, he said. If the system is irreparably broken, Zimmerman said, the MBTA might consider switching back to an older form of subway authentication: tokens.
“It’s very easy to fix,” said Brenno de Winter, a Dutch journalist and security analyst. “In the Netherlands, we’ve got a system that works. It’s called paper,” he said.
Dan Kaminsky, a security researcher who recently discovered a serious vulnerability in the domain name system underlying the Internet, said that the students’ disclosure could have been handled more gracefully. But the MBTA also responded inappropriately, he said, by suing the students instead of just asking for time.
Many computer software vendors are accustomed to learning of security vulnerabilities from researchers in the responsible disclosure model, Kaminsky said. “You can expect cooperation from software vendors in a way that you could not expect six years ago,” Kaminsky said. But the MBTA is not a software company, Kaminsky noted. They may never have before encountered people interested in testing their security for free, a common occurrence outside of the software realm, Kaminsky said. This was an unpredictable “first-contact scenario,” he said.
“If your goal is to limit discussion, this [restraining order] is not the way,” Kaminsky said. “Suppressing talks in a culture that values freedom of speech just highlights the speech you’re trying to suppress.”