Transport card security flaw sparks disclosure row
A row has erupted over the disclosure of security vulnerabilities, as students won a legal battle to publish details of how to hack subway transportation systems.
MIT students Zack Anderson, RJ Ryan, and Alessandro Chiesa were originally scheduled to give a presentation at the Defcon hacker conference explaining how they had compromised the Massachusetts Bay Transportation Authority’s Charlie Ticket magstripe card and ‘CharlieCard’ RFID token, both used to store ticket information. The MBTA was granted an injunction preventing the talk (although it came too late to pull the students’ presentation slides from the conference materials).
The MBTA then attempted to extend the injunction by five months, to give itself time to take remedial measures, and asked the students to hand over what it called ‘key materials’: the software tools that the researchers said could be used to compromise its systems.
This is the second public to-do over the security of MiFARE, an RFID technology used in several transportation authority cards, including the CharlieCard and the UK’s Oyster Card. In July 2008, Dutch researchers who had cracked the cryptographic algorithm of the MiFARE card by examining the card’s gates using an electron microscope also won the right to publish their findings.
The Electronic Frontier Foundation has been defending the MIT students as part of its Coders’ Rights initiative, launched in August at Defcon’s sister conference, Black Hat. The project seeks to protect security researchers who might otherwise be deterred from investigating or revealing security flaws by the Digital Millennium Copyright Act or the Computer Fraud and Abuse Act.
Bruce Potter, founder of the Shmoocon security conference, praised the MIT researchers for their responsible disclosure, arguing that the multiple layers of academic review that would have preceded the submission of the presentation material to Defcon helped to enforce it.
“The broad security research community (academic, not for profit, and commercial) has really seen a shift in disclosure processes in the last few years,” said Potter, adding that vendors were pressuring researchers more aggressively: “Researchers seem to be not disclosing, or selling the information, or just getting out of the scene altogether.”