Thursday, August 14, 2008

Defcon: 'Subway Hack' talk gagged

The Defcon hacker conference always courts controversy – even though the visitors to said event fit more in the original definition of the word than the media-hijacked cracker synonym – and this year is no exception, with the news that the Massachusetts Transit Authority has been granted an injunction preventing three erstwhile hackers from distributing their presentation "Anatomy of a Subway Hack."

According to CNet, the three MIT undergraduates – Russell Ryan, Zack Anderson, and Alessandro Chiesa – were scheduled to give a presentation on Sunday regarding their successful attempts to "completely break the CharlieCard," a radio-frequency ID tag-based system used by the Massachusetts Bay Transportation Authority on the Boston T subway system – pretty much the Massachusetts equivalent to the Oystercard system used here in the UK. In traditional Defcon style, the planned presentation was to be accompanied with the release of software they had developed to hack the CharlieCard system.

Because the CharlieCard is based around the MiFare Classic RFID system – the same system used by the Oystercard – which is already known to be flawed, the information on how to modify, crack, and bypass the CharlieCard is already out there – or can be readily surmised. Indeed, NXP's MiFare Classic has been referred to as "kindergarten cryptography" by expert Bruce Schneier on his blog, in which he claims that "anyone with any security experience would be embarrassed to put his name to the design."

With the judgement coming down from on-high that the talk is to be nixed, the Electronic Frontier Foundation has got involved with claims that the gag order is "violating their First Amendment rights" and talk of an appeal to be lodged. There certainly seems to be grounds, too: even ignoring the fact that the gist of the presentation – that the MiFare Classic system used by the CharlieCard is completely insecure – is already public knowledge, there still seems to be no real reason for the Transit Authority to be stomping on the report. If anything, by going to the lengths of a court-mandated gag order the Authority is ensuring that the news of the system's insecurity will spread much farther than it would ever have at Defcon.

The plot thickens, too, when you learn that the researchers had requested that their professor contact the Authority ahead of the publication of their findings specifically to avoid this kind of knee-jerk reaction. Due to staff absence, this contact never happened – and when the Authority got wind of the research it responded in amazingly heavy-handed fashion, calling in the FBI to investigate the students and their actions.

Although the Authority claims in its filing with the court that the disclosure of the research would "constitute a threat to public health or safety", its real motives are plain to see in the request that the judge prevent the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised." That's not an order to prevent them from issuing a cookbook how-to so high-tech hooligans can defraud the system – that's an order to prevent them from even insinuating that the CharlieCard system just might have a hole the size of a double-decker bus in its security. Clearly the Authority is thinking more about its public image than about the possible harm that might come to the system itself from such information.

Which isn't to say that the students themselves are blameless in all this: according to CNet, the original PowerPoint presentation regarding the research – which has already been distributed to Defcon ticket holders as part of their conference pack – contains the notation that "THIS IS VERY ILLEGAL! So the following material is for educational use only."

Yeah. Probably not the best thing for a court to see, chaps.

As it stands, the students will not be giving their talk at any point in the future – but with the presentation already available on the 'net, does the gag order really serve any purpose other than a punitive one?

Do you agree that the students have crossed the line, or should the Authority be concentrating less on what a bunch of hackers may or may not know and more on actually securing the system before one of those "threats to public health or safety" happens? Share your thoughts over in the forums.
