Thursday, September 4, 2008
The legal case that pitted smart card security researchers against a big city transit authority came to an unsettled conclusion recently. On Aug. 19, 2008, a federal judge lifted a gag order that had prevented three Massachusetts Institute of Technology undergraduates from revealing security vulnerabilities in Boston's CharlieCard and CharlieTicket electronic transit fare systems.
By lifting the temporary restraining order, the U.S. District Court of Massachusetts judge allowed the three MIT students to freely discuss security weaknesses they reportedly exposed in the stored value CharlieCard and CharlieTicket systems managed by the Massachusetts Bay Transit Authority.
In the case of the CharlieCard, the weakness involved the ease with which the students were presumably able to hack the radio frequency identification (RFID) chip embedded in the transit card.
The three students had planned to reveal their findings Aug. 10, 2008, at the Defcon 16 hackers convention in Las Vegas. According to the MBTA's lawsuit, it found out about the scheduled talk on July 30, 2008. Representatives of the MBTA, the students, and the students' research advisor, MIT professor Dr. Ron Rivest, met on Aug. 4 to discuss the upcoming presentation and what it contained.
According to the students' legal counsel, the San Francisco-based nonprofit legal organization Electronic Frontier Foundation, the students made it clear to the MBTA that they would not reveal technical details in their demonstration that would allow others to use their research to exploit flaws in the MBTA's systems. The students believed the meeting had succeeded in assuaging the transit agency's concerns.
But the MBTA saw it differently. In a statement, the agency asserted that "MIT staff and the students agreed to provide the MBTA with a copy of the presentation and other information they claimed to possess. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday."
That Friday, Aug. 8, the MBTA filed its lawsuit. Invoking the Computer Fraud and Abuse Act, which puts restrictions on disclosure of information that might enable others to violate the law, the MBTA argued that the MIT students' claims, if true, would "significantly compromise the CharlieCard and CharlieTicket systems. This, in turn, will harm the overall functioning of the MBTA's transit services."
The CharlieCard, implemented in January 2007, has become the preferred fare medium for MBTA mass transit users, generating approximately $475,000 in revenue every weekday, the lawsuit said.
In addition to the lawsuit, the MBTA filed – and was granted – a temporary restraining order that prohibited the students from giving their talk. The students were at Defcon when they received the news. They were "very surprised," said Marcia Hofmann, Staff Attorney at the EFF.
Although Hofmann said information on slides that accompanied the presentation was already publicly available on the Internet, the students, in consultation with the EFF, decided against giving the talk.
One security vulnerability the students would have discussed involved the MiFare Classic RFID chip reportedly embedded in CharlieCards. Unlike the mag stripe-enabled CharlieTicket that functions like a traditional payment card at the POS, the CharlieCard's embedded chip enables the card to be waved at POS terminals rather than swiped.
The MiFare chip, developed by NXP Semiconductors of The Netherlands, is used worldwide in such applications as employee security badges and mass transit cards.
At a December 2007 hackers' conference in Berlin, researchers first revealed how to hack into the MiFare chip and crack its security encryption. Fraudsters could then hypothetically clone that security code onto other RFID chips, embed those chips on blank cards and sell them on the black market.
In April 2008, the Dutch government publicly admitted the vulnerability did, in fact, exist, and its smart card fare transit system would need to be upgraded.
According to Karsten Nohl, a graduate student at the University of Virginia and one of the researchers behind the Berlin demonstration, the MBTA had known about the security flaw at least since early March 2008, when a story on the system vulnerability ran in The Boston Globe.
"If [MBTA] had started working on an upgrade to their systems in February or March when everybody in Boston was talking about it for a few days, then they would have something ready now," Nohl said. "And they haven't done anything so far."
In light of this supposed lack of action on the part of MBTA, Nohl called its lawsuit against the MIT students the "worst decision ever by MBTA."
Nohl said the suit "completely disrupts the trust that has been built between researchers and industry if any progress has been made toward what we call responsible disclosure – for example, informing on MBTA's security problems beforehand and then giving them time to respond. Well, that's not going to happen anymore if the only response you'll get is a lawsuit that prevents you from doing further research."
Hofmann added that researchers need to be able to freely point out vulnerabilities in systems; otherwise the flaws won't get fixed.
"And so what worries me about this situation is that it's going to discourage people from revealing that they discovered a security vulnerability for fear of getting sued," Hofmann said. "And it's just going to basically chill that kind of research and the revelations that that kind of research brings about. I think society is worse off for that."
Nohl sees another negative aspect. The lawsuit "attracts attention to the wrong side of the problem," he said. Instead of focusing on a solution to the security weakness, the lawsuit focuses attention on the weakness itself.
"So researchers are now encouraged to find flaws, talk about flaws publicly because that's how they get [media] attention, and completely neglect the counter to that – finding solutions, which researchers are actually really good at," Nohl said.
But Hofmann pointed out that the case has even broader free-speech implications.
"It is only in extremely rare circumstances that the courts, in general, will gag somebody from being able to say something before they even have a chance to say it," she said. "The MBTA's temporary restraining order presents a very severe restriction on somebody's ability to express themselves, and that is, of course, a right that is protected by the First Amendment. And so this is a very critical First Amendment issue."
Although the EFF was successful in getting the gag order lifted, the nonprofit said the MBTA's lawsuit against the students continues. According to the EFF, the students have voluntarily provided a 30-page security analysis to the MBTA regarding the supposed vulnerabilities in Boston's electronic ticketing systems. EFF claims the students have offered to personally consult with the MBTA on the security flaws and how to fix them.
Nohl said that regardless of how the MBTA lawsuit plays out, the security vulnerabilities will be published at a security conference in Spain in October 2008.
"And probably MBTA hasn't made the connection yet," Nohl added. "The most time they can ever buy themselves [to fix the vulnerabilities] is until October."