The Green Sheet Online Edition
September 22, 2008 • Issue 08:09:02
CharlieCard gets charley horse
Editor's Note: This story is reprinted from SellingPrepaid E-Magazine at www.sellingprepaid.com.
The legal case that pitted smart card security researchers against a big-city transit authority came to an unsettled conclusion recently. On Aug, 19, 2008, a federal judge lifted a gag order that had prevented three Massachusetts Institute of Technology undergraduates from revealing security vulnerabilities in Boston's CharlieCard and CharlieTicket electronic transit fare systems.
By lifting the temporary restraining order, the U.S. District Court of Massachusetts allowed the three MIT students to freely discuss security weaknesses they reportedly exposed in the stored value CharlieCard and CharlieTicket systems managed by the Massachusetts Bay Transit Authority.
In the case of the CharlieCard, the weakness involved the ease with which the students were presumably able to hack the radio frequency identification (RFID) chip embedded in the transit card.
The three students had planned to reveal their findings on Aug. 10, 2008. According to the MBTA's lawsuit, it found out about this on July 30, 2008. Representatives of the MBTA, the students, and the students' research advisor, MIT professor Dr. Ron Rivest, met on Aug. 4 to discuss the upcoming presentation.
According to the students' legal counsel, the San Francisco-based nonprofit legal organization Electronic Frontier Foundation, the students made it clear to the MBTA that they would not reveal technical details that would enable others to use their research to exploit flaws in the MBTA's systems.
However, in a statement, the MBTA asserted, "MIT staff and the students agreed to provide the MBTA with a copy of the presentation and other information they claimed to possess. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday."
That Friday, Aug. 8, the MBTA filed its lawsuit. Invoking the Computer Fraud and Abuse Act, which puts restrictions on disclosure of information that might enable others to violate the law, the MBTA argued that the MIT students' claims, if true, would "significantly compromise the CharlieCard and CharlieTicket systems." The CharlieCard, implemented in January 2007, has become the preferred fare medium for MBTA mass transit users, generating approximately $475,000 every weekday, the lawsuit said.
In addition to the lawsuit, the MBTA was granted a temporary restraining order that prohibited the students' presentation. Although Hofmann said the presentation's information was already available on the Internet, the students decided against giving the talk.
Closing the barn door
One vulnerability the students would have discussed involved the MiFare Classic RFID chip, which was developed by NXP Semiconductors of The Netherlands and reportedly embedded in CharlieCards. This embedded chip enables the card to be waved at POS terminals rather than swiped.
In December 2007, researchers revealed how to hack into the MiFare chip and crack its security encryption. Fraudsters could then hypothetically clone that security code onto other RFID chips, embed those chips on blank cards and sell them on the black market.
According to Karsten Nohl, a graduate student at the University of Virginia, the MBTA had known about the security flaw at least since early March 2008 when a story on the system vulnerability ran in The Boston Globe.
"If [MBTA] had started working on an upgrade to their systems in February or March when everybody in Boston was talking about it for a few days, then they would have something ready now," Nohl said.
Nohl said the suit "completely disrupts the trust that has been built between researchers and industry if any progress has been made toward what we call responsible disclosure - for example, informing on MBTA's security problems beforehand and then giving them time to respond.
"Well, that's not going to happen anymore if the only response you'll get is a lawsuit that prevents you from doing further research."
Hofmann added that researchers need to be able to freely point out vulnerabilities in systems; otherwise the flaws won't get fixed.
Nohl sees another negative aspect. The lawsuit "attracts attention to the wrong side of the problem," he said. Instead of focusing on a solution to the security weakness, the lawsuit focuses attention on the weakness itself.
Time running out
Although the EFF was successful in getting the gag order lifted, the nonprofit said the MBTA's lawsuit against the students continues.
According to the EFF, the students have voluntarily provided a 30-page security analysis to the MBTA regarding the supposed vulnerabilities in Boston's electronic ticketing systems. EFF claims the students have offered to personally consult with the MBTA on the security flaws and how to fix them. Nohl said that regardless of how the MBTA lawsuit plays out, the security vulnerabilities will be published at a security conference in Spain in October 2008.
"And probably MBTA hasn't made the connection yet," Nohl added. "The most time they can ever buy themselves [to fix the vulnerabilities] is until October."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.