Judge imposes gag order on Boston subway hackers

one that would allow people to defraud the Massachusetts” government.

The MBTA, which is a state government agency, alleges in its lawsuit that “disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems” and “constitutes a threat to public health or safety.” Its suit asks a judge to bar the students “from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA’s Fare Media systems has been compromised.” The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.

This, however, could be difficult to enforce. Every one of the thousands of people in Las Vegas who registered for Defcon received a CD with the students’ 87-page presentation, titled “Anatomy of a Subway Hack.” It recounts, in detail, how they wrote code to generate fake magcards. It also describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards. The CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (Note that the source code to the utilities, which was not included on the CD, was removed from the Web site the students created, and as of Sunday, the Web site itself is no longer available.)

Court documents filed by the MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday.

A representative of the Defcon convention said that the students submitted their PowerPoint presentation at least a month ago. In addition, what looked like a black and white faxed copy of the entire presentation was entered as evidence in court records that were publicly available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle. Also released as part of the public record was a document marked “confidential” and written by the researchers, which explains exactly how the CharlieCards can be cloned and forged. “Our research shows that one can write software that will generate cards of any value up to $655.36,” the document says. The document also discusses the lack of physical security at the MBTA. “Doors were left unlocked allowing free entry in many subways,” the document says. “The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open.”

This is not the first time speakers at security conferences have been hauled into court by companies seeking to muzzle them. In 2005 Cisco Systems filed a lawsuit against security researcher Michael Lynn hours after he gave a talk at Defcon on how attackers could take over Cisco routers. The case was ultimately settled. Four years earlier, the FBI took Russian crypto expert Dmitri Sklyarov into custody at his Las Vegas hotel one day after he gave a presentation at Defcon on insecurities in e-book security software. Princeton University computer science professor Ed Felten and his co-authors received legal threats from the recording industry involving a planned talk at a Pittsburgh security conference, and pulled the paper from the event even though no lawsuit materialized. Research into flaws in the encryption of the Mifare Classic cards, which are used by the MBTA, landed Dutch researchers in court recently. NXP sued to block a Dutch university from publishing information about vulnerabilities in the encryption used in RFID cards around the world. Last month, a court ruled that the university could publish the information.

Karsten Nohl, a University of Virginia graduate student who worked with others to break the Mifare Classic crypto algorithm last year, said MBTA should not have sued researchers who voluntarily discussed their findings with them. “It has been known for years that magnetic stripe cards can easily be tampered with and MBTA should not have relied on the obscurity of their data-format as a security measure,” Nohl said. “MBTA made it clear that they are not interested in cooperating with researchers on identifying and fixing vulnerabilities, but their lawsuit will motivate more research into the security of Boston’s public transport system.”

MIT’s student newspaper has posted a copy of the presentation that was distributed on Defcon CDs and is the subject of the court order.