Judge orders halt to Defcon speech on subway card hacking

Federal judge grants the state of Massachusetts' request to prevent three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
6 min read

MIT students Alessandro Chiesa, R.J. Ryan, Zack Anderson, and Electronic Frontier Foundation staff attorney Kurt Opsahl speak at a panel turned press conference at Defcon. Declan McCullagh/CNET News

LAS VEGAS--A federal judge on Saturday granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.

The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

EFF staff attorney Kurt Opsahl said that the temporary restraining order is "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented."

EFF attorneys appeared with the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit. Although Sunday's talk is canceled, Defcon organizers hinted that there may be a related presentation on a similar topic.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on July 30 or July 31. But the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time.

But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the "initial contact, they said the FBI was investigating and that was not--we didn't find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening," said Anderson, one of the students.

EFF's Opsahl said the students only intended to "provide an interesting and useful talk, but not one that would allow people to defraud the Massachusetts" government.

The MBTA, which is a state government agency, alleges in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."

Its suit asks a judge to order the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised." The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.

That could be difficult to enforce. Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.

Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities--not included on the CD--was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.)

Court documents filed by MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday. (There was initial confusion about whether the meeting was Monday or Tuesday.)

Chiesa, Ryan, and Anderson at an Electronic Frontier Foundation panel. Declan McCullagh/CNET News

A representative of the Defcon convention, who asked that her name not be used, said that the students submitted their Powerpoint presentation at least a month ago. The presentation says--not-so-presciently--"what this talk is not: evidence in court (hopefully)." It also says: "THIS IS VERY ILLEGAL! So the following material is for educational use only."

In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

Also released as part of the public record was a document marked "confidential" and written by the researchers (PDF) that explains exactly how the Charlie cards can be cloned and forged. "Our research shows that one can write software that will generate cards of any value up to $655.36," the document says.

The document also discusses the lack of physical security at the MBTA. "Doors were left unlocked allowing free entry in many subways," the document says. "The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open."

One portion of the MBTA's legal complaint that drew jeers from the Defcon crowd came in its odd claim that "A CharlieTicket standing alone constitutes a 'computer'" under federal antihacking law.

This isn't the first time speakers at security conferences have been hauled into court by companies seeking to muzzle them.

In 2005, Cisco Systems filed a lawsuit against security researcher Michael Lynn hours after he gave a talk at Defcon on how attackers could take over Cisco routers. The case was ultimately settled. Four years earlier, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel one day after he gave a presentation at Defcon on insecurities in e-book security software.

Another excerpt from the presentation distributed to thousands of Defcon attendees on CDs.

Princeton University computer science professor Ed Felten and his co-authors received legal threats from the recording industry involving a planned talk at a Pittsburgh security conference--but pulled the paper from the event, even though no lawsuit materialized.

Research into flaws in the encryption that the Mifare Classic cards, used by the MBTA, landed Dutch researchers in court recently. NXP sued to block a Dutch University from publishing information about vulnerabilities in the encryption used in the RFID cards around the world. Last month, a court ruled that the university could publish the information.

Karsten Nohl, a University of Virginia graduate student who worked with others to break the Mifare Classic crypto algorithm last year, said MBTA should not have sued researchers who voluntarily discussed their findings with them.

"It has been known for years that magnetic stripe cards can easily be tampered with and MBTA should not have relied on the obscurity of their data-format as a security measure," Nohl said. "MBTA made it clear that they are not interested in cooperating with researchers on identifying and fixing vulnerabilities, but their lawsuit will motivate more research into the security of Boston's public transport system."

MIT's student newspaper has posted a copy of the presentation that was distributed on Defcon CDs and the subject of the court order.

In the video clip below MIT student Zack Anderson tells reporters how he felt when he learned about the lawsuit filed by the MBTA. The lawsuit was filed a few days after he had met with the agency to discuss concerns about his talk at Defcon. He is with fellow MIT students R.J. Ryan, Alessandro Chiesa and EFF attorney Marcia Hofmann, who was advising the students about what they could say in lieu of the temporary restraining order against them.

(Credit: Elinor Mills)

CNET News.com's Elinor Mills contributed to this report.

[Note: This story was updated at 12:05 p.m. PDT to reflect that a temporary restraining order was issued. It was again updated at 1:30 p.m. PDT with more details from documents on how the hacks can be done, and at 4:30 p.m. with a report from the EFF press conference and 6:15 p.m. with video.]

Click here for more coverage from Defcon.