EFF To Appeal Court Order Halting Student Subway Hacking Presentation

A federal court judge placed a 10-day injunction Saturday on any information contained in the students' planned presentation at the Defcon security conference, and ordered the three students not to disclose to the public how to get free rides on the subway, after the MBTA filed a lawsuit Friday.

The suit claimed that the students violated the Computer Fraud and Abuse Act by presenting information in a public forum that could be used to illegally bypass fares for the public transit system. The lawsuit aimed to halt the student presentation, which was slated to be made public at the security conference Defcon, held in Las Vegas Sunday.

In their planned presentation, Massachusetts Institute of Technology undergrads Zack Anderson, RJ Ryan and Alessandro Chiesa claimed to have found a way to circumvent paying fare for the the MBTA's electronic CharlieTicket and CharlieCard subway fare systems. The three MIT students prepared a detailed analysis of the problem at Defcon on Sunday, titled "Evidence of a Subway Hack," which was also posted on the Internet.

While the presentation was halted, the material remained available online. In their presentation, the trio outlined numerous ways to both physically and electronically break into Boston's public transit system, almost all of which they admitted were illegal. Specifically, the student group discovered that the MBTA's automated fare system, known as the Charlie Card and CharlieTicket, stored monetary value on individual cards, but were not compiled in any sort of electronic database. Consequently, the flaw could allow even novice hackers to break into the system in order to alter the card's readings to add hundreds of dollars of fare on Boston subway tickets.

The presentation slides contained information on ways to bypass physical security blocks, as well as how to hack into the MBTA electronic ticket system to get "free rides for life" and other perks.

One slide read, "You'll learn how to generate stored-value cards, reverse engineer magstripes, hack RFID cards, use software radio to sniff, use FPGA's to brute force, tap into the fare vending network, social engineer, warcart," while another read "And this is very illegal, so the following material is for education use only."

Judge Douglas Woodlock of the U.S. District Court for the District of Massachusetts placed an injunction on the presentation after the MBTA filed a lawsuit that named all three students, as well as institution of MIT, as defendants. The project had received an "A" grade from MIT professor and computer scientist Ron Rivest.

However, according to court documents, Woodlock claimed that the information would harm the transportation authority if it was made public before the agency had an opportunity to correct the security errors.

"If what the MIT Undergrads claim in their public announcements is true, public disclosure of the security flaws " before the MBTA and its system vendors have an opportunity to correct the flaws " will cause significant damage to the MBTA's transit system."

Critics of the injunction such as the Electronic Frontier Foundation, a non-profit organization dedicated to free speech and consumer rights issues, argued that the injunction violated the students' First Amendment rights, while asserting that the court erred in what it said constituted a "transmission" of a computer program.

"The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion," said Jennifer Granick, EFF civil liberties director, in a written statement.

"Security and the public interest benefit immensely from the free flow of ideas and information on vulnerabilities. More importantly, squelching research and scientific discussion won't stop the attackers. It will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes."