Last weekend, a federal judge issued an injunction blocking some MIT students from explaining to a Defcon audience how to hack the RFID-based fare card system used by the Massachusetts Bay Transportation System (MBTA).
In one account, one student said he was now “afraid.”
Good.
Judging from what I’ve read, that seems to be the minority view.
My colleague Adam Gaffin pointed out the MIT students included a lengthy list of all the ways you can hack the system without any equipment at all, apparently not even a jimmy: walking through unattended fare gates; unprotected and even unlocked network switch rooms; and so on.
NW Columnist Scott Bradner, with Olympian assurance, explained that the MBTA understood neither publicity nor security. Suing the hackers just called more attention to the problem, he says. And “The MBTA defaulted to the common but dumb idea that if security flaws are hidden they will not be exploited. This never works in the long run….”
Actually, the MBTA defaulted to the not-so-dumb idea that if you make available detailed information about how to exploit a hidden security flaw, in this case including source code posted on one student’s Website but later removed, it sure makes it a lot easier for the exploiters. In a touch of unintended hilarity, the MIT hackers originally included a PowerPoint slide that warned “THIS IS VERY ILLEGAL! So the following material is for educational use only.” Right.
In a nice touch, the MBTA’s suit quoted from the “MITnet Rules of Use” which warn students against messing with the integrity of the system by, among other things, “attempting to capture or crack passwords or encryption….”
The Electronic Frontier Foundation, the cyber-ACLU, found yet another reason to harp about how publicly revealing ways to violate computer security is not only a Public Service but a constitutionally protected Public Service. “We believe that this is a protected speech activity. When you discuss security issues, if you are telling the truth, that is something that should be protected,” according to an EFF staff attorney. I guess that means if the MIT hackers stood up at Defcon and said “the MBTA system is hackproof” then EFF would be demanding that authorities prosecute the hell out of them.
The MBTA, like every government agency, by definition deserves humiliation, since that is the only sure and certain method of quality improvement in the public sector. Unlocked network switching rooms? Heads should roll. Except, being a state civil service agency, even in the utterly unlikely chance that were to happen, the MBTA would have to keep the headless corpse in place and pay it disability.
Most of the “physical hacks” such as sneaking past a dozing MBTA employee are by definition individual acts. But the original text of the MIT hackers promised “free subway rides for life” — the prospect of fraud on a grand scale.
But how likely is that? Some security folks argue the risk is minimal: as far as we know, it hasn’t been done despite the fact the Mifare Classic vulnerabilities were exposed a year ago. But the recent federal indictments against a ring of hackers, charging them with subverting network security at 9 major US retailers show something else: how a small, highly motivated group of people exploited network vulnerabilities, compromised the online identity of hundreds of thousands of consumers, and looted millions. Their scheme only began to unravel when they tried attacking an as-yet unnamed retailer who had crafted a security system that actually worked.
There’s an appealing simplicity in the smug conviction of dumb (MBTA), dumber (the judge), and dumbest (NXP, the RFID card maker). A Slashdotter wondered whether “Dutch openness” (a Dutch court recently refused to block researchers from disclosing Mifare Classic bugs) or “Soviet-style secrecy” (MIT students snatched from the campus at midnight by men in fedoras and dark overcoats, whisked away in a black Mariah to a cellar in Dorchester) would ultimately prevail at Defcon.
But security and publicity, like life, are never that simple. I haven’t looked in detail at the specific legal arguments advanced in the MBTA’s suit, or by the Electronic Frontier Foundation. But UCLA law prof Eugene Volokh has some preliminary thoughts on his blog, identifying two key issues: is such speech constitutionally protected, and even if not, can it be restricted? He also notes that the MBTA argued in its filing that the students obtained the information they were going to disclose illegally, in violation of the Computer Fraud and Abuse Act. “So this is a pretty complex legal question…,” he concludes. No kidding.
It’s certainly true that as a result of the MBTA’s court suit, a lot more people than otherwise now know that the MBTA fare system can be hacked.
But they also know one more thing: do it, and you face legal action.
Works for me.
Copyright © 2008 IDG Communications, Inc.