BOSTON (CN) – A federal judge blocked three MIT students from giving a presentation, scheduled for a hackers’ conference, that was supposed to expose security flaws in the automated fare system used in Boston’s subways and buses.
U.S. District Judge Douglas Woodlock issued two restraining orders barring undergraduates Zack Anderson, RJ Ryan and Alessandro Chiesa from presenting their findings on the system’s alleged vulnerabilities at the Aug. 10 DefCon conference in Las Vegas.
The ruling is a victory for the Massachusetts Bay Transportation Authority, which claimed the presentation would show others how to hack its smartcards, called CharlieTickets and CharlieCards, before the transportation authority could address any weaknesses.
In its lawsuit, the transit agency said the students “claim to have circumvented the security features of the MBTA’s computerized CharlieTicket and CharlieCard fare media systems; (ii) publicly offered ‘free subway rides for life’ to interested parties over the Internet; and (iii) plan to allow others to duplicate their claimed ‘breaking’ of the Fare Media’s security systems by presenting a paper, releasing software tools, and giving demonstrations at the DefCon hackers convention this Sunday, August 10, in Las Vegas. Despite the MBTA’s requests, MIT has been unwilling to set limits on the MIT Undergrads’ activities.”
The complaint continued: “The MIT Undergrads have declined to provide the MBTA or its system vendors with information concerning the claimed security flaws in the system. If what the MIT Undergrads claim in their public announcements is true, public disclosure of the security flaws – before the MBTA and its system vendors have an opportunity to correct the flaws – will cause significant damage to the MBTA’s transit system.”
The MBTA said it demanded to meet with the students, and did meet with them, but the students insisted they would carry through on their promise, or threat, to reveal how they defeated the MBTA’s security system, and continued “to promise the release of software tools and demonstrations to allow others to duplicate the attacks.”
Disclosure of the flaws “will significantly compromise the CharlieCard and CharlieTicket systems,” thereby jeopardizing the overall functioning of the fifth-largest mass transit system, a project leader said in a court declaration.
The MBTA is represented by Ieuan Mahony with Holland & Knight.