A federal judge on Saturday in the US granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.
The students at an Electronic
Frontier Foundation panel.
(Credit: Declan McCullagh)
The Electronic Frontier Foundation, which is representing the students, anticipated appealing the ruling, said EFF senior staff attorney Kurt Opsahl.
The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference in Las Vegas that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line.
They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.
US District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 am PDT on Saturday in the US.
EFF staff attorney Kurt Opsahl said that the temporary restraining order was "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented."
EFF attorneys appeared with the three students - Zack Anderson, R.J. Ryan, and Alessandro Chiesa - in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit. Although Sunday's talk was canceled, Defcon organisers hinted that there may be a related presentation on a similar topic.
The students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on July 30 or July 31. But the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time.
But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the "initial contact, they said the FBI was investigating and that was not - we didn't find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening," said Anderson, one of the students.
EFF's Opsahl said the students only intended to "provide an interesting and useful talk, but not one that would allow people to defraud the Massachusetts" government.
The MBTA, which is a state government agency, alleged in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."
Its suit asked a judge to order the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised."
The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.
That could be difficult to enforce. Every one of the thousands of people in Las Vegas who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and US$990 worth of hardware to read and clone the RFID-based CharlieCards.
Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities -- not included on the CD - was removed from web.mit.edu/zacka/www/subway/ by Saturday morning in the US.)
Court documents filed by MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday. (There was initial confusion about whether the meeting was Monday or Tuesday.)
In the video clip below MIT student Zack Anderson tells reporters how he felt when he learned about the lawsuit filed by the MBTA. The lawsuit was filed a few days after he had met with the agency to discuss concerns about his talk at Defcon. He is with fellow MIT students R.J. Ryan, Alessandro Chiesa and EFF attorney Marcia Hofmann, who was advising the students about what they could say in lieu of the temporary restraining order against them.
(Credit: Elinor Mills)
