MIT students barred from presenting Boston subway fare loophole

At a security conference on Sunday, the three students were set to highlight security holes in the automated fare collection system used by the city's transit service.

Zack Anderson, R.J. Ryan, and Alessandro Chiesa were set to give the talk at the DEFCON Conference in Las Vegas (PDF of full presentation available here from MIT). The Massachusetts Bay Transportation Authority complained that the students were going to show attendees how to exploit the hole, without first giving it a chance to fix the problem.

The transit agency sued both the students and the Massachusetts Institute of Technology to prevent the presentation from taking place, accusing them of violations of the Computer Fraud and Abuse Act.

According to the EFF's Jennifer Granick, who is assisting the group in their case, no identifiable information on how to exploit the hack would have been shown. It would, however, have called the MBTA's security into question.

In a presentation prepared for the conference, the three would have shown the agency's apparently lax efforts to protect itself, including unlocked doors, computer monitors with possibly sensitive information clearly visible to riders, and turnstiles that could be easily hacked.

Topics discussed would include how to forge fare cards, and alter the magnetic stripe and RFID chips in order to dupe the system. Once done, the hacker could ride the system for free.

Researchers were planning to highlight during the presentation that actually performing the hack would be "very illegal" and that information was "for educational use only."

While the hack wouldn't necessarily let an attacker take over the subway system itself, it could certainly pose a problem for an agency that depends heavily on fare collections to continue service.

In issuing its order barring the students from making their presentation, the court used a federal statute aimed at prosecuting computer intrusions. However, the EFF would have none of it, and argued that the order violated the First Amendment.

"The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion," Granick said. "[The ruling] will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes."

The interest group is lauding the work on this case as one of the first to officially fall under its recently created Coders' Rights project, launched last Wednesday.

