Well Well Well
So they have now told the whole world that the issue is serious and there really IS a problem. Expect a hack pretty soon, I reckon.
A federal judge on Saturday gagged three Massachusetts Institute of Technology undergraduates from publicly presenting research at Defcon demonstrating gaping holes in the electronic payment systems of one of the nation's biggest transit agencies. US District Judge Douglas P. Woodlock issued the order at the request of the …
Sheesh! What amateurs! Everyone knows that the more important and contentious a presentation, the more innocuous the title you give it.
Had they titled the talk "Recent Results in the Investigation of Place-to-Place Transit Protocols" or something even duller and more boring, no one would have noticed in time to stop the presentation.
Look at Andrew Wiles' famous proof of Fermat's Last Theorem: he gave his presentation the title "Modular Forms, Elliptic Curves, and Galois Representations." Nothing in the title about the ultimate objective, the proof of Fermat's theorem.
Or a talk I saw a while back titled "Piracy is good?" that had its question mark dropped at the very start...
Also, this is a ridiculous lawsuit. If there's a hole in a fence, you mend or replace the fence. You don't sue whoever found it (assuming that they didn't create it, which in this case they didn't) for telling you it exists!
I can only wonder why they don't want a secure system. Apart from the obvious, 'We don't want to fix it because it will cost money and we have shareholders to worry about.'
I agree with Will Godfrey: now the world knows where the problem lies, the crackers will soon be at it. A Federal judge saying they can't discuss it at Defcon is as effective as highlighting it with neon signs saying "DO NOT LOOK FOR OUR BIG SECURITY PROBLEM. PLEASE IGNORE IT. IT'S NOT THERE. HONESTLY. AND WE'RE GOING TO SUE THOSE PESKY STUDENTS FOR BREAKING OUR NICE SECURE SYSTEM."
Well I'm convinced. Aren't you?
The MBTA (and all MA residents) has a legitimate interest in having secure fare collection systems. But clearly, they should be suing NXP Semiconductor, not the MIT students. I expect that over the next year, as it dawns on them that the cat is out of the bag, that they will get around to this.
Otherwise, what is the purpose of security at all? Why not just have unencrypted farecards and sue anyone who talks about them?
I reviewed the slides that were to be shown at the conference. Apparently, these students did violate the law:
1. They claim to have engaged in social engineering techniques that included trespassing on MBTA property.
2. They used some equipment to remotely monitor communications going on inside the MBTA building.
Both of these have nothing (directly) to do with farecard security, and they are illegal; it is Kevin Mitnick-style hacking. This is NOT a good test case to maintain free speech rights on pointing out security vulnerabilities.
If you are interested in the technical aspects, then the lads' presentation of their results to their MIT class is still online. Not giving the URL, as I'm not sure if that is an error by the lads (and they're in enough hot water already) or an error in the transit authority's wording of their suppression order. Just noting the irony.
What's up with the censorship here? I agree with the other posts: now that the courts have become involved, if the group they are censoring now can't talk, it'll just prove whatever theory they had to be true, and others will likely come along and do the same thing. The last time I checked, I wasn't in China, and merely talking about something can't put you in jail.
There's college professors in this country that have attacked police and government installations here and are currently teaching in schools, so if merely saying or thinking something can be silenced by the courts, what's next?
Pop culture promotes the idea that computer security is like real-life security systems; it makes for a better story.
In real life there is no way to keep people out, just slow them down. Safes are rated on how long it takes an expert with the proper tools to open them. But any safe can be opened.
In the computer world all the doors are 100% impenetrable, and if they are locked properly they can never be opened by anyone who wasn't given a key.
Only sometimes, next to the door, behind the shrubs, there is a hole left there by the building crew.
Someone looks behind the shrub and says, ah, there is a huge hole there and anyone can walk through.
They are not creating the holes, they are just finding them.
@ John Widger:
'I can only wonder why they don't want a secure system. Apart from the obvious, 'We don't want to fix it because it will cost money and we have shareholders to worry about.'
To answer your question, this isn't just a small thing. I think I read somewhere on The Register that Philips Semiconductor (now NXP) have issued over 10 billion (10,000,000,000) of these Mifare Classic (hackable) items worldwide.
To make it really clear: in the US, if you make a defective product (such as a car component), by law you're supposed to notify each purchaser about the defect. Here's the rub: 10,000,000,000 x (letter explaining defect + current stamp cost). Plus time and manpower to print and send it all. And that's not including replacing the product itself. Now you see why they're fighting tooth and nail. Granted that most companies would buy in bulk, it would still probably bankrupt them to replace the defective units (for free), so they're trying to keep a high, er low, profile and coast along until they can fix it in-house and sell the updated versions to their unsuspecting customers in order to stay afloat.
In their minds, why should they fix it if they lose their jobs in the process? So, they screw people.
@ James Woods:
"The last time I checked, I wasn't in china, and merely talking about something can't put you in jail."
Not true. Yelling "FIRE!" in a theater can get you arrested, and if you were to give a full-scope presentation of how to make home-grown explosives or bio-chem weapons on a street corner, you'd probably be arrested there too. And God forbid anyone should talk about doing nasty things to a politician or the President in public these days. Over-reacting is the watchword of the times. It's not Orwell yet, but give it time.
This applies equally to the MBTA, the California tollway providers, the Dutch transportation authority, the Oyster Card folks, et al.:
The blame can ONLY be placed on the companies and governments that OPERATE these transport systems that are using the flawed security measures. The failure of these companies and government agencies to constantly review the security of their systems AND PLAN FOR UPGRADES TO DEAL WITH THESE THREATS AS THEY OCCUR is an egregious management error that MUST be addressed by their stockholders/governments.
Companies like NXP semi are really NOT to blame, especially if they can show that they were actively attempting to upsell their clients to newer technology when the old systems became vulnerable. On the other hand, if they were assuring their customers that the Mifare Classic was still secure, then they ALSO need to be part of the guilty crowd.
I fully expect the outcome of all this publicity to be criminal suits filed by government law enforcement agencies against the managers of the failed agencies and their vendors - for completely failing to do their jobs. And another round of fare hikes and taxes to pay for complete overhauls of the transport systems that are affected.
Finally, an example. If a bank were to build a vault with a screen door and pronounce it "secure" because no one had broken into it yet, the management would be behind bars in a heartbeat - or at least fired and fined. The actions of these agencies and companies are the equivalent of the screen door on a bank vault.
"Disclosure of this information - if what the MIT undergrads claim is true - will significantly compromise the CharlieCard and CharlieTicket systems," the complaint states.
No - the systems are already compromised. That is the MBTA's fault, since they bought it, or their supplier's if they lied to you, not the MIT students'. They should be thanking these people for pointing it out, and getting it fixed.
Still, if they want to make themselves look like idiots, that's fine by me.
I am curious about security in payment systems - so I can evaluate the risk of having a credit card, decide the risk of my business being used to defraud others, and so I can build a better payment system.
Some people think the only reason to go to defcon is to learn how to steal from a mass transit system. Some people are asking for copies of the materials before they are widely distributed. Apparently the research included monitoring data inside the MBTA. "The level of concern reached all the way up to the governor's office"
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/18/AR2008071801912_pf.html
Oooops! Seems the Washington Post managed to scoop the Defcon team, and if their description of the hack is correct it was done in a way more ghetto way than cloning cards with a magstripe reader. Respect for that, if it's true:
"Thieves took a legitimate paper Farecard with $40 in value, sliced the card's magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out."
It would appear that that is basically the substance of the defcon talk, and the bit about mifare vulnerabilities appears to be mostly theoretical based on the recent mifare flaws.
Since all of this information is already in the public domain, taking the speakers to court has only had the effect of publicising the flaws more widely than would otherwise have happened. If the transit authority had kept quiet then some geeks would have known of the problem; now the world+dog knows.
Paris, because even she knows you can't put the genie back in the bottle.
One of the problems with the current laws when it comes to security and computer research is that there are no "whistleblower" protections, unlike those that are in place for people that expose fraud and things in other systems.
The U.S. Government sides with companies that make products or produce software for the most part. The lawmakers are paranoid about the internet (mostly because they don't understand it) and believe anyone who uses it is involved in either child porn or downloading movies/music or software. Anyone who researches security and exposes the chinks in the armor is a person that is a "dangerous hacker" bent on destroying the system and costing a company money.
We are not allowed to tell people that "the emperor has no clothes".
If the company was previously aware of the weakness in their security and didn't warn the customers, it sounds like fraud to me.
If the company wasn't previously aware of the weakness in their security it sounds like incompetence.
Either way, the company doesn't get a free pass by pointing at the messenger and shouting "He did it!".
It is smart to create a working subway electronics. It is smarter to find a way around it. Now, the big question, what is smartest? Smartest would be to find a way around it and then use that information to get a nice, creative job, a job that you liked. For an MIT student, you might get in contact with the people you outsmarted. Instead of garnering national attention, instead of a splash in the news, you might play your cards closer to your chest.
So let me see if I get this right - you are suggesting that the operators of public transport systems be held liable because of a failure of their VENDORS?
Firstly, you haven't proven that there is a non-rectifiable problem of any great magnitude. Most of what I have seen from the slides and in other discussions on the crackable cards is in the same category as people boarding buses from the exit doors - minor fare jumping. It is not something that will stop the transport system from working, and not something that the vast majority of users are going to bother to do, especially if any detection mechanisms are put in place and violators prosecuted.
For example, it is fairly easy to monitor the transaction systems for purchased fares, and cross-correlate with the value on a card as it is used - maybe not in real-time, but certainly as a data mining operation. A card ID that is used repeatedly with an amount that is not shown to have been purchased can have the card de-activated perhaps, or CCTV can be cued to detect people using those cards and have them stopped by security.
Even if you take exception to the methods above, my point is that there are certainly valid ways of combating this fare jumping that do NOT require the wholesale replacement of the entire card system - just a few more tools in the belt of the system security. Now as to the systems passing that cost on to the original card vendor, THAT makes a lot of sense, and if the card vendor is smart they will be working with the systems for fraud detection and prosecution tools that can be rolled out to all systems using the cracked cards...
Lastly, I don't find the actions or management of the transport systems in any way flawed - they all purchased a system that was advertised and designed as secure, and hadn't been publicly broken TO THAT POINT. It was designed to hit a price/performance goal, and there was no real business case that I can see for buying more expensive cards that _might_ be more secure but at a much higher cost - and they need to buy a LOT of cards, so the cost difference would quickly add up. Given that what is being protected here is not biowarfare secrets, but common fare jumping, their actions were perfectly rational and probably even good business if you run the numbers of card costs versus potential fare jumping via cracked cards...
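The cross-correlation sketched in the post above (purchase records versus the value a card presents at the gate), written out as an added example; this is not code from the thread, the MBTA or any vendor. It assumes a back-office ledger of vending-machine purchases and a feed of gate taps with the balance each card presented, both constructed here; the record layouts, fare amounts and tolerance are assumptions.

```python
from collections import defaultdict

# Constructed sample ledgers (not real MBTA data). Amounts in dollars.
# Vending-machine purchases: (card_id, timestamp, amount added)
PURCHASES = [
    ("card-001", 100, 20.00),
    ("card-002", 100, 5.00),
    ("card-002", 400, 10.00),
]
# Gate taps: (card_id, timestamp, fare charged, balance the card presented
# before the fare was deducted)
TAPS = [
    ("card-001", 200, 2.00, 20.00),
    ("card-001", 300, 2.00, 18.00),
    ("card-002", 200, 2.00, 5.00),
    ("card-002", 300, 2.00, 45.00),   # balance jumped with no purchase on record
    ("card-002", 500, 2.00, 53.00),   # still inflated after the $10 top-up
    ("card-003", 200, 2.00, 30.00),   # card never topped up at all
]


def reconcile(purchases, taps, tolerance=0.01):
    """Replay purchases and taps in time order and flag every tap whose presented
    balance exceeds what the back office can account for.
    Returns {card_id: [(timestamp, presented, expected), ...]}."""
    # kind 0 = purchase, kind 1 = tap, so a same-second purchase is credited first
    events = sorted(
        [(t, 0, cid, amt, 0.0) for cid, t, amt in purchases]
        + [(t, 1, cid, fare, bal) for cid, t, fare, bal in taps]
    )
    expected = defaultdict(float)   # value the back office can vouch for
    flagged = defaultdict(list)
    for t, kind, cid, amount, presented in events:
        if kind == 0:
            expected[cid] += amount
            continue
        if presented > expected[cid] + tolerance:
            flagged[cid].append((t, presented, round(expected[cid], 2)))
        # Only accounted-for value is carried forward, whatever the card claimed.
        expected[cid] = max(0.0, expected[cid] - amount)
    return dict(flagged)


def cards_to_deactivate(flagged, min_hits=2):
    """Act only on cards used *repeatedly* with unaccounted value, as the post
    suggests; a single mismatch may be a reporting glitch."""
    return sorted(cid for cid, hits in flagged.items() if len(hits) >= min_hits)


if __name__ == "__main__":
    hits = reconcile(PURCHASES, TAPS)
    print(hits)                      # card-002 flagged twice, card-003 once
    print(cards_to_deactivate(hits))  # ['card-002']
```

Running it as a batch job over a day's ledgers is the "data mining operation" the post describes; the per-tap anomaly list is what a CCTV or security-desk workflow would consume.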
Look, let's start with some basics here. I'm pretty positive that none of the card manufacturers started out with the idea of deliberately releasing a substandard card. What they failed to do was to have proper research into its security, but I refuse to believe they decided to build a global business on a deliberately weak product (and techniques improve, so you're always sitting a bit on a time bomb).
However, where they went off the rails (and in principle pulled a Streisand) was by trying to halt the talk. What should have happened was invitations to talk about the issue and working out a way to address it - like you would expect with responsible disclosure.
Question: was the company notified in time to give them at least a chance? Not so sure, but I wasn't there. Observation: yup, I can see this company being well & truly stuffed for having a cracked product (depends on the nature of that hack), but you need to incorporate that risk in supplying ANY security product, and given the reaction of most suppliers so far that wasn't the case. To me it smacks of panic more than sense (default US panic button: sue someone?).
Trying to sue anyone who publishes is not going to make the problem go away. If you're a company using such cards, would you still go and buy more? Not until you've heard someone addressing the PROBLEM, rather than the messenger.
I personally hope that the researchers find a way to turn that judgment against the suppliers and make them think. Every time a researcher gets successfully halted in court, security weakens. Or is that the goal?
One thing that seems a little odd if NXP were not aware of this potential issue is that they appear to have submitted the controllers for Common Criteria EAL5+ certification (http://www.commoncriteriaportal.org/products_IC.html#IC) but not the Mifare cards (unless they did it under a different name).
Perhaps there were some doubts on their part as to the security of the cards, long before any university students showed this to be the case?
--
Martin
@Terryeo
> Smartest would be to find a way around it and then use that information to get a nice, creative job, a job that you liked.
Unfortunately, there are many examples opposing this idea. Big companies tend to blacklist hackers, crackers and phreakers, not employ them.
Since this was a research paper, why didn't they approach the company and request to do it? That way they get to do the research, the company benefits by knowing their vulnerabilities, everyone's a winner.
I don't see the advantage of letting the public know about these security issues except to aid in fare dodging.
Kingston Trio, early 1960s
"Will he ever return? No, he'll never return, and his fate is still unlearned
(poor old Charlie)
He'll ride forever 'neath the streets of Boston, he's the man who'll never return."
Ok, not the same as Bolivian marching powder and all its wonders, but at least historically correct.
Peace, man
Paris, cus she relates to both.
Quoting Bob:
1. They claim to have engaged in social engineering techniques that included trespassing on MBTA property.
-Trespassing in most places is only a crime if the trespasser is asked to leave, by somebody with implicit or explicit authority to do so (not just any joe blow), and refuses to leave. This is different to Breaking & Entering, which they also didn't do.
2. They used some equipment to remotely monitor communications going on inside the MBTA building.
-Your point being? If it's externally monitorable it's not an offence, though this possibly depends on what regime you live under.
None of this is relevant of course, this is an outrageous attack on free speech and should be slammed down into a very flat pancake indeed.
Does this Judge think his order will stop anything?
"US District Judge Douglas P. Woodlock issued the order at the request of the Massachusetts Bay Transit Authority, which sued the three students and MIT on Friday. It forbids Zack Anderson, 21, RJ Ryan, 22 and Alessandro Chiesa, 20, from "providing program, information, software code or command that would assist another in any material way to circumvent or otherwise attack the security" of the MBTA's fare system."
Oh, but it in no way "forbids" others who have the information. It seems MBTA should spend the time and money to make the system more secure and fix the issues with faulty cards. MBTA should also think about hiring these students to work on the system. Better yet, the students should "forbid" MBTA to use the information, as I'm sure they will, to try and fix their broken system.