Three engineering students at the Massachusetts Institute of Technology (MIT) got a bit too creative when they figured out how to crack the T's ticketing system and ride free, according to the Massachusetts Bay Transportation Authority (MBTA), which slammed the students with a lawsuit last month.
The MBTA filed the lawsuit on Aug. 8, fewer than 48 hours before the students were to give a presentation on the results of their research project at an annual hacker's conference. In the presentation, the students planned to detail how to use a $300 magnetic stripe writer to reprogram the CharlieTicket — the T's paper ticket — to contain up to $655.36 in value.
The group exposed the vulnerability as part of a class assignment, on which they earned an A. The students claimed that unencrypted information stored in the CharlieTicket's magnetic stripe can easily be cloned and altered, and that those with sufficient hardware can also read electronic information stored on a CharlieCard — a plastic ticket to enter the T.
"We were trying to make sure that their systems are safe and secure and to point out how to improve them," Zack Anderson, one of three MIT seniors whom the MBTA named in its lawsuit, told the Daily in an e-mail. "Wouldn't you rather have a friend show you how easy it is to break into your home before a stranger storms in with a mask and a gun?"
To that end, the students left out a key detail from their planned presentation to the conference. The detail would show others how to hack the MBTA's system and ride the T for free.
But according to an Aug. 25 report in MIT's student newspaper, The Tech, on Aug. 19, the MBTA publicized a confidential report from the students, and this report provides the additional information necessary "to repeat the attack" on the CharlieTicket.
The students were planning on delivering their talk to the DEF CON conference in Las Vegas. In their absence, the students' PowerPoint presentation was made available to attendees at the convention and has since become widely available on the Internet.
"We never, ever planned on releasing any details that would allow someone to repeat the attacks we discovered," Anderson said. "The confidential security analysis report [that the group provided to the MBTA] revealed more material than we ever planned on releasing publicly."
Anderson also denied ever riding the T without paying, despite the MBTA's plans to sue the students for using subway services for free. This is one of the allegations with which the students are faced.
A federal judge on Aug. 19 lifted a gag order that had been placed on Aug. 9 against the students, and denied a request by the MBTA to prohibit the students from talking about security flaws in the transit system's ticketing system for five months. The MBTA requested the five-month period in order to repair the vulnerabilities, to which it had admitted for the first time the day before. Although the gag order was eventually overturned, it did prevent the students from presenting at the DEF CON conference.
In lifting the restraining order against the students, U.S. District Judge George O'Toole, Jr. dismissed the MBTA's argument that the students' scheduled talk "would violate the Computer Fraud and Abuse Act … by enabling others to defraud the MBTA of transit fares," according to a press release from the Electronic Frontier Foundation (EFF). O'Toole ruled that speech is not covered in the same way that computers are under the federal act.
"The judge recognized that what the students had planned on doing was free speech, that they were allowed to talk about something that was true," Rebecca Jeschke, a spokesperson for the EFF, told the Daily.
The EFF, a nonprofit advocacy group, is providing legal representation for the students.
The lawsuit, MBTA v. Anderson, came less than a week after Anderson and the two other students who planned to participate in the talk, seniors R.J. Ryan and Alessandro Chiesa, voluntarily met with MBTA officials to discuss their findings.
The project also exposed physical security vulnerabilities at T subway stations –—with photographs of unlocked turnstile control boxes and unattended surveillance equipment — and included a discussion of flaws with the plastic CharlieCard.
Jeschke said that the students had given the MBTA an appropriate amount of time to alter security flaws before the DEF CON conference.
"There are responsible ways to talk about vulnerabilities, and these students were abiding by these responsibilities," she said.
According to an Aug. 20 report in the Boston Globe, MBTA officials and Anderson agreed that the CharlieTicket's flaws could be fixed without implementing a new ticketing system.
Both the MBTA and the students have expressed interest in cooperating on fixing the security vulnerabilities. "The MBTA is continuing to talk with the defendants in the lawsuit in an attempt to settle this matter," Joe Pesaturo, a spokesperson for the MBTA, told the Daily. "We continue to offer the students an invitation to sit down with the MBTA and talk about their research and the project that they did."
Anderson said that the students would accept the MBTA's invitation when the MBTA ceases to pursue legal action against them.
"We plan on sitting down with the MBTA to discuss our findings once the threat of the lawsuit goes away," he said. "[The MBTA's] tone is much improved now, and we believe the lawsuit can be put behind us, we can sit down with their staff, and actually help them fix these flaws."
The lawsuit against the students is still pending, without any outstanding motions.
