Defcon 16: MIT Boston transit presentation gagged

posted Aug 9th 2008 8:45pm by
filed under: cons, security hacks, transportation hacks


[Zack Anderson], [RJ Ryan], and [Alessandro Chiesa] were sued by the Massachusetts Bay Transit Authority for an alleged violation of the Computer Fraud and Abuse Act after copies of their presentation slides were circulated at Defcon 16. The slides give an eye-widening glimpse into the massive security holes present in the Boston subway system. There are at least 4 major security flaws in the subway, which allowed them to get free subway rides by finding unlocked, back door routes into the subway, spoofing magnetic and RFID cards, and attacking the MBTA’s network. Judge Douglas P. Woodlock has issued a gag order, stopping the trio from giving the presentation at Defcon or disclosing sensitive information for ten days. However, the MIT school newspaper, The Tech, has published a PDF of the slides online. The research culminated in the trio warcarting the MBTA’s headquarters and being driven off by police.



12 Responses to Defcon 16: MIT Boston transit presentation gagged

  • Eddie says:

    “We have a bunch of security vulnerabilities, but are too lazy to be bothered with them, so shut up. Don’t let the public know that they’re being screwed. If you do, we’ll take you to court. Yeah, I told you to shut up, but you didn’t listen, so now I’ll court-order you to stop talking. Our problems don’t exist!” Yet another reason I don’t like Boston.

  • John Adams says:

    Let’s give thanks to the EFF for staying up all night and attempting to fight this gag order over the last 24 hours. Although they failed, the EFF is continuing to fight for these students’ right to speak.

  • eric says:

    I think the real problem is they went beyond simply finding the vulns. They *applied* them. This puts them in a very sticky legal situation, especially since their own slides act as admission of guilt.

  • David Cranor says:

    Anybody make a copy of the “updated slides and code” from the website before it was pulled?

  • Eddie says:

    Yeah, but the application of the exploits acts as a proof of concept. If these vulnerabilities were ignore-able, the transit authority wouldn’t have fought so hard to shut the kids up. If they didn’t actually apply the exploits, it becomes the kids’ word against the transit authority’s. The fact that they applied the exploits proves to everyone that the vulnerabilities actually exist. Let’s just hope this whole ordeal acts as a wake-up call to the transit authority, as it very well should. But it’s Boston, so there’s a good chance it won’t. (Remember, same place a bunch of LEDs thrown together on a PCB was misconstrued as a bomb.)

  • M4CGYV3R says:

    If you give a crap about freedom of speech, download, copy, and distribute these slides at every opportunity. Don’t let some corrupt judge tell us what we can and can’t see or read.

  • craig says:

    Aside from the subway hacks, the presentation says they’ve built a lot of really cool tools to help with their research.

    One particular one is a toolchain to easily program ‘multi-core’ FPGAs to assist with their brute forcing of the subway RFID chips.

    Even if the gag order continues, hopefully they’ll be able to post some of the tools that they developed that aren’t to do with subway systems directly.

  • Greg says:

    If you are interested in their court case you can find copies of all of the court documents and some email correspondence here http://cryptome.org/mbta-v-zack/mbta-v-zack.htm

    Also I think the MBTA is taking the wrong approach here. Instead of trying to give a gag order and hide the information (which will never work) they should just hire these kids to fix the system. I mean anyone who can create a “one button party mode” (http://web.mit.edu/zacka/www/midas.html) for their dorm room can fix these problems.

  • marxc2001 says:

    Interesting point – this has shown up on WikiLeaks…

    https://secure.wikileaks.org/wiki/Anatomy_of_a_Subway_Hack_2008

    Sapere Aude,

    M.

  • Interesting stuff here. I wish I knew more about this stuff. I’m trying to learn more about it.

  • axllaruse says:

    These kids are heroes.

    These kids have shown how careless the security was in this public transportation used by many civilians.

    What would happen if some nutjob decided to make an attack on the subway?

    How many lives do we have to put at risk before doing something about it?

    Do we need to wait for a disaster to happen before we decide to do something about it?

    These kids should be rewarded for being good citizens and risking their freedom in order to protect our lives by publishing the security risk on Boston.
