Tuesday, August 12, 2008

The MBTA's RFID

With them in debt and losing money, you think they would want the help.

Of course, to hear the MBTA tell it, there is no problem.

Then why are they so upset as to take the kids to court?

"MIT students' report makes security recommendations to T; MBTA chief faults school on response" by Christopher Baxter, Globe Correspondent and Hiawatha Bray, Globe Staff | August 12, 2008

A report provided to the MBTA by three MIT students recommends that the agency implement an auditing system to detect tickets with forged encryption codes, create a central repository to store the current value of cards, and improve physical security measures in stations across Boston.

The vulnerability assessment, a confidential document that researchers said was not part of any public presentation, was included in filings after the Massachusetts Bay Transportation Authority sued Friday in federal court. A judge granted a temporary order blocking the students from publicly discussing how to hack the CharlieCard and CharlieTicket system to ride the T for free.

The MBTA sued after learning that MIT students Zack Anderson, R.J. Ryan, and Alessandro Chiesa planned to present their findings Sunday at the DEFCON hacker convention in Las Vegas. The temporary order is valid for 10 days. Then the T must prove that the students' research poses such a risk that an extended injunction is necessary. The T is also seeking unspecified financial damages, according to court papers.

I don't think the kids will be able to cover the $8 BILLION debt, dudes!!!

Marcia Hofmann - staff lawyer for the Electronic Frontier Foundation, a nonprofit representing the students - called the decision a "dangerous precedent for security researchers," which could potentially discourage the investigation and improvement of technology across the country.

"That certainly would discourage security researchers from discussing their work and sharing information that might ultimately make systems more secure," Hofmann said.

Hey, who gives a fuck when the state is facing public humiliation?

Keep it quiet, will ya?

Anderson, a Los Angeles native and senior electrical engineering and computer science major, said the research started as a project in a network security class. He said the group was upfront with the MBTA, provided all the information it requested, and intended to help fix problems, rather than create more.

That's a good life lesson, kids.

GOVERNMENT CREATES PROBLEMS, it doesn't solve them!!!!

Despite the agency's efforts to keep the information under wraps, much of the technology and vulnerabilities of the CharlieCard and CharlieTicket were detailed in court filings.

Regular MBTA riders usually obtain a CharlieCard, a hard plastic card that contains a Radio Frequency Identification chip.

I don't want one then!!!

The card is pressed against a detector, which reads data from the chip and deducts the price of a subway or bus ride from the owner's account. Passengers can also use a paper CharlieTicket, which has a magnetic strip that stores the data. The report states that both cards can be cloned or forged.

Karsten Nohl, a German researcher who was one of the first to crack the CharlieCard's security, said he has been comparing notes with the MIT team and hopes to come to Boston to meet them. He may also give a public demonstration of the CharlieCard security flaw by purchasing a card and showing how to clone it, he said.

Like the demos on the election machines that show what crap they are?

--more--