Thoughts 10 Aug 2008 10:52 am
Judge halts Black Hat smart card presentation
CNET, LAS VEGAS–A federal judge on Saturday granted the Massachusetts transit authority’s request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.
The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.
The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe “several attacks to completely break the CharlieCard,” an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.
U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide “program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.” Woodlock granted the MBTA’s request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.
Also released as part of the public record was a document marked “confidential” and written by the researchers that explains exactly how the Charlie cards can be cloned and forged. “Our research shows that one can write software that will generate cards of any value up to $655.36,” the document says.
The document also discusses the lack of physical security at the MBTA. “Doors were left unlocked allowing free entry in many subways,” the document says. “The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open.”
One portion of the MBTA’s legal complaint that drew jeers from the Defcon crowd came in its odd claim that “A CharlieTicket standing alone constitutes a ‘computer’” under federal antihacking law.
This is an interesting court order in that it redefines the word “computer”. If this order stands the usb drive in your pocket will become a computer. Your debit card will become a computer and so will your drivers license.
What to do if you are a government or quasi government agency and have a broken system:
- Step one is to pretend there’s nothing wrong.
- Step two is to wait until the problem becomes public knowledge and then loudly deny that the problem exists.
- Step three is to “look into the problem” while continuing to deny that a problem exists.
- Step four is to try and muzzle whoever pointed out the problem by insisting that they broke the law by exposing the problem, and are in fact criminals.
- And the one thing you never do is fix the problem, voluntarily or otherwise.
The basic problem with the CharlieTicket and its’ ilk lies in the RFID approach.
A man in GB proved that he could capture data and clone a passport with little difficulty.
Anything that can be read without physical contact is a security liability. These devices are not in service to protect the consumer as various federal agencies have claimed, but rather to make it easier to track individuals.
The latest RFID technology can be read from 2 or three feet away, making it easier for retailers to track sales vs visits. And for groups like DHS to track where we go and when we go there.