Wired: Boston Subway Officials Sue to Stop DefCon Talk on Fare Card Hacks
Three MIT students have figured out how to hack the fare card system used on the Boston-area public transit ("the T"), to ride for free, add money to a stored-value card, and other such things. They cracked both the RFID card and the magnetic-stripe card. Here is a PDF of their presentation.
They were planning to give a talk on their discoveries at DefCon, the big annual hacker/cracker convention. The Massachusetts Bay Transit Authority (MBTA), which runs the T, sued them to prevent them from giving the talk. The talk will not be given. The students' faculty advisor, Dr. Ron Rivest, is being given a hard time.
The MBTA are going about this exactly the wrong way! (Although their response is understandable.)
Security systems are only trustworthy if they are thoroughly tested in actual use -- by normal users, hackers, and crackers alike. No matter how hard the MBTA try to hush up their security flaw, it will not make the flaw magically go away. They should fix it. Yes, it will cost money, but my sympathy is limited.
It is basically a given that many people will hear about this security flaw, whether or not there is a DefCon talk about it. Hello, Internet. But if people hear about this flaw only through underground/unofficial channels, what impression does that give them of the MBTA? It gives the impression that they either don't know about the flaw, or know about it and aren't doing anything about it. It gives the impression that the people who run all of Boston's public transit are a bunch of incompetents.
Moreover, by stage-whispering "Shh! Don't tell anyone about this!", they're also saying "Hey, this is significant! And leaves us very vulnerable!"
(By the way, if their goal is to decrease the number of people who hear about their security flaw, they have failed dramatically, because it's getting all over the news now. For example, I don't know anything about the presentations at DefCon, but now I know there's a security flaw in the subway system I use all the time, precisely because they're suing my classmates over it.)
What should the MBTA be doing? Shouting this as loudly as possible: "Yes, we have a security flaw! Thank you guys so much for pointing it out! We're working around the clock to fix it!" This would give the impression that the MBTA is run by intelligent people who can face reality instead of frantically trying to make it magically disappear. People would realize that the MBTA is serious about fare security.
The "Fare Security: SERIOUS BUSINESS" attitude would help decrease all kinds of subway sleaziness, including people who break fare security by the super-advanced hack of jumping over the fare gates. Not to mention things like littering, graffiti, and panhandling (none of which are huge problems on the T, I'm glad to say!). If I see someone fare-jumping, it makes me think the subway system is for shit anyway, so what does it matter if I stick gum to my seat?
And besides, the MBTA's anti-hacker attitude will just annoy crackers and make them more inclined to crack the T fares. Being realistic, and trumpeting increased security, will make crackers less inclined to attack the T.
Come on, MBTA. Have the grace to admit you've been hacked, instead of going into denial. Fix the vulnerability. Show us all you're serious about fare security. In fact, why don't you talk civilly to the people who hacked you? I'm sure they could help you build a better system.
...And, because I need some levity, here's a related episode in the adventures of Domo-kun. Hooray, cute pictures.