Monday, August 11, 2008

The Right Way to Respond to Getting Hacked / Cracked

Wired: Boston Subway Officials Sue to Stop DefCon Talk on Fare Card Hacks

Three MIT students have figured out how to hack the fare card system used on Boston-area public transit ("the T") to ride for free, add money to a stored-value card, and do other such things. They cracked both the RFID card and the magnetic-stripe card. Here is a PDF of their presentation.

They were planning to give a talk on their discoveries at DefCon, the big annual hacker/cracker convention. The Massachusetts Bay Transit Authority (MBTA), which runs the T, sued them to prevent them from giving the talk. The talk will not be given. The students' faculty advisor, Dr. Ron Rivest, is being given a hard time.

The MBTA are going about this exactly the wrong way! (Although their response is understandable.)

Security systems are only trustable if they are thoroughly tested in actual use -- by normal users, hackers, and crackers. No matter how hard the MBTA try to hush up their security flaw, it will not make their security flaw magically go away. They should fix the flaw. Yes, it will cost money, but my sympathy is limited.

It is basically a given that many people will hear about this security flaw, whether or not there is a DefCon talk about it. Hello, Internet. But if people hear about this flaw only through underground/unofficial channels, what impression does that give them of the MBTA? It gives the impression that they either don't know about the flaw, or know about it and aren't doing anything about it. It gives the impression that the people who run all of Boston's public transit are a bunch of incompetents.

Moreover, by stage-whispering "Shh! Don't tell anyone about this!", they're also saying "Hey, this is significant! And leaves us very vulnerable!"

(By the way, if their goal is to decrease the number of people who hear about their security flaw, they have failed dramatically, because it's getting all over the news now. For example, I don't know anything about the presentations at DefCon, but now I know there's a security flaw in the subway system I use all the time, precisely because they're suing my classmates over it.)

What should the MBTA be doing? Shouting this as loudly as possible: "Yes, we have a security flaw! Thank you guys so much for pointing it out! We're working around the clock to fix it!" This would give the impression that the MBTA is run by intelligent people who can face reality instead of frantically trying to make it magically disappear. People would realize that the MBTA is serious about fare security.

The "Fare Security: SERIOUS BUSINESS" attitude would help decrease all kinds of subway sleaziness, including people who break fare security by the super-advanced hack of jumping over the fare gates. Not to mention things like littering, graffiti, and panhandling (none of which are huge problems on the T, I'm glad to say!). If I see someone fare-jumping, it makes me think the subway system is for shit anyway, so what does it matter if I stick gum to my seat?

And besides, the MBTA's anti-hacker attitude will just annoy crackers and make them more inclined to crack the T fares. Being realistic, and trumpeting increased security, will make crackers less inclined to attack the T.

Come on, MBTA. Have the grace to admit you've been hacked, instead of going into denial. Fix the vulnerability. Show us all you're serious about fare security. In fact, why don't you talk civilly to the people who hacked you? I'm sure they could help you build a better system.

...And, because I need some levity, here's a related episode in the adventures of Domo-kun. Hooray, cute pictures.


  1. This comment has been removed by the author.

  2. Question: did the students in question actually hack the cards, or did they just figure out how? If the latter, they deserve a shout out from MBTA; if the former, not so much. Of course, in either case there's no sense in trying to prevent the presentation.

  3. Well, in order to know how to hack something, you have to actually hack it. ('Theoretical hacking' is an oxymoron.) So, yes, in that sense, these students did "actually hack the cards".

    As I understand it, the consensus in the white-hat hacking community is that it's okay to break a security system as long as you don't actually exploit the break, and you bring the flaw to the attention of whoever's responsibility it is.

    These students told the MBTA about the flaw, and offered to help them fix it. I think it's a pretty safe bet that they weren't planning on getting much financial gain by exploiting the flaw they found.

    I'm told that there's kind of a protocol for politely publicizing security flaws: first you tell the people whose flaw it is, and give them some time to fix it, before you go public. For hardware-based problems, like this one, you give them longer because it takes longer to change hardware than software. So I guess these students could be faulted for going public too soon and not giving the MBTA enough lead time -- I'm not sure if this is actually the case. But even if it is, that's not a reason for the MBTA to sue them.

  4. IIRC magstripe, at least, doesn't have room for much information and should be relatively easy to hack. It's an old technology. I suspect they've been using it a couple decades. To fix it, they'd probably have to rip out the hardware in every station and put in something better. It's the kind of project that takes months of planning and an expenditure big enough to require approval by some body of government, which can also take months.

    Also, I believe that some sort of lawsuit and/or prosecution is required by the way the legal system works (or fails to work).