Davey Winder
Monday, 11 August 2008 04:09
A Judge has granted a restraining order against three students who were due to present a talk detailing vulnerabilities in the electronic ticketing system of the Massachusetts Bay Transportation Authority at the Defcon 16 hacker conference over the weekend...
The annual Defcon security and hacking conference can always be pretty much guaranteed to cause some kind of media stir, usually down to the nature of the exploits being demonstrated by 'security researchers' during the event.
Defcon 16, however, is unique as far as I can
tell in that the big controversy is about a demonstration that did not
happen.
On Friday, the Massachusetts Bay Transportation Authority filed a legal
suit in a federal court to get a temporary restraining order preventing
a bunch of Massachusetts Institute of Technology students from detailing
security vulnerabilities in the mass transit system ticketing
technology.
The filing sought to prevent the students from 'publicly stating or indicating' that electronic passenger tickets were compromised until such a time as the transportation authority had a chance to fix those same flaws. The argument was that the transit system would otherwise be irreparably harmed.
Zack Anderson, Alessandro Chiesa and RJ Ryan were to give their talk
"The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes
of Ticketing Systems" on Sunday. This would have discussed how they
reverse engineered the fare collection system, specifically the
magnetic stripe on tickets as well as the smartcard ticket used in
Massachusetts.
However, District Judge Douglas P. Woodlock granted the temporary
restraining order preventing them from giving the speech and
demonstration. In fact, the order prevents them from disclosing any
information that could be used by others to get a free subway ride for
a period of ten days.
The Electronic Frontier Foundation, which is representing the students, has described the decision as "an illegal prior restraint on legitimate academic research in violation of the First Amendment" and goes on to warn that "squelching research and scientific discussion won't stop the attackers."
Zack Anderson says, "We wanted to share our academic work with the security community and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes. We're disappointed that the court is preventing us from presenting our findings even with this safeguard."
The daft thing is that the kind of vulnerabilities that were to be
discussed are fairly well known within both the security research and
hacking communities. Indeed, the vacant Defcon speaking slot was
quickly filled by a Dutch security consultant.
His topic? Vulnerabilities in transit fare cards...