The MBTA's fight to quiet three MIT students who uncovered vulnerabilities in the MBTA's Charlie Card ticketing system ended Aug. 19, as a federal judge lifted the 10-day gag order imposed on the students. The students had been blocked from presenting details of their findings at the Defcon conference earlier in August in Las Vegas. But the judge's decision to lift the MBTA's gag against the MIT students does not necessarily end the controversy: There is still the MBTA's lawsuit against the MIT students.
A federal judge decided today not to extend the gag order imposed on three
students to prevent them from releasing details of vulnerabilities in
the Massachusetts Bay Transportation Authority ticketing system.
The three students-Zack Anderson, RJ Ryan and Alessandro Chiesa-all hail
from MIT (Massachusetts Institute of Technology) and were set to reveal details
of their discovery at the Defcon conference in Las Vegas earlier in August.
Before they could, however, the MBTA filed a
lawsuit against both them and MIT in U.S.
district court in Massachusetts and
a judge issued a 10-day gag order Aug. 9 to block the students from making the
In the Aug. 19 hearing, the judge denied a request by the MBTA
to impose a five-month injunction blocking the students from releasing details
of the attack while the agency fixes the issue. The students' presentation
reportedly illustrated a way to produce fare cards, reverse-engineer the cards'
magnetic stripes and hack RFID (radio-frequency identification) cards.
The decision, however, does not necessarily end the controversy. There is
still the lawsuit, and there have been no reports as of yet that the city is
dropping it. There is also no shortage of opinions on whether or not the trio
should have been allowed to present their findings at the security conference
before the MBTA could address the issue.
"This is a plain and simple case of irresponsible
" said Eric Ogren, principal analyst with the Ogren Group. "Other
than fame for the presenters and MIT, what good comes out of this research? I
do not see how the world is a better place with the publicity of defrauding
transit systems. There is nothing responsible about this-I see this as a
The students did notify the MBTA of their
findings a few days prior to their scheduled appearance at Defcon, which
Forrester Research analyst Chenxi Wang said is proper security etiquette for
researchers who find vulnerabilities. However, the issue gets more complex
after that if the organization wants to prohibit the researcher from discussing
the vulnerability, she said.
"Is it an irresponsible disclosure after the researcher has notified
the company-in this case MBTA-but discloses
the vulnerability before it is fixed?" Wang asked. "What if it takes
a long time for the company to fix the vulnerability?"
Wang continued, "In this particular case, it is
arguable whether the vulnerability they discovered was critical or not. How
many people would hack the RFID card to get free rides on the T? The MBTA is
probably better off letting them publish the result and work with the
researchers to fix the vulnerability rather than pursuing injunction in the