A federal judge decided today not to extend the gag order imposed on three students to prevent them from releasing details of vulnerabilities in the Massachusetts Bay Transportation Authority ticketing system.
The three students-Zack Anderson, RJ Ryan and Alessandro Chiesa-all hail from MIT (Massachusetts Institute of Technology) and were set to reveal details of their discovery at the Defcon conference in Las Vegas earlier in August. Before they could, however, the MBTA filed a lawsuit against both them and MIT in U.S. district court in Massachusetts and a judge issued a 10-day gag order Aug. 9 to block the students from making the presentation.
In the Aug. 19 hearing, the judge denied a request by the MBTA to impose a five-month injunction blocking the students from releasing details of the attack while the agency fixes the issue. The students’ presentation reportedly illustrated a way to produce fare cards, reverse-engineer the cards’ magnetic stripes and hack RFID (radio-frequency identification) cards.
The decision, however, does not necessarily end the controversy. There is still the lawsuit, and there have been no reports as of yet that the city is dropping it. There is also no shortage of opinions on whether or not the trio should have been allowed to present their findings at the security conference before the MBTA could address the issue.
“This is a plain and simple case of irresponsible disclosure,” said Eric Ogren, principal analyst with the Ogren Group. “Other than fame for the presenters and MIT, what good comes out of this research? I do not see how the world is a better place with the publicity of defrauding transit systems. There is nothing responsible about this-I see this as a malicious action.”
The students did notify the MBTA of their findings a few days prior to their scheduled appearance at Defcon, which Forrester Research analyst Chenxi Wang said is proper security etiquette for researchers who find vulnerabilities. However, the issue gets more complex after that if the organization wants to prohibit the researcher from discussing the vulnerability, she said.
“Is it an irresponsible disclosure after the researcher has notified the company-in this case MBTA-but discloses the vulnerability before it is fixed?” Wang asked. “What if it takes a long time for the company to fix the vulnerability?”
Wang continued, “In this particular case, it is arguable whether the vulnerability they discovered was critical or not. How many people would hack the RFID card to get free rides on the T? The MBTA is probably better off letting them publish the result and work with the researchers to fix the vulnerability rather than pursuing injunction in the court system.”