Notes on the MIT/MBTA disclosure incident

COMSEC
Some MIT students broke the fare card system used by the Massachusetts Bay Transportation Authority (slides here) and were scheduled to present at DEFCON. The MBTA responded by seeking (and obtaining) a temporary restraining order forbidding them from disclosing "for ten days any information that could be used by others to get free subway rides." [*] Unfortunately for the MBTA, the presentation had already been distributed on CD-ROM to DEFCON attendees, so the order didn't have quite the impact they might have wanted. MIT's student newspaper The Tech also published a copy of the slides, so the information is pretty much out there now. Some thoughts:

  • Attempts to suppress this sort of information rarely work well. That's especially true here, because the attack with the best cost/benefit ratio is also the obvious one: duplicating the card's magstripe and replaying the copy. Once people know that is possible, and something that simple is hard to hide, the game is over.
  • According to this Wired article, the researchers didn't notify the MBTA and refused to give them details of the vulnerabilities they found:
    On August 5th, the court documents reveal, a detective with the transit police and an FBI agent met with the MIT students, Rivest, and an MIT lawyer to discuss their concerns and inquire about what the students would disclose in their talk. But the students would not provide the MBTA with a copy of the materials they planned to present in their talk or information about the security flaws they found in the transit system.

    I'd be interested in hearing more about their reasons for choosing not to reveal the information. Is it just that they didn't trust the MBTA?

  • There's something of a collective action problem here. If organizations respond to vulnerability notifications by trying to suppress them, researchers are likely to respond by simply publishing all the details unilaterally so that suppression is impossible. So even if suppression is the MBTA's best strategy (I'm not saying it is, see above, but they clearly think so), it is likely to lead to a regime in which organizations get no warning before disclosure, which doesn't seem optimal.
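To make the first point concrete, here is a toy model of the clone-and-replay attack on a stored-value magstripe card, added as an illustration; it is not the MBTA's card format and not the MIT students' code. The card layout (id, balance, counter, HMAC), the key and the fare are all assumed. The point it demonstrates is that an on-card integrity check does not help: the attacker's copy is a perfectly valid old state, so only a gate that keeps its own per-card state (here, the highest transaction counter it has seen) can reject the replay.

```python
"""Toy stored-value magstripe fare card and a clone/replay attack.

Constructed example, not the MBTA's actual format. The track holds
(card_id, balance, counter) plus a truncated HMAC so a gate can check
integrity. An attacker who can read and write the stripe snapshots the
raw bytes before riding and writes the snapshot back afterwards.
"""
import hashlib
import hmac
import struct

KEY = b"turnstile-key-example"   # assumed secret shared by issuer and gates
FARE = 200                       # assumed fare, in cents
_BODY = ">IIH"                   # card_id, balance, counter (10 bytes)


def _mac(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()[:8]


def encode_track(card_id: int, balance: int, counter: int) -> bytes:
    """Serialize card state and append its MAC (18 bytes total)."""
    body = struct.pack(_BODY, card_id, balance, counter)
    return body + _mac(body)


def decode_track(track: bytes):
    """Verify the MAC and return (card_id, balance, counter)."""
    body, mac = track[:10], track[10:]
    if len(mac) != 8 or not hmac.compare_digest(mac, _mac(body)):
        raise ValueError("bad MAC")
    return struct.unpack(_BODY, body)


def is_valid_track(track: bytes) -> bool:
    try:
        decode_track(track)
        return True
    except (ValueError, struct.error):
        return False


class OfflineGate:
    """Gate that trusts the stripe entirely; keeps no backend state."""

    def ride(self, track: bytes) -> bytes:
        card_id, balance, counter = decode_track(track)
        if balance < FARE:
            raise ValueError("insufficient balance")
        return encode_track(card_id, balance - FARE, counter + 1)


class OnlineGate(OfflineGate):
    """Gate that also remembers the highest counter seen for each card."""

    def __init__(self):
        self.last_counter = {}

    def ride(self, track: bytes) -> bytes:
        card_id, _balance, counter = decode_track(track)
        if counter < self.last_counter.get(card_id, 0):
            raise ValueError("replayed card state")
        new_track = super().ride(track)
        self.last_counter[card_id] = counter + 1
        return new_track


def replay_attack(gate, attempts: int) -> int:
    """Snapshot a card holding one fare, then present the snapshot repeatedly.

    The attacker ignores the updated track the gate writes and restores the
    snapshot each time. Returns how many rides the gate accepted.
    """
    snapshot = encode_track(1234, FARE, 0)   # constructed card, one fare loaded
    rides = 0
    for _ in range(attempts):
        try:
            gate.ride(snapshot)
        except ValueError:
            break
        rides += 1
    return rides


if __name__ == "__main__":
    print("offline gate, 5 attempts:", replay_attack(OfflineGate(), 5))
    print("online gate, 5 attempts: ", replay_attack(OnlineGate(), 5))
```

The offline gate accepts every replay because each copy carries a valid MAC; the online gate accepts the first ride and rejects the rest because the card's counter has fallen behind the backend's record. That is the whole vulnerability class, and it is why the cloning attack is both cheap and impossible to un-disclose.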

Of course, this ritual has played out at DEFCON and Black Hat before, so it wasn't exactly unexpected. Still, you'd think organizations would get smarter about not trying to suppress information once it's already too late.
