Massachusetts Bay Transportation Authority v. Anderson

Court: United States District Court for the District of Massachusetts
Full case name: Massachusetts Bay Transportation Authority v. Zack Anderson, RJ Ryan, Alessandro Chiesa, and the Massachusetts Institute of Technology
Decided: August 19, 2008
Prior action(s): injunction granted August 9, 2008, Civil Action No. 08-11364-GAO
Judge sitting: George A. O'Toole, Jr. [1]
Case opinions: Judge rejected MBTA's request to extend injunction
Massachusetts Bay Transportation Authority v. Anderson, et al., Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's CharlieCard automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution.


The MBTA claimed that the MIT students violated the Computer Fraud and Abuse Act (CFAA) and on August 9, 2008, was granted a temporary restraining order (TRO) against the students to prevent them from presenting information to DEFCON conference attendees that could have potentially been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional prior restraint.

The case garnered considerable popular and press attention when the injunction unintentionally became a victim of the Streisand effect, increasing the dissemination of the sensitive information of the students' presentation because the slides had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.

On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings. [2]

Background

In December 2007, warnings were published separately by Karsten Nohl [3] and Henryk Plötz about the weak encryption and other vulnerabilities of the security scheme as implemented on NXP's MIFARE chip set and contactless electronic card system. [4] [5] In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals. [6] [7] A comparable independent cryptanalysis, focused on the MIFARE Classic chip, was performed at Radboud University Nijmegen. On March 7 its scientists were able to recover a cryptographic key from the RFID card without using expensive equipment. [8] In keeping with responsible disclosure, Radboud University Nijmegen published its article [9] six months later. NXP tried to stop publication of that second article through a preliminary injunction. In the Netherlands, the judge ruled on July 18 that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published. [10]

In May 2008, MIT students Zack Anderson, [11] [12] Russell J. Ryan, [13] Alessandro Chiesa, [14] and Samuel G. McVeety presented a final paper in Professor Ron Rivest's 6.857: Computer and Network Security class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the value is stored on the card and not in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature algorithm to prevent forgeries, and there is no centralized card verification system. [15] Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the DEF CON hacker convention which claimed to review and demonstrate how to reverse engineer the data on the magstripe card, several attacks to break the MIFARE-based Charlie Card, and brute force attacks using FPGAs. [16]
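The four problems listed above (value kept on the card, card data freely rewritable, no cryptographic signature, no central verification) are easiest to see side by side. The following is an added example and not code from the students' paper or from any MBTA or NXP system: the record layout, the card ids and the issuer key are constructed for the demo. It contrasts an unprotected stored-value record with one carrying an issuer-keyed HMAC and a transaction counter, and shows how a central ledger catches a genuine but stale copy that a MAC alone would accept.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed demo key. In a real deployment it would live only in the
# issuer's back end or an HSM, never on the card or in the reader.
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"

# --- Weak design: balance lives on the card with no integrity protection ----

def encode_unsigned(card_id: int, balance_cents: int) -> bytes:
    """Card record holding only an id (u32) and a balance (u64), big-endian."""
    return struct.pack(">IQ", card_id, balance_cents)

def decode_unsigned(blob: bytes) -> Tuple[int, int]:
    """A reader that trusts this record cannot distinguish an edited balance from a real one."""
    return struct.unpack(">IQ", blob)

# --- Hardened design: keyed MAC over the record plus a transaction counter --

RECORD_FMT = ">IQI"                      # card_id, balance_cents, counter
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 16 bytes
TAG_LEN = 16                              # truncated HMAC-SHA256 tag

def encode_signed(card_id: int, balance_cents: int, counter: int) -> bytes:
    body = struct.pack(RECORD_FMT, card_id, balance_cents, counter)
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def verify_signed(blob: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (card_id, balance, counter) if the MAC verifies, else None."""
    if len(blob) != RECORD_LEN + TAG_LEN:
        return None
    body, tag = blob[:RECORD_LEN], blob[RECORD_LEN:]
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(RECORD_FMT, body)

# --- Central verification: the back end, not the card, is the source of truth

class CentralLedger:
    def __init__(self) -> None:
        self.cards = {}  # card_id -> (balance_cents, counter)

    def issue(self, card_id: int, balance_cents: int) -> bytes:
        self.cards[card_id] = (balance_cents, 0)
        return encode_signed(card_id, balance_cents, 0)

    def check(self, blob: bytes) -> str:
        """Classify a presented card record; only 'ok' should open a fare gate."""
        parsed = verify_signed(blob)
        if parsed is None:
            return "bad_mac"
        card_id, balance, counter = parsed
        if card_id not in self.cards:
            return "unknown_card"
        if self.cards[card_id] != (balance, counter):
            return "stale_or_cloned"   # valid MAC, but not the latest state
        return "ok"

    def debit(self, blob: bytes, fare_cents: int) -> Optional[bytes]:
        """Charge a fare and return the re-signed record, or None if refused."""
        if self.check(blob) != "ok":
            return None
        card_id, balance, counter = verify_signed(blob)
        if balance < fare_cents:
            return None
        new_state = (balance - fare_cents, counter + 1)
        self.cards[card_id] = new_state
        return encode_signed(card_id, *new_state)

def tamper_balance(blob: bytes, new_balance_cents: int) -> bytes:
    """Simulated overwrite of the 8-byte balance field at offset 4 on a writable card."""
    return blob[:4] + struct.pack(">Q", new_balance_cents) + blob[12:]

def demo() -> dict:
    results = {}
    # 1. Unsigned record: the forged balance is read back without complaint.
    weak = encode_unsigned(1001, 500)
    results["unsigned_forged_balance"] = decode_unsigned(tamper_balance(weak, 99_999))[1]
    # 2. Signed record: the same overwrite breaks the MAC and is refused.
    ledger = CentralLedger()
    card = ledger.issue(2002, 500)
    results["signed_forged"] = ledger.check(tamper_balance(card, 99_999))
    # 3. A genuine pre-debit copy of the record is caught only by the ledger.
    old_copy = card
    card = ledger.debit(card, 200)
    results["after_debit_ok"] = ledger.check(card)
    results["stale_copy"] = ledger.check(old_copy)
    results["balance_now"] = verify_signed(card)[1]
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MAC addresses the missing signature, and the counter plus ledger address the "value on the card" and "no centralized verification" points together: a tag-carrying record can still be copied wholesale, so the back end must know which counter value is current. Readers that cannot reach the ledger in real time would need a signed, monotonic counter and later reconciliation; that offline case is outside this example.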

Before the complaint was filed in August 2008, Bruce Schneier wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for." [17]

Litigation

On August 8, 2008, the MBTA filed suit seeking a temporary restraining order to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct the defects, and also seeking monetary damages. The motion was granted on August 9 by Judge Douglas P. Woodlock, [18] and while the students appeared as scheduled, they did not speak or present at the convention. [19] [20] However, the injunction not only drew more attention and press coverage to the case, but the sensitive information in the students' presentation became even more widely disseminated afterwards (the so-called Streisand effect), since it had both been distributed to conference organizers in the weeks before the injunction and been inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint. [21] [22]

The MBTA retained Holland & Knight to represent them and contended that under the norm of responsible disclosure, the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw and further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the Computer Fraud and Abuse Act. Furthermore, it was contended that this damage constituted a threat to public health and safety and the MBTA would suffer irreparable harm if the students were allowed to present; that the students converted and trespassed on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA. [23]

The MIT students retained the Electronic Frontier Foundation and Fish & Richardson to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication and the restraining order is a prior restraint infringing their First Amendment right to protected free speech about academic research. [24] [25] A letter published by 11 prominent computer scientists on August 11 supported the defendants' assertions and claimed that the precedent of the gag order will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure." [26]

On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings. [2]


References

  1. "Judges of the United States Courts - Biography of Judge George A. O'Toole, Jr". Federal Judicial Center. Archived from the original on September 21, 2008. Retrieved August 15, 2008.
  2. Malone, Scott (August 19, 2008). "Judge backs hackers in Boston subway dispute". Reuters. Retrieved August 19, 2008.
  3. "Karsten Nohl webpage". University of Virginia. Archived from the original on February 4, 2020. Retrieved August 15, 2008.
  4. Plötz, Henryk; Meriac, Milosch (August 2007). "Practical RFID Attacks". Berlin, Germany: Chaos Communication Camp.
  5. Courtois, Nicolas T.; Nohl, Karsten; O'Neil, Sean (April 14, 2008). "Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". IACR pre-print archive. Retrieved August 15, 2008.
  6. "Group Demonstrates Security Hole in World's Most Popular Smartcard". UVA Today. February 26, 2008. Archived from the original on August 5, 2012. Retrieved August 15, 2008.
  7. Dayal, Geeta (March 19, 2008). "How they hacked it: The MiFare RFID crack explained: A look at the research behind the chip compromise". Computerworld. Retrieved August 15, 2008.
  8. "Scientists of the Radboud University Nijmegen break the security of the MIFARE Classic cards" (PDF). Archived from the original (PDF) on March 18, 2021. Retrieved April 29, 2009.
  9. Garcia, Flavio D.; Gerhard de Koning Gans; Ruben Muijrers; Peter van Rossum, Roel Verdult; Ronny Wichers Schreur; Bart Jacobs (October 4, 2008). "Dismantling MIFARE Classic" (PDF). 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer. Archived from the original (PDF) on February 23, 2021. Retrieved July 19, 2020.
  10. Arnhem Court Judge Services (July 18, 2008). "Pronunciation, Primary Claim (dutch)". Rechtbank Arnhem. Archived from the original on February 15, 2012. Retrieved April 29, 2009.
  11. Zack Anderson homepage at MIT
  12. Zack Anderson personal homepage
  13. Russell J. Ryan homepage
  14. Alessandro Chiesa page at MIT
  15. Baxter, Christopher (August 12, 2008). "MIT students' report makes security recommendations to T". Boston Globe. Retrieved August 15, 2008.
  16. "Speakers for DEFCON 16". DEFCON Communications. Retrieved August 16, 2008.
  17. Schneier, Bruce (August 7, 2008). "Hacking Mifare Transport Cards". Schneier on Security newsletter.
  18. "Judges of the United States Courts - Biography of Judge Douglas Woodlock". Federal Judicial Center. Archived from the original on September 16, 2008. Retrieved August 15, 2008.
  19. McCullagh, Declan (August 9, 2008). "Judge orders halt to Defcon speech on subway card hacking". CNET News. Retrieved August 15, 2008.
  20. Lundin, Leigh (August 17, 2008). "Dangerous Ideas". MBTA v DefCon 16. Criminal Brief. Retrieved October 7, 2010.
  21. Heussner, Ki Mae (August 12, 2008). "Injunction to Silence MIT Student Hackers Backfires". ABC News. Retrieved August 15, 2008.
  22. Stix, Gary (August 14, 2008). "MIT hackers make Massachusetts officials nervous at Defcon". Scientific American: 60-Second Science Blog. Archived from the original on September 11, 2012. Retrieved August 15, 2008.
  23. Complaint, pp. 12–16.
  24. Response, pp. 9–17.
  25. McCullagh, Declan (August 13, 2008). "Transit agency wants MIT students to stay gagged". CNET News. Retrieved August 15, 2008.
  26. Letter from Computer Science Professors and Computer Scientists, p. 7.

Further reading

Court documents