Court blocks MIT students from showing subway hack



LAS VEGAS (AP) -- A federal judge ordered three college students to cancel a Sunday presentation at a computer hackers' conference where they planned to show security flaws in the automated fare system used by Boston's subway.

The temporary restraining order, issued by a U.S. district judge in Massachusetts, prevented the Massachusetts Institute of Technology students from demonstrating at the Defcon conference in Las Vegas how to use the vulnerabilities to get free rides.

The Electronic Frontier Foundation, which is representing MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa, plans to fight the order, said Jennifer Granick, the group's civil liberties director.

The Massachusetts Bay Transportation Authority said in a complaint filed Friday that the students offered to show others how to use the hacks before giving the transit system a chance to fix the flaws. MIT is also named in the suit.

But Granick told The Associated Press on Sunday that the students were simply trying to share their research and planned to omit key information that would make things easier for anyone who actually wanted to hack the payment system.

Lawyers for the transit system did not immediately return phone calls seeking comment on Sunday.

Electronic copies of the 87-slide presentation circulating on the Internet disparaged the transit system's physical security and showed photographs of unlocked doors, turnstile control boxes and exposed computer monitors at subway stations.

One slide explains that the presentation would teach attendees how to generate fare cards, reverse engineer magnetic stripes on cards and hack radio frequency identification (RFID) cards.

The next slide says: "And this is very illegal! So the following material is for educational use only."

The presentation was distributed to conference attendees on CDs on Thursday, before the conference officially began and the transit system filed suit.

In court documents, Gary Foster, chief technology officer for the transit system, said the presentation would "inflict significant damage" if the Massachusetts Bay Transportation Authority did not have a chance to correct the flaws.

"It is extremely important to maintain the security and integrity of the Fare Media systems," Foster said in a court declaration. "With an insecure, compromised system, even basic revenue controls, to name one example, become significantly challenging."

The MIT students' presentation was supposed to demonstrate hacks for the system's primary two payment cards -- CharlieCard and CharlieTicket -- which work on the system's subways and buses. The transit system plans to implement the cards' use on its commuter rail, boats and ferries, according to its Web site.

Granick said ordering the students to not share their findings would be "dangerous," and have a chilling effect on legitimate researchers who want to point out flaws that lead to system improvements.

"If you prevent legitimate researchers from talking about their findings, it's not going to stop people from finding vulnerabilities. It's going to stop the good guys from talking about them and from learning from each other," Granick said. "The bad guys are still going to be looking for the vulnerabilities and still be finding them."

Defcon, attended by many of the world's best-known security experts, has become an annual showcase of the latest discovered weaknesses in computers, phone equipment and other machines.
