The hacker convention Defcon has increasingly become a hotbed of controversy. It seems that every year some proposed discussion gets someone riled up, and this year it is the Massachusetts Bay Transportation Authority (MBTA). The source of the trouble is a proposed paper by 3 MIT students that details security issues with the MBTA’s electronic ticketing system.

When the MBTA heard of the paper they immediately rushed into court to obtain a temporary restraining order to prevent the talk from going ahead. Their concern was that if the students discussed the security holes, the MBTA faced a real possibility of people using the information to hack the ticketing system.

This is all well and good, but in order to persuade the judge the MBTA had to explain the exact nature of the vulnerabilities, and naturally the document is in the public domain! So rather than the problem getting quietly buried in the world of the security types attending Defcon, now everyone knows about it! One wonders what the MBTA was thinking. So while the MBTA has now obtained a 10-day restraining order against the 3 MIT students, their dirty little secret is available for all to read.

Wired’s Threat Level blog has a nice article about the case, and they have also thoughtfully provided access to a copy of the offending document so we can all share the MBTA’s angst.

In a nutshell, the MBTA uses a very insecure system for its electronic fare tickets. One of the major issues is that the card’s balance is stored on the mag stripe rather than in some central database. With a couple of hundred dollars’ worth of easily obtained equipment, the would-be hacker can either clone tickets or add balance to real tickets.

Simon Barrett

http://zzsimonb.blogspot.com
