Privacy Digest

News that can impact your privacy.
Boston Subway Board Member Delivers Scathing Criticism -- "System Is a Mess"

Submitted by MacRonin on August 16, 2008 - 2:23am
  • Companies
  • Editorial
  • Exploits
  • Government
  • Hmmm
  • Reports
  • Reviews
  • Security
  • Studies

Boston Subway Board Member Delivers Scathing Criticism -- "System Is a Mess" - Via Threat Level:

A member of the Massachusetts Bay Transportation Authority's board seized a report by three MIT students about flaws with the Boston subway's fare collection system and delivered a scathing indictment of the subway system and its general manager, calling the system "a mess" and saying she had "lost all confidence" in the system's general manager, Daniel A. Grabauskas.

The students, who were set to deliver a presentation last Sunday at the DefCon hacker conference about security vulnerabilities in the MBTA's CharlieTicket and CharlieCard payment cards, were barred from speaking about the vulnerabilities at a hacker conference after the MBTA obtained a temporary restraining order last Saturday, gagging them for ten days.

But on Wednesday at the MBTA's monthly board meeting, board member Janice Loux distributed copies of a report the students wrote about flaws that would allow someone to fraudulently increase the fare on a CharlieTicket or clone the tickets and CharlieCards, and told fellow board members that the report (.pdf) was just another example of why the automated system is a mess, according to the Boston Globe.

Much of what the students planned to present in their DefCon talk had already been disclosed publicly by other researchers. Flaws with the MiFare Classic cards made by NXP Semiconductors, which are the same cards used in the MBTA's payment system, were made public earlier this year when University of Virginia graduate student Karsten Nohl and two others revealed that they were able to crack the encryption algorithm used on the cards.

Then in July, Dutch researcher Bart Jacobs of Radboud University showed how he was able to wirelessly sniff MiFare Classic cards used by passengers in the London Underground's Oyster transit card to create a clone of the passenger's card and ride the subway for free. Jacobs was sued in July by NXP to prevent him from publishing a scientific paper about his findings, but won the case and plans to publish his paper in October.

The MBTA's Grabauskas told board members this week that past information released about the cards was either dismissed or dealt with by the MBTA, according to the Globe. Presumably that means it was dismissed because MBTA officials believed that past information about flaws in the MiFare card didn't apply to their card. In the original complaint the MBTA filed against the three MIT students, the transit authorities disclosed that they had added proprietary encryption to the MBTA card, suggesting that previously disclosed flaws were not present in the MBTA cards.

The MBTA's Grabauskas said that the Massachusetts payment system had received internal audits and federal reviews that had not raised any concerns about the payment cards.

A hearing is currently going on in Boston in the case. The MBTA has filed to revise the restraining order to bar the students only from discussing information about the payment system that is not public information, while the Electronic Frontier Foundation will be arguing to remove the restraining order.

The Globe has an editorial on the case today which acknowledges the need for researchers to engage in responsible disclosure but also calls for the judge to remove the restraining order.

 


See Also:

  • DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks
  • Federal Judge in DefCon Case Equates Speech with Hacking

(Read Original Article - Via Threat Level.)


Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.