Subway Hacking Case: Who’s Out of Line?

Three MIT students who found a security flaw in Boston’s transportation system won’t be talking about their discovery any time soon.

A federal judge has ruled against the students’ wishes and ordered them to stay silent, upholding a temporary restraining order requested by the Massachusetts Bay Transportation Authority. The MBTA sprang into action days before the students were set to reveal their findings at last weekend’s DEFCON 16 hackers’ conference.

The students say they found a simple way anyone could modify the cards used to pay for rides on Boston’s “T” subway system. In a nutshell, they discovered that the cards didn’t connect to a central database and didn’t have secure digital signatures — so adding hundreds of dollars in value to them wouldn’t take much.

The MBTA says it needs time to look over the data and decide how to handle it. Of course, when the complaint was filed, the paperwork detailing the flaw made its way onto the Internet — so it’s all really a moot point.

That’s what makes it so surprising, then, that the judge refused to lift the restraining order and let the students discuss their discovery. Anyone can already find the information — and, on top of that, the students say they offered to give the MBTA their findings in advance. (The MBTA, for its part, says it received only a summarized version and wanted to see the whole presentation.)

The Electronic Frontier Foundation is fighting for the students’ side, but so far, it’s been a losing battle. Up next, the students will have to give the judge more details about the flaw they found. He’ll then rule on Tuesday whether to extend the restraining order or let them finally speak.

Is it the students’ responsibility to hold the MBTA’s hand and walk it through what they found? Seems to me that the kids have already gone above and beyond any obligation they might have had. Technically, if the MBTA can prove that the information would cause it harm if released, it’ll have the law on its side — though it does make you wonder where the line lies, and why, when it comes to this sort of case.