US judge lifts gag order over transit card hack

A US judge has lifted a gag order on three students from the Massachusetts Institute of Technology (MIT) who were banned from talking publicly about security flaws they discovered in Boston's automated transit system.

Earlier this month MIT students Zack Anderson, Russell Ryan and Alessandro Chiesa were banned from discussing security vulnerabilities found in the Charlie fare card system operated by the Massachusetts Bay Transit Authority (MBTA) in Boston.

The trio were set to present their research at a security conference in Las Vegas where they had planned to demonstrate how they managed to change the value on a Charlie fare card from $2 to $653.

But on 9 August - 48 hours before the presentation - the MBTA secured an emergency injunction against the students that prevented them from presenting their findings. The MBTA lawsuit claimed that the disclosure of the information would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares.

But US District Judge George O'Toole has now lifted the order and rejected a request by the MBTA to impose a five-month injunction on the students.

Cindy Cohn, legal director at the Electronic Frontier Foundation (EFF), which is representing the students, applauded the removal of the injunction.

"We're very pleased that the court recognised that the MBTA's legal arguments were meritless," says Cohn. "The MBTA's attempts to silence these students were not only misguided, but blatantly unconstitutional."

The EFF says the judge found that it was unlikely that the CFAA would apply to security researchers giving an academic talk.

"A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities," says EFF staff attorney Marcia Hofmann. "Silencing researchers does not improve security - the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."

The lifting of the gag order means that the students can now discuss their research. But although the order was lifted, the MBTA's lawsuit against the students continues.

Boston's Charlie card system employs the Mifare chip developed by Dutch outfit NXP. The same chip is used in London's contactless Oyster travel card.

Last month NXP failed in its attempts to block publication of a paper by Dutch researchers detailing alleged security weaknesses - relating to an encryption algorithm - in the Mifare chips.

Earlier this year scientists at Radboud University in the Netherlands claimed they were able to use a cloned card to travel around London's underground network for free.

NXP had originally secured an injunction to stop the research being published, but the order was overturned by a Dutch court which found that the injunction violated freedom of expression laws.

MIT students' presentation - Anatomy of a Subway Hack
