
MBTA dismisses lawsuit against MIT students

The Massachusetts Bay Transit Authority (MBTA) has dismissed a lawsuit against three Massachusetts Institute of Technology (MIT) students who were banned from presenting research last summer at a hacker convention, the nonprofit representing the students announced Monday.

The students were set to show how weak encryption in the MBTA's transit fare payment system -- namely its RFID-based CharlieCard and CharlieTicket passes -- could be exploited through forgery and cloning to grant passengers free rides.

But, in August, a federal judge blocked the students -- Zack Anderson, R.J. Ryan and Alessandro Chiesa -- from giving a talk at the Defcon conference in Las Vegas.

The judge based his decision on the federal Computer Fraud and Abuse Act. But the Electronic Frontier Foundation (EFF), a digital rights watchdog that represented the students, said the law applied to computer intrusions, not research presentations at conferences.

About two weeks later, another judge sided with the students, ruling against an MBTA request that the restraining order banning the students from presenting their findings be extended another five months.

The MBTA had filed a separate lawsuit against the students, but formally dismissed that action on Oct. 7, Jennifer Stisa Granick, EFF's civil liberties director, told SCMagazineUS.com on Monday. Soon after, the students prepared a report and met with MBTA officials to discuss the vulnerabilities and ways to address them.

"From the very beginning, we wanted to help them out and make the system more secure," Anderson, 22, an MIT senior, told SCMagazineUS.com on Monday. "Now things are a lot more productive. They seem very receptive now to start fixing things. I think they're instituting the plan that we set out."

Anderson, who was home in Los Angeles for the semester break, said the students never planned to present any specifics that would have enabled people to construct attacks.

"This has been a big victory for disclosure," Anderson said. "People realize that the way to handle security vulnerabilities is not to try to squelch it, but to deal with it. I don't think they handled it correctly from the beginning, but things are now on track."

He said the students' discovery doesn't just apply to the MBTA, but to other transit systems across the world.

"The problem is potentially a lot bigger than Boston," Anderson said.

An MBTA spokesman on Monday referred questions to a prepared statement.

"This is a great opportunity for both the MBTA and the MIT students," MBTA General Manager Daniel Grabauskas said in the statement. "As we continue to research ways to improve the fare system for our customers, we appreciate the cooperative spirit demonstrated by the MIT students."
