The following text is copyright 2008 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.

MBTA: misunderstanding publicity, misunderstanding security

Imagine you work for the transportation authority in a major US city. Over the last few years your authority deployed a fare collection system that uses both prepaid mag stripe and prepaid RFID-based fare cards. Now imagine that one of your suppliers points you at the agenda of a security conference where someone is going to give a talk whose description starts out with "want free subway rides for life?" The description goes on to say that the talk will show how to break your new fare cards. What would you do?

If you worked for the Massachusetts Bay Transportation Authority (MBTA) you might freak out and start throwing lawyers. In fact, that is just what happened. (Massachusetts transit agency sues to stop hacker talk - http://www.networkworld.com/news/2008/080908-massachusetts-transit-agency-sues-to.html) I suppose there could be dumber things to do in this circumstance, but it might take a while to think of one. Actually, come to think of it, you could sue after the slides for the presentation (http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf) had already been distributed to the 7,000 or more conference attendees, and you could append to your lawsuit a copy of a white paper (http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf) that covers about what the talk would have covered, thus making it a public document.

It would help if you were somewhat clueless about security and did not know that the underlying RFID technology your fare card uses had been broken earlier this year and the cat was well out of the bag. (Hacker trio finds a way to crack popular smartcard in minutes - http://www.networkworld.com/news/2008/030608-hacker-cracks-smartcard.html)

By suing, the MBTA has ensured maximum attention to the fact that their fare cards are breakable and cloneable. If they had ignored the situation, the story would likely have received almost no coverage, since there was little new in it. The security community already knew that the MBTA RFID cards used the discredited Mifare Classic RFID, and there would have been little interest in yet another example of breaking a technology that had already been broken. One thing that was not well known was that the mag stripe card was so poorly designed from a security perspective. The MBTA's lawsuit has ensured that the poor design will now be known by tens of thousands, if not hundreds of thousands, more people than would have found out if the talk had gone ahead.

The MBTA defaulted to the common but dumb idea that if security flaws are hidden they will not be exploited. This never works in the long run and runs counter to more than a hundred years of understanding about security. (see: FCC ignores more than 100 years of wisdom - http://www.networkworld.com/columnists/2007/070907bradner.html)

One can excuse the MBTA for doing what they did - the people involved were unlikely to have the faintest idea about either the effect of calling attention to the talk by suing or the futility of trying to hide security flaws. It's harder to excuse the judge granting the MBTA's request for an injunction (something that did not happen when the makers of the Mifare Classic chips tried to block Dutch researchers from disclosing their research into vulnerabilities in the technology - http://news.cnet.com/8301-1009_3-9994120-83.html).

It's also hard to excuse the makers of these cards for not understanding that they would get far better security if they asked for public review of their technology - the 6-bit checksum on the mag stripe fare card would not have survived 5 minutes of such review. Sadly, there is no empirical evidence that such companies learn anything from experience.

Disclaimer: Places like Harvard endeavor to get students to learn without having experienced absolutely everything, but the above discussion represents my opinion, not the university's.