
Three college students from the Massachusetts Institute of Technology (MIT) have been ordered by the federal court to cancel tomorrow’s (Aug 17, Sunday) presentation at the well-known hackers’ conference, DefCon, in Las Vegas, where they planned to showcase security flaws that they had researched in Boston’s subway. DefCon, which is a major attraction for the world’s best-known security experts, is an annual showcase of the latest discovered weaknesses in computers, phone equipment and other electronic machines. Some even consider it to be the Mecca of the cyber-security world!!
The students had planned to demonstrate how to use the vulnerabilities in the automated fare system to get free rides by hacking two of the system’s primary payment cards, namely CharlieTicket and CharlieCard. The transit system plans to implement the cards’ use on its commuter rail, boats and ferries, according to its Web site. So clearly, the implications of this hack are pretty large.
The Massachusetts Bay Transportation Authority said in a complaint filed Friday that the students offered to show others how to use the hacks before giving the transit system a chance to fix the flaws. The institution (MIT) has also been named in the suit.
The Electronic Frontier Foundation (EFF), which is representing MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa, plans to fight the order.
Jennifer Granick, civil liberties director of the EFF, justified the students’ plans, saying that they were simply trying to share their research and planned to omit key information that would make things easier for anyone who actually wanted to hack the payment system.
Electronic copies (.ppt/.pps/.pdf) of the 87-slide presentation titled “Anatomy Of A Subway Hack” were distributed to conference attendees on CDs on Thursday, one day before DefCon officially began (and a day before the suit was filed), and as expected, copies of the presentation have sprung up on the net. The presentation shows large flaws in the transit system’s physical security and also shows photographs of unlocked doors, turnstile control boxes and exposed computer monitors at subway stations. We at GreyHat India believe in complete transparency, so we provide you a torrent download link for the presentation:
PirateBay: thepiratebay.org/torrent/4336590/Anatomy_of_a_subway_hack_DEFCON_presentation_PDF
While one slide explains that the presentation would teach attendees how to generate fare cards, reverse engineer magnetic stripes on cards and hack radio frequency identification (RFID) cards, the very next slide screams in bold letters: “And this is very illegal! So the following material is for educational use only.”
“It is extremely important to maintain the security and integrity of the Fare Media systems,” Gary Foster, chief technology officer for the Boston Transit System, said in a court declaration. “With an insecure, compromised system, even basic revenue controls, to name one example, become significantly challenging. If you prevent legitimate researchers from talking about their findings, it’s not going to stop people from finding vulnerabilities. It’s going to stop the good guys from talking about them and from learning from each other,” Gary said. “The bad guys are still going to be looking for the vulnerabilities and still be finding them.”














August 16th, 2008 at 9:04 pm
Hey thanks for the torrent link…very helpful post.
August 17th, 2008 at 8:33 pm
For those of you who don’t use bittorrent, here’s a web-link to the same file:
http://file.sunshinepress.org:54445/anatomy-of-a-subway-hack.pdf
August 17th, 2008 at 10:31 pm
The post’s informative. Madmax. Nice stuff… keep it up