Something most troubling emerges from the email exchange between Electronic Frontier Foundation lawyer Jennifer Granick and MBTA attorney Ieuan Mahony, posted by News.com. The essence is that the MBTA itself included the MIT students' confidential report (PDF) to the MBTA on its security weaknesses as an exhibit in its complaint, and it is now a public document. The students identify the problems:
- Value is stored on card not in a central database
- Anyone with a card can read and write to it
- No crypto signature algorithm
- No centralized card verification
CharlieTickets are stored-value cards. The value is stored as unencrypted data on track 3 of the magnetic stripe card. Anyone in possession of one of these cards can read, copy, reverse-engineer and/or rewrite the data.
The CharlieTicket has a nontrivial checksum on track 3 of the magnetic card data. Unless an attacker knows how to calculate the checksum from the forged data, the card will not work. . . . Unfortunately, the checksum formula is not a secure cryptographic algorithm. In addition, it is only six bits long, which allows an attacker to execute a brute-force attack (trying all 64 cards until one works). We have purposely omitted details of this checksum in any public disclosures we have made. That said, this "security feature" has weaknesses that should be improved.
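To make the four findings above concrete, here is an added example (not code from the MIT report, the MBTA or its vendor): a toy stored-value track with a hypothetical unkeyed 6-bit checksum, the brute-force attack the report describes (the attacker rewrites the value and uses the gate as an oracle for at most 64 candidates), and the same attack against a keyed MAC. The track layout, the checksum formula and the key are all invented for illustration; the report deliberately did not publish the real CharlieTicket checksum, and nothing here reproduces it.

```python
# Added example (not from the MIT report or the MBTA): a toy stored-value
# track showing why a short, unkeyed checksum fails against an attacker who
# holds the card and can use the gate as an oracle, versus a keyed MAC.
# The 6-bit checksum, the track layout and DEMO_KEY are invented for
# illustration; the real CharlieTicket formula was withheld by the report.
import hashlib
import hmac
import struct

CHECKSUM_BITS = 6                                   # field width the report describes
DEMO_KEY = b"constructed-demo-key-do-not-reuse"     # assumed reader-side secret


def pack_payload(serial: int, value_cents: int) -> bytes:
    """Assumed track layout: 4-byte serial, 4-byte stored value (cents)."""
    return struct.pack(">II", serial, value_cents)


def decode_track(track: bytes):
    """Split a track into (serial, value_cents, tag_bytes)."""
    serial, value_cents = struct.unpack(">II", track[:8])
    return serial, value_cents, track[8:]


# --- weak design: value on the card, protected by an unkeyed 6-bit checksum

def toy_checksum(payload: bytes) -> int:
    """Hypothetical unkeyed checksum: byte sum reduced to 6 bits."""
    return sum(payload) & ((1 << CHECKSUM_BITS) - 1)


def issue_card_checksum(serial: int, value_cents: int) -> bytes:
    payload = pack_payload(serial, value_cents)
    return payload + bytes([toy_checksum(payload)])


def gate_accepts_checksum(track: bytes) -> bool:
    """Offline gate: recompute the checksum and compare with the card."""
    return len(track) == 9 and toy_checksum(track[:8]) == track[8]


# --- stronger design: keyed MAC whose key never leaves the reader ---------

def mac_tag(key: bytes, payload: bytes, tag_bytes: int) -> bytes:
    """HMAC-SHA256 truncated to tag_bytes; the card holder has no key."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:tag_bytes]


def issue_card_mac(key: bytes, serial: int, value_cents: int, tag_bytes: int = 8) -> bytes:
    payload = pack_payload(serial, value_cents)
    return payload + mac_tag(key, payload, tag_bytes)


def gate_accepts_mac(key: bytes, track: bytes, tag_bytes: int = 8) -> bool:
    payload, tag = track[:8], track[8:]
    return len(tag) == tag_bytes and hmac.compare_digest(mac_tag(key, payload, tag_bytes), tag)


# --- the attack from the report: rewrite the value, brute-force the tag ---

def bruteforce_tag(payload: bytes, tag_bytes: int, gate, budget: int):
    """Attacker holds a rewritten payload, cannot compute the tag, and
    presents candidate tags to the gate until one is accepted.
    Returns (forged_track, attempts) or (None, attempts) when the budget
    runs out. Work is bounded by 2**(8*tag_bytes); for a 6-bit checksum
    stored in one byte the 64 candidates 0..63 cover the whole space."""
    limit = min(budget, 1 << (8 * tag_bytes))
    for candidate in range(limit):
        track = payload + candidate.to_bytes(tag_bytes, "big")
        if gate(track):
            return track, candidate + 1
    return None, limit


if __name__ == "__main__":
    genuine = issue_card_checksum(1234567, 500)      # a $5.00 card
    forged, tries = bruteforce_tag(pack_payload(1234567, 10000), 1,
                                   gate_accepts_checksum, 64)
    print("checksum card rewritten to $100.00 after", tries, "tries:", forged is not None)

    genuine = issue_card_mac(DEMO_KEY, 1234567, 500)
    print("genuine MAC card accepted:", gate_accepts_mac(DEMO_KEY, genuine))
    forged, tries = bruteforce_tag(pack_payload(1234567, 10000), 8,
                                   lambda t: gate_accepts_mac(DEMO_KEY, t), 64)
    print("8-byte MAC card forged within 64 tries:", forged is not None)

    # a MAC truncated to one byte is still a 256-try problem: width matters too
    forged, tries = bruteforce_tag(pack_payload(1234567, 10000), 1,
                                   lambda t: gate_accepts_mac(DEMO_KEY, t, 1), 256)
    print("1-byte MAC card forged after", tries, "tries:", forged is not None)
```

Two things the toy makes visible. First, the attacker never needs the checksum formula: an offline gate is an unlimited oracle, and a 6-bit field bounds the work at 64 cards regardless of how the bits are computed. Second, keying alone is not enough; the one-byte HMAC falls in at most 256 tries, so the tag field has to be wide enough that guessing is infeasible, and the gate should be rate-limited or, as the report's fourth point suggests, the value should live in a central database where a forged card buys nothing.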
According to the email exchange, EFF warned the MBTA that by including the report in its court filing, MBTA – not the students – had exposed a critical bit of information on how to hack the cards. "We strongly urge you to take emergency measures to have it removed expeditiously," EFF's Granick wrote on Saturday afternoon. The MBTA's response, from an email by Mahony:
The MBTA's evaluators do not assess the risk of this information at the level you set in your email. The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal "emergency measures" are required.
So the situation that the judge must consider this morning: the students confidentially alerted the MBTA to a specific, critical vulnerability; they withheld the information from their presentation; the MBTA, perhaps unwittingly, made the document public in its request for a TRO; the MBTA was alerted to the danger that it – not the students – had created; and it concluded that it was not worth the effort to get the document removed from the public record. Now you be the judge. How would you view the MBTA's demand for a permanent injunction?