MBTA published checksum info in court filings

Something most troubling appears in the email exchange between Electronic Frontier Foundation lawyer Jennifer Granick and MBTA attorney Ieuan Mahony, posted by News.com. The essence is that MBTA itself included the MIT students' confidential report (PDF) to MBTA on their security weaknesses as an exhibit in their complaint, and it is now a public document. The students identify the problems:

  • Value is stored on card not in a central database
  • Anyone with a card can read and write to it
  • No crypto signature algorithm
  • No centralized card verification

CharlieTickets are stored-value cards. The value is stored as unencrypted data on track 3 of the magnetic stripe card. Anyone in possession of one of these cards can read, copy, reverse-engineer and/or rewrite the data.

The CharlieTicket has a nontrivial checksum on track 3 of the magnetic card data. Unless an attacker knows how to calculate the checksum from the forged data, the card will not work. . . . Unfortunately, the checksum formula is not a secure cryptographic algorithm. In addition, it is only six bits long, which allows an attacker to execute a brute-force attack (trying all 64 cards until one works). We have purposely omitted details of this checksum in any public disclosures we have made. That said, this "security feature" has weaknesses that should be improved.
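The four weaknesses the students list (value on the card, anyone can write it, no keyed signature, no central verification) map onto two concrete mitigations: a keyed MAC over the stored fields, and an issuer-side record of the last balance written to each card. The following is an added illustration, not code from the students' report, the MBTA or its vendor; the record layout, the 6-bit checksum formula and the issuer key are all constructed for the example and say nothing about the real CharlieTicket checksum, which the report deliberately omits. It shows a reader that trusts only a keyless checksum accepting both a replayed old balance and a rewritten value, while a reader that checks an HMAC tag and a central sequence number rejects each for a different reason.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed record layout (not the CharlieTicket format):
#   card_id (4 bytes) | value_cents (4 bytes) | seq (2 bytes)
#   | 1-byte keyless checksum | 16-byte truncated HMAC-SHA256 tag
FIELDS = ">IIH"
PAYLOAD_LEN = struct.calcsize(FIELDS)  # 10 bytes
TAG_LEN = 16

# Hypothetical issuer secret, held by the issuer and its readers only.
ISSUER_KEY = secrets.token_bytes(32)


def keyless_checksum6(payload: bytes) -> int:
    """Toy 6-bit keyless checksum (constructed, not the report's formula).
    It catches accidental corruption, but anyone who knows the formula can
    recompute it after editing the payload, and a blind guess is right 1 in 64."""
    return sum(payload) & 0x3F


def keyed_tag(payload: bytes, key: bytes = ISSUER_KEY) -> bytes:
    """Truncated HMAC-SHA256 over the payload; cannot be recomputed without the key."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def build_record(card_id: int, value_cents: int, seq: int) -> bytes:
    payload = struct.pack(FIELDS, card_id, value_cents, seq)
    return payload + bytes([keyless_checksum6(payload)]) + keyed_tag(payload)


def split_record(record: bytes):
    payload = record[:PAYLOAD_LEN]
    checksum = record[PAYLOAD_LEN]
    tag = record[PAYLOAD_LEN + 1:PAYLOAD_LEN + 1 + TAG_LEN]
    return payload, checksum, tag


def weak_verify(record: bytes) -> bool:
    """What a reader that trusts only the keyless checksum accepts."""
    payload, checksum, _ = split_record(record)
    return checksum == keyless_checksum6(payload)


class CentralLedger:
    """Issuer-side state: the latest sequence number written to each card.
    This supplies the 'centralized card verification' the report says is missing."""

    def __init__(self):
        self.latest_seq = {}

    def issue(self, card_id: int, value_cents: int) -> bytes:
        seq = self.latest_seq.get(card_id, 0) + 1
        self.latest_seq[card_id] = seq
        return build_record(card_id, value_cents, seq)

    def verify(self, record: bytes):
        """Return (accepted, reason). The keyed tag is checked before any
        field is trusted, so nothing is acted on from an unauthenticated record."""
        payload, _, tag = split_record(record)
        if not hmac.compare_digest(tag, keyed_tag(payload)):
            return False, "bad tag"
        card_id, _value, seq = struct.unpack(FIELDS, payload)
        if seq != self.latest_seq.get(card_id):
            return False, "stale record (replay of an older balance)"
        return True, "ok"


def rewrite_value(record: bytes, new_value_cents: int) -> bytes:
    """Model of the tamper case the report describes: the stored value is edited
    and the keyless checksum recomputed; the keyed tag is copied unchanged
    because the holder does not have the issuer key."""
    payload, _, tag = split_record(record)
    card_id, _value, seq = struct.unpack(FIELDS, payload)
    new_payload = struct.pack(FIELDS, card_id, new_value_cents, seq)
    return new_payload + bytes([keyless_checksum6(new_payload)]) + tag


def demo():
    ledger = CentralLedger()
    original = ledger.issue(card_id=7, value_cents=500)     # $5.00 loaded
    after_ride = ledger.issue(card_id=7, value_cents=300)   # $2.00 fare deducted
    inflated = rewrite_value(after_ride, 99_900)
    return {
        "genuine": ledger.verify(after_ride),
        "replayed_old_balance": (weak_verify(original), ledger.verify(original)),
        "rewritten_value": (weak_verify(inflated), ledger.verify(inflated)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two checks are deliberately separate: the MAC defeats editing the fields, and the ledger defeats copying a genuine older record back onto the card, which a MAC alone cannot detect because the old record's tag is still valid. A 16-byte tag also replaces the six-bit guessing margin with one that is not brute-forceable at a turnstile.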

According to the email exchange, EFF warned MBTA that by including the report in its court filing MBTA – not the students – had exposed a critical bit of information on how to hack the cards. "We strongly urge you to take emergency measures to have it removed expeditiously," EFF's Granick wrote on Saturday afternoon. The MBTA's response, from an email by Mahony:

The MBTA's evaluators do not assess the risk of this information at the level you set in your email. The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal "emergency measures" are required.

So this is the situation the judge must consider this morning: the students confidentially alerted MBTA to a specific, critical vulnerability; they withheld that information from their presentation; MBTA, perhaps unwittingly, made the document public in its request for a TRO; MBTA was alerted to the danger that it – not the students – had created; and it concluded that it was not worth the effort to get the document removed from the public record. Now you be the judge. How would you view MBTA's demand for a permanent injunction?

  • Who is MBTA?

    Admittedly, I could probably look it up, but it really should be one of the first things you mention in your article.
    • scroll down

      if you read earlier posts you would see, Mass Bay Transit Authority.
  • The important question is TRO, not PRO

    The spectre of a permanent restraining order is a red herring.

    The immediate harm in this case is that the current judge refuses to reconsider the far more damaging temporary restraining order.

    That TRO prevented the students from presenting the talk for criticism and analysis by their peers in the security community. Everyone's speech was infringed, not just the students but thousands of attendees at Defcon.

    I suspect (but do not know) that there is no civil venue to address that infringement, and to sue the T for filing a baseless claim.

    If the TRO expires without being soundly overturned, that TRO will be a precedent, and any corporate thug who wants to can cite it to shut down discussions of security issues at conferences.

    And that will truly be a problem. Yes, the info will eventually get out - it's amusing that the T themselves leaked the most important bits of this, but immaterial. The info will get out; once someone finds it, others will find it as well. (Consider Kaminsky's DNS bug; 51 hours from announcement and 'please don't discuss openly' to first private solutions reaching Dan.)

    But people will not have the opportunity to discuss it at security events and it will get less review, investigation and potential remediation.
  • RE: MBTA published checksum info in court filings

    Normal relationship between science (and those who understand) and political bureaucrats who try to leverage everything to their advantage without a clue to the consequences.
  • As "the judge", I'd tell MBTA to put a sock in it.

    Additionally, I'd make precedent-setting rulings about the BS gag-orders on security vulnerability reporting. This has gone on far too long with different entities: gag the report, then either do nothing or call even more attention to the issue, or publicize various facts that compromise their own security.

    In this case, as well as the similar European case, the most ridiculous thing is that this stuff isn't some odd and difficult to predict or understand vulnerability. They've designed these things like cr@p from the bottom up. And they did so in the ultra-paranoid world we have created in fear that "terrorists might do something". The MBTA should get slapped around by the equally inept DHS.

    This Mahoney clown and whoever submitted the "evidence" should get canned. They shot themselves in the foot, releasing the info they wanted suppressed, invalidating their own case, and not seeing any sort of problem with any of it.

    All they wanted to do was to stop the MIT students from presenting, out of spite. At least they are sure making it look that way.
  • RE: MBTA published checksum info in court filings

    I'd tell MBTA to drop dead or words to that effect. They already told what there is to tell.