The hacker conference DefCon is proving to be the source of breaking news this year. Much of the technology news coverage to come out of the show concerns the three MIT students who were to present a talk on the vulnerabilities in the transit pay cards used in the Boston area by the Massachusetts Bay Transportation Authority. The same system is used in and some other cities in the US.
The Data Security Podcast spoke with some noted security experts for their take on the Subway Card Hacking controversy. But first, a quick review of the facts as they were presented here.
The Massachusetts Bay Transportation Authority went to federal court on Friday, Aug 8th to get an injunction against the students to prevent them from giving their talk at DefCon. CNET's News.com is doing a great job on that coverage, including coverage of yesterday's press conference at 2PM PT with the students and their lawyer from the Electronic Frontier Foundation.
One of the deeper issues of contention is when the students actually disclosed the vulnerabilities to the transit authority in Massachusetts. Disclosing privately to the transit authority would allow it time to make changes to its systems in response to the vulnerabilities.
During yesterday's press conference, the students, through their spokesperson, EFF attorney Kurt Opsahl, would not answer when asked when they disclosed the results of their work to Massachusetts Bay Transportation Authority officials.
Late in the day Saturday, The Data Security Podcast spoke with two well-respected information security experts, Phil Zimmermann and Dan Kaminsky.
Phil Zimmermann was the creator of Pretty Good Privacy, an encryption tool that was the target of a long legal battle with the federal government that began seventeen years ago (and has since been resolved).
Phil told the Data Security Podcast that if the unconfirmed reports are true that the MIT students gave the Massachusetts Bay Transportation Authority less than ten days' notice of their talk at DefCon, then the students acted in an irresponsible manner by not giving the MBTA time to put into place changes or mitigating controls in response to the flaw the students allege. Phil said that many times information security researchers find a flaw, and in their excitement they rush out to show the world the flaw, which may not always be wise.
Dan Kaminsky is famous now for what is recognized by many security experts as the ethical way to disclose a security vulnerability. Dan went to great lengths to keep the nature of a major flaw he found out of the public eye until vendors could build patches to mitigate the flaw.
Dan's comments focused on a more practical part of the controversy. Dan said that there are "No signs that suppression of [security] talks accomplishes the [intended] goal. Suppression of speech highlights the issue." Dan feels that all the attention this controversy is bringing will encourage others to uncover the flaws. Interestingly, the buzz at the conference is that a lot of the information in the MIT students' talk was already uncovered by other researchers, and that information is on the internet. It appears that the MIT students leveraged flaws that were already
Dan also commented that, for the information security industry in general, when a flaw is uncovered by researchers, "You can expect co-operation from software vendors more than ever today."
Giving credibility to Dan's assertions is Brenno de Winter. Brenno is a Dutch journalist who has been covering the flaws in systems in Holland and the UK. Brenno says those systems are very similar to the ones in Massachusetts, and in other parts of the U.S. Brenno gave a talk today at DefCon on Dutch researchers who uncovered the flaws in the systems in use in Holland and the UK.
Brenno claimed that these RFID systems are not only used by transit agencies in Holland and the UK, but also for door access control by government agencies, data centers, and other secure areas.
Brenno showed a YouTube video and demonstrated how simple it is to defeat these systems, and how the information about these attacks is available by doing simple Google searches. Brenno also stated that Chinese electronics makers have had the equipment and access cards for sale on the "grey market" that would permit the creation of cloned cards.
Brenno speculated that all the attention on this topic will probably result in open source and other tools being released by security researchers interested in the topic. “It would be ignorant to think otherwise,” according to Brenno. One researcher that Brenno spoke with said that a modified iPhone could be used to get information from these access cards. By merely walking in an area where people have these cards in their wallets or purses, the access information on the card could be cloned.
If Brenno's claims are true, it appears that Pandora's box is already open on at least some of the flaws the MIT students were going to talk about. Here is the takeaway: When a security flaw is discovered by security research, the responsible action is to privately inform the company that makes the product, and give them a reasonable amount of time to address the flaw.
When companies are informed about a flaw, the prudent action is to understand the flaw and make the changes needed. Trying to keep the information away from the public is probably futile once a flaw is discovered.
We will cover more on DefCon in this week’s Data Security Podcast.