How (Not) to Fix a Flaw

Experts say disclosing bugs prevents security flaws from festering.

Efforts to censor three MIT students who found security flaws in the Boston subway's payment system have been roundly criticized by experts, who argue that suppressing such research could ultimately make the system more vulnerable.

Credit: Technology Review

The students were served with a temporary restraining order this weekend at the Defcon security conference in Las Vegas, preventing them from giving their planned talk on Boston subway's payment system.

According to slides submitted before the conference, which have also been posted online, their presentation "Anatomy of a Subway Hack" would have revealed ways to forge or copy both the old magnetic-stripe passes and the newer radio-frequency identification (RFID) cards used on Boston's subway, making it possible to travel for free. The restraining order was filed on behalf of the Massachusetts Bay Transportation Authority (MBTA), which spent more than $180 million to install the system, according to court documents. The MBTA has also brought a larger lawsuit accusing the students of violating the Computer Fraud and Abuse Act and accusing MIT of being negligent in its supervision of them.

One of the students involved, Zack Anderson, says his team had never intended to give real attackers an advantage. "We left out some details in the work we did, because we didn't want anyone to be able to attack the ticketing system; we didn't want people to be able to circumvent the system and get free fares," he says.

Story continues below

Marcia Hoffman, staff attorney with the Electronic Frontier Foundation, a digital-rights group that is assisting the MIT team with its defense, argues that researchers need to be protected as they investigate these types of flaws. "It's extremely rare for a court to bar anyone from speaking before that person has even had a chance to speak," she says. "We think this sets a terrible precedent that's very dangerous for security research."

The MBTA says it isn't trying to stop research, just buy time to deal with whatever flaws the students might have found. The agency also expressed skepticism about whether the MIT students had indeed found real flaws. "They are telling a terrific tale of widespread security problems, but they still have not provided the MBTA with credible information to support such a claim," says Joe Pesaturo, a spokesman for the MBTA. "It's that simple."