Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Efforts to censor three MIT students who found security flaws in the Boston subway’s payment system have been roundly criticized by experts, who argue that suppressing such research could ultimately make the system more vulnerable.

The students were served with a temporary restraining order this weekend at the Defcon security conference in Las Vegas, preventing them from giving their planned talk on Boston subway’s payment system.

According to slides submitted before the conference, which have also been posted online, their presentation “Anatomy of a Subway Hack” would have revealed ways to forge or copy both the old magnetic-stripe passes and the newer radio-frequency identification (RFID) cards used on Boston’s subway, making it possible to travel for free. The restraining order was filed on behalf of the Massachusetts Bay Transportation Authority (MBTA), which spent more than $180 million to install the system, according to court documents. The MBTA has also brought a larger lawsuit accusing the students of violating the Computer Fraud and Abuse Act and accusing MIT of being negligent in its supervision of them.

One of the students involved, Zack Anderson, says his team had never intended to give real attackers an advantage. “We left out some details in the work we did, because we didn’t want anyone to be able to attack the ticketing system; we didn’t want people to be able to circumvent the system and get free fares,” he says.

Marcia Hoffman, staff attorney with the Electronic Frontier Foundation, a digital-rights group that is assisting the MIT team with its defense, argues that researchers need to be protected as they investigate these types of flaws. “It’s extremely rare for a court to bar anyone from speaking before that person has even had a chance to speak,” she says. “We think this sets a terrible precedent that’s very dangerous for security research.”

The MBTA says it isn’t trying to stop research, just buy time to deal with whatever flaws the students might have found. The agency also expressed skepticism about whether the MIT students had indeed found real flaws. “They are telling a terrific tale of widespread security problems, but they still have not provided the MBTA with credible information to support such a claim,” says Joe Pesaturo, a spokesman for the MBTA. “It’s that simple.”

5 comments. Share your thoughts »

Credit: Technology Review

Tagged: Computing, Web, security, MIT, RFID

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me