December 22, 2008, 3:32 PM — Three Massachusetts Institute of Technology students who were sued earlier this year by the Massachusetts Bay Transit Authority (MBTA) said Monday that they are now working to make the Boston transit system more secure.
The announcement brings to a close a high profile case that pitted the rights of security researchers to freely discuss their findings against the concerns of one of the country's largest transit systems, which worried that this type of information could lead to widespread ticket fraud. "I'm really glad to have it behind me. I think this is really what should have happened from the start," said Zack Anderson, one of the students sued by the MBTA.
Anderson, along with Russell "RJ" Ryan and Alessandro Chiesa, was prevented from giving a talk entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems" at the Defcon hacker conference last August.
The students had planned to show that they had reverse engineered the MBTA's CharlieTicket magnetic stripe tickets and CharlieCard smartcards. The CharlieCard uses the same Mifare Classic RFID (radio frequency identification) technology that was cracked earlier this year by security researchers.
The MBTA had argued that the presentation could have caused "significant damage" to the transit system, but the students had said that they had no intention of releasing key pieces of information that would have allowed people to hack the system.
On Aug. 19, a judge threw out the MBTA's gag order, but the transit authority could have brought new motions against them, and so the case had been hanging over the MIT researchers.
The settlement ends the matter in an amicable way. "For professional reasons and for public interest reasons, the students wanted to help the MBTA," said Jennifer Granick, a lawyer with the Electronic Frontier Foundation who represents the students.
The case against the three was finally settled on Oct. 7, but this was not publicly announced until Monday, because it took two months for all parties to schedule a public announcement of the settlement, Granick said. The researchers met with MBTA technical staff on Oct. 21 to discuss their findings and are working to improve the transit authority's fare collection system, she added.
The MBTA could not be reached immediately for comment.
