UPDATE: The MBTA won a temporary restraining order that will keep the students from discussing their findings. Read the judge's order (in PDF). Read the MBTA complaint (in PDF).
Wired reports the T wants to stop three MIT students from giving a talk at a hacker convention this weekend on their efforts to crack the CharlieCard system.
The transit authority, known as the MBTA, is also seeking to prevent the students from "publicly stating or indicating" that electronic passenger tickets used on the transit system have been compromised until the MBTA can fix security flaws in the system. It further seeks to bar the students from releasing any tools or providing any information that would allow someone to hack the transit system and obtain free rides.
A hearing is scheduled for 11 a.m. in U.S. District Court in Boston on the T's request for a temporary restraining order to keep Zack Anderson, RJ Ryan and Alessandro Chiesa from giving a talk at the DefCon conference in Las Vegas on Sunday on The Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems:
In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on the magstripe card; we present several attacks to completely break the CharlieCard, a MIFARE Classic smartcard used in many subways around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software-radio to read RFID cards. We survey 'human factors' that lead to weaknesses in the system, and we present a novel new method of hacking WiFi: WARCARTING. We will release several open source tools we wrote in the process of researching these attacks. With live demos, we will demonstrate how we broke these systems.
Human factors? So they managed to sweet-talk some T employees into inadvertently helping them out.
Anderson told The Register the trio initially contacted the T to offer their help in fixing the vulnerabilities and that they weren't planning to release specific enough details to let somebody else replicate their feats.