LAS VEGAS – The Massachusetts Bay Transportation Authority filed a suit in federal court on Friday seeking a temporary restraining order to prevent three undergraduate students from the Massachusetts Institute of Technology from presenting a talk at the DefCon hacker conference this weekend about security vulnerabilities in payment systems used in the Massachusetts mass transit system.

The transit authority, known as the MBTA, is seeking to prevent the students from "publicly stating or indicating" that electronic passenger tickets used on the transit system have been compromised until the MBTA can fix security flaws in the system. It further seeks to bar the students from releasing any tools or providing any information that would allow someone to hack the transit system and obtain free rides.

The MBTA says in its complaint that disclosure of the flaws, before it has a chance to fix them, will cause irreparable harm to the transit system.

The three student researchers, Zack Anderson, R.J. Ryan and Alessandro Chiesa, are scheduled to give a talk Sunday afternoon entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems."

According to a description of the talk posted on the conference website, the students plan to discuss vulnerabilities in the fare collection system of Boston's T subway system and to demonstrate how they reverse-engineered the magnetic stripe on the paper passenger tickets known as the CharlieTicket, as well as how they cracked the smartcard tickets known as the CharlieCard. They also plan to release several open-source tools that they created in the course of their transit card research.

The MBTA, which oversees the T subway, operates the fifth-largest transit system in the United States, serving 175 towns and cities. It uses both the CharlieTicket and the CharlieCard in its passenger payment system. The CharlieCard, first put into use in January 2007, brings the MBTA nearly $500,000 in revenue per weekday, according to the court documents. More than 68 percent of passengers use it to pay their fare.

The CharlieCard is a MiFare Classic card, which was the subject of much controversy earlier this year after Dutch researchers showed how they were able to hack the cards. But the MBTA says in the court papers that it has substantially enhanced the security of its MiFare cards with proprietary encryption, making previously reported flaws with the MiFare Classic card irrelevant to the CharlieCard.

The MBTA filed its suit in the U.S. District Court in Massachusetts against the three students and their university, alleging that the students violated the Computer Fraud and Abuse Act by accessing protected MBTA computers without authorization, for which the MBTA seeks unspecified damages. The MBTA also asserts that MIT and the students' supervisor, computer science professor Ron Rivest, failed to properly supervise the students to prevent them from attacking and harming the transit system.

The MBTA first became aware of the researchers' talk on July 30, when one of its vendors pointed it to the DefCon website where the talk was listed on the conference schedule. The description of the talk began with the provocative line, "Want free subway rides for life?" and discussed how the researchers social-engineered transit employees to accomplish their hack of the transit cards.

On August 5th, the court documents reveal, a detective with the transit police and an FBI agent met with the MIT students, Rivest, and an MIT lawyer to discuss their concerns and inquire about what the students would disclose in their talk. But the students would not provide the MBTA with a copy of the materials they planned to present in their talk or information about the security flaws they found in the transit system.

After that meeting the MBTA says the description of the talk on the conference website was revised to delete the reference to "free subway rides for life" and alter the comment about social engineering transit employees. (The image below right, taken from the court document, shows changes made to the description of the talk. Text with a line through it indicates deletions; underlined words indicate additions. The original description still appears in the printed version of the schedule that is being handed out to conference attendees.)

The MBTA asserted in the court filing that it sought the restraining order on Friday after again requesting a copy of the students' presentation materials and again failing to receive one.

Efforts to reach the three students and the MBTA for comment were unsuccessful.

A spokeswoman for the DefCon conference said she was aware that the MBTA had met with the students to discuss the talk but thought the meeting had satisfied the MBTA's concerns. She was not aware that the MBTA had gone to court to halt the talk.

She noted, however, that the restraining order would have little effect in suppressing the information at this point since the speakers' slides were on the conference CD-ROM, which had already been distributed to conference attendees Friday morning.

"The MBTA was a day late," she said.

UPDATE: The Electronic Frontier Foundation is representing the students. A hearing in the case occurred this morning in Massachusetts and a judge issued the restraining order. Jennifer Granick, an attorney with the Electronic Frontier Foundation, said through a DefCon spokeswoman that EFF advised the students to pull their talk.

UPDATE II: Among the documents the MBTA filed with its declaration to the court today is a vulnerability assessment report (.pdf) that the three students gave the MBTA about the flaws in its system. The document is dated August 8, the day the MBTA filed its lawsuit against the students, and is essentially the information the students declined to give the MBTA before it filed its lawsuit.

Ironically, the document reveals more about the vulnerabilities in the MBTA system than the slides the restraining order was meant to suppress. The vulnerability assessment report is now available for anyone to download from the Massachusetts court's electronic records system.

The EFF will be holding a press conference at DefCon this afternoon to discuss the case.

[Please see a follow-up story about the press conference.]

[A selection of slides from the pulled talk appeared here. Photo: B Tal]