The MBTA acknowledged in court yesterday that its CharlieTicket system is vulnerable to fraud, validating a key finding of three MIT students who drew attention to the security problems as part of a class project.
The admission came during a hearing at which a federal judge lifted a 10-day order barring the students from talking about their findings and denied the MBTA's request to keep them silent about the most sensitive parts of their research for five months.
The Massachusetts Bay Transportation Authority had previously declined to say whether its fare system was vulnerable, and one of the students who raised the issues said they were treated like pranksters for their attempts to unmask the problems.
"It's good that they've at least acknowledged that," Zack Anderson said in a telephone interview after yesterday's hearing. "The issues really do need to be fixed."
The 10-day order was granted by another federal judge earlier this month just before the students were scheduled to give a talk called "anatomy of a subway hack" at a hackers convention in Las Vegas. In an online advertisement for their presentation, the students said they could provide hackers with "free rides for life."
The lawyer representing the MBTA, Ieuan G. Mahony, and T general manager Daniel A. Grabauskas said the agency will now try to meet with the students in hopes of learning more about their research - a much more conciliatory approach than it had taken over the previous two weeks. Civil liberties groups and Internet technology buffs have been watching the case closely for its possible ramifications on the limitations of free speech as it relates to electronic security.
"I hope it gives people comfort that they can do security research . . . without fear that they're going to be dragged into federal court and gagged," said Cindy Cohn, legal director for the Electronic Frontier Foundation, which is representing the students.
At the same time, MBTA riders have been wondering how vulnerable the electronic fare system is.
MBTA officials and Anderson say the problems with the paper CharlieTicket are correctable and do not require scrapping the system.
According to the MBTA, fewer than a third of riders use the CharlieTicket - a paper ticket sold at most T stations. The card's magnetic strip is not encrypted and can be cloned using easily available equipment, according to the MIT students.
The MBTA did not acknowledge any security flaws with the more popular plastic CharlieCard, used by 70 percent of riders, though the MIT students argue that the card may be vulnerable, too. The CharlieCard contains a Radio Frequency Identification chip that provides a higher level of security, but still can be cloned or forged, according to the students.
"We didn't do any proven attack on the CharlieCard, but there are definitely issues present," said Anderson, who conducted the research with Alessandro Chiesa and R.J. Ryan.
The trio submitted a 30-page sealed document to the court last week that their lawyers said contained "the universe of information" and more than they ever intended to publicly reveal. That document, Mahony said, showed that the students were able to counterfeit and clone the CharlieTicket.
"The materials that we've gotten from the students so far don't show they've been able to compromise the CharlieCard," Mahony said.
In a statement, Grabauskas said he renewed "my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself."
He defended the lawsuit, although it has led to the widespread dissemination of some portions of the students' work.
Other MBTA officials painted the legal action as successful because it stopped the presentation at the hacker conference and compelled the students to give the agency more information about their findings. MBTA spokesman Joe Pesaturo said he does not know how much the MBTA will be billed for the legal work, which was handled by a private law firm.
Pesaturo downplayed the security issues, writing in an e-mail that corporations and public agencies will always need to make security enhancements to protect against hacking.
"It was not a flaw with the ticket or the system," Pesaturo wrote. "Someone has worked toward figuring out the combination to the padlock. We are changing the combination and adding more security enhancements."
But Mahony said the T was seeking the five-month restraining order because it needed that much time to correct any security problems.
US District Judge George A. O'Toole Jr. denied the MBTA's request for that order, not on the basis of whether the students were innocent or whether their First Amendment rights had been violated, but because he disagreed with the MBTA's reading of the federal law it used as the basis for its claim.
O'Toole said he agreed with the MBTA that the students' research, if publicized, "might facilitate" the cloning or forging of CharlieTickets. Still, he said, the damaging "transmission" of information that is regulated by the Computer Fraud and Abuse Act applies to computers, not to speech.
He also said the MBTA had not proved beyond speculation how much the students' findings had or could harm the agency. The Computer Fraud and Abuse Act applies only to damages of more than $5,000.
Cohn, of the Electronic Frontier Foundation, argued during the hearing that the MBTA had unfairly targeted the students rather than acknowledge its own weaknesses.
"It was not until just this morning that the MBTA admitted what the students were doing isn't a prank," Cohn said. "If there's ever been a shoot-the-messenger case, I guess this is it."
The students, she said, "didn't create the vulnerabilities," but were being punished for exposing them. They never intended to reveal the key information that would allow someone to hack into the system, Cohn said.
"This is a public debate on a matter of public importance, and they want to participate," she said.
The MBTA is still concerned that the students may have more information or haven't been truthful about their intentions, Mahony said during the hearing.
Anderson said he, Ryan, and Chiesa do not plan to tell anyone exactly how to exploit the MBTA's system.
"We've always maintained that there are certain details that we didn't want to disclose, because we don't want people defrauding the MBTA," he said yesterday afternoon. "We're definitely going to stay true to that."
Anderson said he would be willing to talk with MBTA officials and try to reach a resolution.
"We've always wanted to settle this amicably," he said. "My God, we never wanted any of this."