Three MIT students were ordered by a federal judge not to give a presentation at the annual DEF CON hacker convention on vulnerabilities in the fare-card system of Boston's public transit, The Tech reports. The judge issued a temporary restraining order on behalf of the Massachusetts Bay Transportation Authority. "The injunction prevents them from disclosing ways to hack into the system," an MBTA spokeswoman told the Boston Herald. "It's a preventive matter for us."
The students were planning to show their research on how the MBTA's CharlieTicket could be reprogrammed to contain up to $655.36, essentially allowing the hacker to ride the public transit system free.
The students say they were shocked to hear the MBTA was pursuing legal action. They say they had been in contact with the MBTA as early as July 31 about the DEF CON presentation and that relations between the two were generally cordial. One student added that he had left an August 4 meeting with the MBTA thinking the "issue had been resolved" and "that they would not face legal action." The lawsuit was filed late Friday afternoon, four days after that meeting and two days before the presentation.
Some security experts have criticized the students for not giving the MBTA enough lead time to respond before the presentation, noting that most software companies are given about a month to fix problems before vulnerabilities are made public. The MBTA was informed just 10 days before the convention talk.
The slides from the presentation, which were distributed to all DEF CON attendees, have found their way online. Ironically, most of the information about the vulnerabilities has been publicized anyway by the MBTA's inclusion of the hackers' slides and a vulnerability assessment report in its legal complaint, which is available online.