Tuesday, September 2, 2008

How (Not) to Fix a Flaw

Experts say disclosing bugs prevents security flaws from festering.

Efforts to censor three MIT students who found security flaws in the Boston subway's payment system have been roundly criticized by experts, who argue that suppressing such research could ultimately make the system more vulnerable.

The students were served with a temporary restraining order this weekend at the Defcon security conference in Las Vegas, preventing them from giving their planned talk on the Boston subway's payment system.

According to slides submitted before the conference, which have also been posted online, their presentation "Anatomy of a Subway Hack" would have revealed ways to forge or copy both the old magnetic-stripe passes and the newer radio-frequency identification (RFID) cards used on Boston's subway, making it possible to travel for free. The restraining order was filed on behalf of the Massachusetts Bay Transportation Authority (MBTA), which spent more than $180 million to install the system, according to court documents. The MBTA has also brought a larger lawsuit accusing the students of violating the Computer Fraud and Abuse Act and accusing MIT of being negligent in its supervision of them.

One of the students involved, Zack Anderson, says his team had never intended to give real attackers an advantage. "We left out some details in the work we did, because we didn't want anyone to be able to attack the ticketing system; we didn't want people to be able to circumvent the system and get free fares," he says.

Marcia Hoffman, staff attorney with the Electronic Frontier Foundation, a digital-rights group that is assisting the MIT team with its defense, argues that researchers need to be protected as they investigate these types of flaws. "It's extremely rare for a court to bar anyone from speaking before that person has even had a chance to speak," she says. "We think this sets a terrible precedent that's very dangerous for security research."

The MBTA says it isn't trying to stop research, just buy time to deal with whatever flaws the students might have found. The agency also expressed skepticism about whether the MIT students had indeed found real flaws. "They are telling a terrific tale of widespread security problems, but they still have not provided the MBTA with credible information to support such a claim," says Joe Pesaturo, a spokesman for the MBTA. "It's that simple."

It is unclear, though, whether the MBTA can realistically buy the time it needs. Karsten Nohl, a University of Virginia PhD student who was one of the first to publish details of security vulnerabilities in MiFare Classic, the brand of wireless smart card used in Boston's system, says solving the problems could take a year or two and might even involve replacing all card readers and all cards in circulation.

This is not the first lawsuit to hit researchers who have studied the security of MiFare Classic. Last month, Dutch company NXP Semiconductors, which makes the MiFare cards, sued a Dutch university in an attempt to prevent researchers there from publishing details of similar security flaws. The injunction did not succeed, but as RFID technology continues to proliferate, other security experts are concerned about being able to discuss relevant security research openly.

Bruce Schneier, chief security technology officer at BT Counterpane, says the latest lawsuit only distracts from what's really at stake. "MiFare sold a lousy product to customers who didn't know how to ask for a better product," he says. "That will never get fixed as long as MiFare's shoddy security is kept secret." He adds, "The reason we publish vulnerabilities is because there's no other way for security to improve."

The same brand of RFID card is used on transport networks in other cities, including London, Los Angeles, Brisbane, and Shanghai, as well as for corporate and government identity passes. The technology has even been incorporated into some credit cards and cell phones.

Nohl says the industry should view the MIT students' work as a free service that could ultimately lead to better security. Although there has been plenty of academic research on the security of RFID, he says, little has yet made its way into products. "The core of the problem is still industry's belief that they should build security themselves, and that what they've built themselves will be stronger if they keep it secret," Nohl says.

Meanwhile, independent researchers have come up with a number of ideas for improving the security of RFID cards. Nohl and others are researching better ways of encrypting the information stored on the cards. But part of the problem is that the cards are passive, meaning that they will answer any reader that sends a request, whether or not the cardholder intends to use the card. Tadayoshi Kohno and colleagues at the University of Washington are working on a motion-sensing system that would let users activate their cards with a specific gesture, so that a card does not normally respond to requests. Karl Koscher, one of the researchers who worked on the project, says their system is aimed at increasing security without destroying the convenience that has made the cards so popular.
