A federal judge ordered three college students to cancel a Sunday presentation at a computer-hackers conference where they had planned to...

Share story

LAS VEGAS — A federal judge ordered three college students to cancel a Sunday presentation at a computer-hackers conference where they had planned to show security flaws in the automated fare system used by Boston’s subway.

The temporary restraining order, issued by a U.S. district judge in Massachusetts, prevented the Massachusetts Institute of Technology students from demonstrating at the Defcon security conference in Las Vegas how to use the vulnerabilities to get free rides.

The San Francisco-based Electronic Frontier Foundation, which is representing MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa, plans to fight the order, said Jennifer Granick, the group’s civil-liberties director.

The Massachusetts Bay Transportation Authority said in a complaint filed Friday that the students offered to show others how to use the hacks before giving the transit system a chance to fix the flaws. MIT is also named in the suit.

But Granick said Sunday the students were simply trying to share their research and planned to omit key information that would help anyone who wanted to hack the payment system.

Lawyers for the transit system did not immediately return phone calls seeking comment Sunday.

Electronic copies of the 87-slide presentation circulating the Internet disparaged the transit system’s physical security and showed photographs of unlocked doors, turnstile control boxes and exposed computer monitors at subway stations.

One slide explains that the presentation would teach attendees how to generate fare cards, reverse-engineer magnetic stripes on cards and hack radio frequency identification (RFID) cards.

The next slide says: “And this is very illegal! So the following material is for educational use only.”

The presentation was distributed to conference attendees on CDs Thursday, before the conference officially began and the transit system sued

In court documents, Gary Foster, the transit system’ chief technology officer, said the presentation would “inflict significant damage” if the Massachusetts Bay Transportation Authority didn’t have a chance to correct the flaws.

The MIT students’ presentation was supposed to demonstrate hacks for the system’s primary two payment cards — CharlieCard and CharlieTicket — which work on the system’s subways and buses. The transit system plans to implement the cards’ use on its commuter rail, boats and ferries, according to its Web site.

Granick said ordering the students not to share their findings would be “dangerous,” and have a chilling effect on researchers who want to point out flaws that lead to improvements.

“The bad guys are still going to be looking for the vulnerabilities and still be finding them.”