Skip to main content
August 25, 2008

MBTA Hack Shows Security Hasn't Improved in 10 Years

One of my old L0pht collegues, Peiter "Mudge" Zatko, is featured in Mass High Tech today in an article titled Bay State hackers find security holes in defibrillators, RFID.

Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks.

At last week’s Defcon hacker convention in Las Vegas, a team of researchers showed it was possible to get information such as Social Security numbers and medical diagnoses, and change the settings on an implantable defibrillator by impersonating the computer it communicates with wirelessly. By doing so, a hacker could send a fatal shock to a patient’s heart, said William Maisel of the Beth Israel Deaconess Medical Center.

It is almost like things haven't changed since the 90's when the L0pht worked to change the mindset of security:

    1. Don't trust vendor claims around security
    2. Attacks aren't "theoretical"
    3. Security by obscurity is no security


The L0pht worked as an independent security research think tank. For us it was non-profit side job researching and publishing vulnerabilities in software and hardware. We did it for our love of technology and published what we found out because purchasers and users of the vulnerable systems deserve to know.

It's 10 years later and the situation hasn't improved much. Mudge talks about the vulnerabilities the L0pht found in highway transponder systems that are still in systems being fielded today. But more important than the vulnerabilities themselves is the nature of how these vulnerabilities are coming to light. They are being found by hobbyists, students, and IT people working in their spare time. How can something as important as the security of public fare collection systems and medical equipment not have a standard process for security acceptance testing?

As we become more reliant on digital systems, with some even keeping us alive, it is high time for security testing to move beyond student papers and part time IT work. Security testing needs to become a formal part of the process of purchasing and fielding digital systems. Our lives are starting to depend on it.

Related Content

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.