Feeds

Researchers reveal NFC subway bonk-nonpayment scheme

Using Android phones to dodge fares

The essential guide to IT transformation

Transit systems around the world have begun turning to card-based "contactless" ticketing systems as an easy way to process fares. But according to security researchers, flaws in some ticketing schemes could allow savvy customers to bag themselves a permanent ticket to ride, using nothing more than an Android app and an NFC-enabled phone.

Speaking at the EUSecWest conference in Amsterdam last Thursday, Corey Benninger and Max Sobell of the Intrepidus Group revealed how weak security in certain tickets based on the MIFARE Ultralight chip could allow hackers to rewrite the data on the cards, potentially recharging them an infinite number of times.

Not every type of NFC-enabled transit ticket is vulnerable. The exploit only works on disposable, paper tickets that can be purchased for a specific number of trips. Permanent, plastic cards that offer more complicated fare schemes are not affected.

According to the researchers, the vulnerability lies in the fact that the tickets keep a count of the number of trips left on the card, but they do nothing to invalidate the card once the purchased number of trips is exhausted.

The Ultralight chip does include a few bits of storage that can only be written once and never again, which allows for the digital equivalent of punching a hole to the ticket to cancel it. But according to Benninger and Sobell, at least two US transit systems don't actually use this technique, and probably many more don't, either.

"We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future," the researchers write in a blog post explaining the technical details of the hack.

The Intrepidus Group says it has actually developed an Android app that can exploit the flaw by copying the data from a brand-new ticket, then writing it back to the card when the purchased number of trips are used up. All that is required is an NFC-enabled phone, as demonstrated in the video below:

The researchers haven't released this version of the app – much to the relief of transit operators, no doubt – but they have released a version that can scan the data from a ticket to determine if the transit system in question is vulnerable. That version is available from the Google Play store.

The two vulnerable transit systems the Intrepidus Group has identified are the City of San Francisco's Muni rail and bus system and the Path train system, which shuttles passengers between New York City and various parts of the State of New Jersey.

The researchers say they have contacted both transit operators, explained the problem, and provided recommendations on how to fix the flaw. But although they say they contacted San Francisco Muni in December, your West Coast Reg hack can confirm that the Intrepidus Group's app still reports Muni tickets as vulnerable as of Monday.

The larger issue, the researchers say, is that the security features built into these disposable ticketing systems may be inadequate in a world where NFC-enabled smartphones are commonplace.

"One of the items we also raised in our talk is that full card emulation on smartphones is likely to happen soon," the researchers write. "When this does, it could cause a number of NFC based access control systems to be re-evaluated." ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.