Feeds

Researchers reveal NFC subway bonk-nonpayment scheme

Using Android phones to dodge fares

Seven Steps to Software Security

Transit systems around the world have begun turning to card-based "contactless" ticketing systems as an easy way to process fares. But according to security researchers, flaws in some ticketing schemes could allow savvy customers to bag themselves a permanent ticket to ride, using nothing more than an Android app and an NFC-enabled phone.

Speaking at the EUSecWest conference in Amsterdam last Thursday, Corey Benninger and Max Sobell of the Intrepidus Group revealed how weak security in certain tickets based on the MIFARE Ultralight chip could allow hackers to rewrite the data on the cards, potentially recharging them an infinite number of times.

Not every type of NFC-enabled transit ticket is vulnerable. The exploit only works on disposable, paper tickets that can be purchased for a specific number of trips. Permanent, plastic cards that offer more complicated fare schemes are not affected.

According to the researchers, the vulnerability lies in the fact that the tickets keep a count of the number of trips left on the card, but they do nothing to invalidate the card once the purchased number of trips is exhausted.

The Ultralight chip does include a few bits of storage that can only be written once and never again, which allows for the digital equivalent of punching a hole to the ticket to cancel it. But according to Benninger and Sobell, at least two US transit systems don't actually use this technique, and probably many more don't, either.

"We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future," the researchers write in a blog post explaining the technical details of the hack.

The Intrepidus Group says it has actually developed an Android app that can exploit the flaw by copying the data from a brand-new ticket, then writing it back to the card when the purchased number of trips are used up. All that is required is an NFC-enabled phone, as demonstrated in the video below:

The researchers haven't released this version of the app – much to the relief of transit operators, no doubt – but they have released a version that can scan the data from a ticket to determine if the transit system in question is vulnerable. That version is available from the Google Play store.

The two vulnerable transit systems the Intrepidus Group has identified are the City of San Francisco's Muni rail and bus system and the Path train system, which shuttles passengers between New York City and various parts of the State of New Jersey.

The researchers say they have contacted both transit operators, explained the problem, and provided recommendations on how to fix the flaw. But although they say they contacted San Francisco Muni in December, your West Coast Reg hack can confirm that the Intrepidus Group's app still reports Muni tickets as vulnerable as of Monday.

The larger issue, the researchers say, is that the security features built into these disposable ticketing systems may be inadequate in a world where NFC-enabled smartphones are commonplace.

"One of the items we also raised in our talk is that full card emulation on smartphones is likely to happen soon," the researchers write. "When this does, it could cause a number of NFC based access control systems to be re-evaluated." ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.