Researchers reveal NFC subway bonk-nonpayment scheme

Using Android phones to dodge fares

Transit systems around the world have begun turning to card-based "contactless" ticketing systems as an easy way to process fares. But according to security researchers, flaws in some ticketing schemes could allow savvy customers to bag themselves a permanent ticket to ride, using nothing more than an Android app and an NFC-enabled phone.

Speaking at the EUSecWest conference in Amsterdam last Thursday, Corey Benninger and Max Sobell of the Intrepidus Group revealed how weak security in certain tickets based on the MIFARE Ultralight chip could allow hackers to rewrite the data on the cards, potentially recharging them an infinite number of times.

Not every type of NFC-enabled transit ticket is vulnerable. The exploit only works on disposable, paper tickets that can be purchased for a specific number of trips. Permanent, plastic cards that offer more complicated fare schemes are not affected.

According to the researchers, the vulnerability lies in the fact that the tickets keep a count of the number of trips left on the card, but they do nothing to invalidate the card once the purchased number of trips is exhausted.

The Ultralight chip does include a few bits of storage that can be written once and never again, which allows for the digital equivalent of punching a hole in the ticket to cancel it. But according to Benninger and Sobell, at least two US transit systems don't actually use this technique, and probably many more don't, either.
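The counter-only weakness and the one-time-programmable "hole punch" described above, as an added in-memory model that is not the article's or Intrepidus Group's code. It assumes the MIFARE Ultralight layout of 16 pages of 4 bytes (page 3 is OTP, where a write can only set bits; pages 4-15 are user memory) and a constructed fare layout with the trip counter in page 4. Two validators are compared: one that trusts the rewritable counter, and one that also burns an OTP bit per trip so a restored dump of a fresh ticket buys nothing.

```python
# Added example, not the article's or Intrepidus Group's code: an in-memory model of a
# MIFARE Ultralight ticket (16 pages x 4 bytes; page 3 is OTP, where writes OR in bits
# that can never be cleared; pages 4-15 are user memory). Counter in page 4 is assumed.
OTP_PAGE, COUNTER_PAGE, MAX_TRIPS = 3, 4, 10

def new_ticket():
    card = [bytearray(4) for _ in range(16)]
    card[COUNTER_PAGE][0] = MAX_TRIPS
    return card

def write_page(card, page, data):
    if page == OTP_PAGE:                      # chip semantics: OTP bits only ever set
        for i in range(4):
            card[page][i] |= data[i]
    elif 4 <= page <= 15:                     # user memory is freely rewritable
        card[page][:] = data

def otp_punches(card):
    return sum(bin(b).count("1") for b in card[OTP_PAGE])

def punch_counter_only(card):
    """Vulnerable validator: trusts the rewritable counter alone."""
    trips = card[COUNTER_PAGE][0]
    if trips == 0:
        return False
    write_page(card, COUNTER_PAGE, bytes([trips - 1, 0, 0, 0]))
    return True

def punch_with_otp(card):
    """Hardened validator: each trip burns one OTP bit, so a restored counter is caught."""
    used, trips = otp_punches(card), card[COUNTER_PAGE][0]
    if used >= MAX_TRIPS or trips != MAX_TRIPS - used:
        return False                          # exhausted, or counter contradicts the punches
    write_page(card, OTP_PAGE, ((1 << (used + 1)) - 1).to_bytes(4, "little"))
    write_page(card, COUNTER_PAGE, bytes([trips - 1, 0, 0, 0]))
    return True

def restore_snapshot(card, snapshot):
    for page in range(16):                    # write every page of a saved dump back
        write_page(card, page, snapshot[page])

def rides_after_restore(validator):
    """Rides a validator grants after a full-dump restore of a used-up ticket."""
    card = new_ticket()
    snapshot = [bytes(p) for p in card]       # dump taken while the ticket is fresh
    while validator(card):
        pass
    restore_snapshot(card, snapshot)
    return sum(1 for _ in range(MAX_TRIPS + 1) if validator(card))
```

The restore rewrites page 3 with zeros, which the OTP semantics silently ignore, so the hardened validator still sees ten punches and refuses the ticket.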

"We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future," the researchers write in a blog post explaining the technical details of the hack.

The Intrepidus Group says it has actually developed an Android app that can exploit the flaw by copying the data from a brand-new ticket, then writing it back to the card when the purchased number of trips is used up. All that is required is an NFC-enabled phone, as demonstrated in the video below:

The researchers haven't released this version of the app – much to the relief of transit operators, no doubt – but they have released a version that can scan the data from a ticket to determine if the transit system in question is vulnerable. That version is available from the Google Play store.

The two vulnerable transit systems the Intrepidus Group has identified are the City of San Francisco's Muni rail and bus system and the Path train system, which shuttles passengers between New York City and various parts of the State of New Jersey.

The researchers say they have contacted both transit operators, explained the problem, and provided recommendations on how to fix the flaw. But although they say they contacted San Francisco Muni in December, your West Coast Reg hack can confirm that the Intrepidus Group's app still reports Muni tickets as vulnerable as of Monday.

The larger issue, the researchers say, is that the security features built into these disposable ticketing systems may be inadequate in a world where NFC-enabled smartphones are commonplace.

"One of the items we also raised in our talk is that full card emulation on smartphones is likely to happen soon," the researchers write. "When this does, it could cause a number of NFC-based access control systems to be re-evaluated."
