Researchers reveal NFC subway bonk-nonpayment scheme

Transit systems around the world have begun turning to card-based "contactless" ticketing systems as an easy way to process fares. But according to security researchers, flaws in some ticketing schemes could allow savvy customers to bag themselves a permanent ticket to ride, using nothing more than an Android app and an NFC-enabled phone.

Speaking at the EUSecWest conference in Amsterdam last Thursday, Corey Benninger and Max Sobell of the Intrepidus Group revealed how weak security in certain tickets based on the MIFARE Ultralight chip could allow hackers to rewrite the data on the cards, potentially recharging them an infinite number of times.

Not every type of NFC-enabled transit ticket is vulnerable. The exploit only works on disposable, paper tickets that can be purchased for a specific number of trips. Permanent, plastic cards that offer more complicated fare schemes are not affected.

According to the researchers, the vulnerability lies in the fact that the tickets keep a count of the number of trips left on the card, but they do nothing to invalidate the card once the purchased number of trips is exhausted.

The Ultralight chip does include a few bits of storage that can only be written once and never again, which allows for the digital equivalent of punching a hole to the ticket to cancel it. But according to Benninger and Sobell, at least two US transit systems don't actually use this technique, and probably many more don't, either.

"We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future," the researchers write in a blog post explaining the technical details of the hack.

The Intrepidus Group says it has actually developed an Android app that can exploit the flaw by copying the data from a brand-new ticket, then writing it back to the card when the purchased number of trips are used up. All that is required is an NFC-enabled phone, as demonstrated in the video below:

The researchers haven't released this version of the app – much to the relief of transit operators, no doubt – but they have released a version that can scan the data from a ticket to determine if the transit system in question is vulnerable. That version is available from the Google Play store.

The two vulnerable transit systems the Intrepidus Group has identified are the City of San Francisco's Muni rail and bus system and the Path train system, which shuttles passengers between New York City and various parts of the State of New Jersey.

The researchers say they have contacted both transit operators, explained the problem, and provided recommendations on how to fix the flaw. But although they say they contacted San Francisco Muni in December, your West Coast Reg hack can confirm that the Intrepidus Group's app still reports Muni tickets as vulnerable as of Monday.

The larger issue, the researchers say, is that the security features built into these disposable ticketing systems may be inadequate in a world where NFC-enabled smartphones are commonplace.

"One of the items we also raised in our talk is that full card emulation on smartphones is likely to happen soon," the researchers write. "When this does, it could cause a number of NFC based access control systems to be re-evaluated." ®