Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Hack Transit Ticket Systems For Free Rides Using Android NFC

Security researchers have found a way to use an Android device to game certain types of cards used to pay for rides on transit systems.

Security researchers have found a way to use an Android device to game certain types of cards used to pay for rides on transit systems.

Weak security in contactless transit cards using the MIFARE Ultralight chip could be exploited to rewrite data, such as adding new fares to get free rides, Corey Benninger and Max Sobell, researchers from the Intrepidus Group, told attendees at the EUSecWest conference in Amsterdam last week. The hack uses an Android app and a smartphone equipped with a near-frequency communications chip, they said.

Transit Systems Hacked Using NFCThe vulnerability lies in the fact that the tickets keep track of the number of trips left on the card but doesn’t invalidate the card once that number reaches zero, the researchers said. The Android app copies the data from a brand-new ticket and then writes that number back to the card when the rides are all used up, over and over.

“We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future,” the researchers wrote in a blog post.

The attack does not work on all types of contactless tickets that use NFC, according to Benninger and Sobell. The exploit appears to work on disposable, paper tickets used for a specific number of trips, but not for permanent plastic cards with more complicated fare schemes. While a number of transit systems around the world use the MIFARE Ultralight chip, they don’t all appear to be affected.

It turns out the Ultralight chip includes a few bits of storage that can only be written only once, much like a physical card in which punching holes would cancel the card. Using the “One Way Counter” to invalidate the card when the rides were exhausted would prevent the attacker from repeatedly modifying the number of rides stored on the card. However, at least two transit systems in the United States, San Francisoc’s Muni rail and bus and Port Authority of New York and New Jersey’s PATH train system, are apparently not using those secure bits, and probably several more don’t as well, Benninger and Sobell said.

“A card could be limited to being used only a limited number of times,” but the secure storage area was “left unchanged by the two transit systems we looked at which used Ultralight cards,” the researchers wrote.

The Intrepidus Group released a different UltraCardTester app on to Google Play, which scans the data on a ticket to determine if the transit system in question is vulnerable. Even though San Francisco was warned back in December, the Muni system remained vulnerable as of Monday, according to The Register. “Full card emulation on smartphones is likely to happen soon. When this does, it could cause a number of NFC based access control systems to be re-evaluated,” the researchers wrote.

Advertisement. Scroll to continue reading.
Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.