Researchers Hack Transit Ticket Systems For Free Rides Using Android NFC

Security researchers have found a way to use an Android device to game certain types of cards used to pay for rides on transit systems.


Weak security in contactless transit cards using the MIFARE Ultralight chip could be exploited to rewrite data, such as adding new fares to get free rides, Corey Benninger and Max Sobell, researchers from the Intrepidus Group, told attendees at the EUSecWest conference in Amsterdam last week. The hack uses an Android app and a smartphone equipped with a near-field communication (NFC) chip, they said.

The vulnerability lies in the fact that the tickets keep track of the number of trips left on the card but don’t invalidate the card once that number reaches zero, the researchers said. The Android app copies the data from a brand-new ticket and then writes that number back to the card when the rides are all used up, over and over.

“We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future,” the researchers wrote in a blog post.

The attack does not work on all types of contactless tickets that use NFC, according to Benninger and Sobell. The exploit appears to work on disposable, paper tickets used for a specific number of trips, but not for permanent plastic cards with more complicated fare schemes. While a number of transit systems around the world use the MIFARE Ultralight chip, they don’t all appear to be affected.

It turns out the Ultralight chip includes a few bits of storage that can be written only once, much like a physical card in which punching holes would cancel the card. Using the “One Way Counter” to invalidate the card when the rides were exhausted would prevent the attacker from repeatedly modifying the number of rides stored on the card. However, at least two transit systems in the United States, San Francisco’s Muni rail and bus and Port Authority of New York and New Jersey’s PATH train system, are apparently not using those secure bits, and probably several more don’t as well, Benninger and Sobell said.

“A card could be limited to being used only a limited number of times,” but the secure storage area was “left unchanged by the two transit systems we looked at which used Ultralight cards,” the researchers wrote.
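The difference between trusting the rewritable ride count and using the write-once bits can be shown with a small in-memory model. This is an added example, not code from the researchers or from any transit system; it does no NFC I/O. Page 3 as the 32-bit one-time-programmable area follows the MIFARE Ultralight memory layout, while storing the ride count in page 4, the issuance scheme and all function names are assumptions made for the illustration.

```python
# Added example: in-memory simulation only. Page 3 is the Ultralight's 32-bit OTP area.
OTP_PAGE = 3
RIDES_PAGE = 4  # assumption: "rides left" is kept in the first user page

class UltralightSim:
    """Constructed model of a 16-page x 4-byte card."""
    def __init__(self):
        self.pages = [bytes(4) for _ in range(16)]

    def write(self, page, data):
        if len(data) != 4:
            raise ValueError("a page is 4 bytes")
        if page == OTP_PAGE:
            # OTP semantics: bits are OR-ed in and can never be cleared.
            data = bytes(a | b for a, b in zip(self.pages[page], data))
        self.pages[page] = data

def issue(card, rides):
    """Hypothetical issuance: leave exactly `rides` OTP bits unset."""
    if not 0 < rides <= 32:
        raise ValueError("rides must be 1..32")
    card.write(RIDES_PAGE, rides.to_bytes(4, "big"))
    card.write(OTP_PAGE, ((1 << (32 - rides)) - 1).to_bytes(4, "big"))

def validate_weak(card):
    """Trusts only the rewritable counter, the design the article describes."""
    rides = int.from_bytes(card.pages[RIDES_PAGE], "big")
    if rides == 0:
        return False
    card.write(RIDES_PAGE, (rides - 1).to_bytes(4, "big"))
    return True

def validate_hardened(card):
    """Burns one OTP bit per ride; rejects once all 32 bits are set."""
    otp = int.from_bytes(card.pages[OTP_PAGE], "big")
    if otp == 0xFFFFFFFF:
        return False
    next_bit = (otp + 1) & ~otp  # lowest unset bit
    card.write(OTP_PAGE, next_bit.to_bytes(4, "big"))
    return True

def rides_after_restore(validate, rides=2):
    """Exhaust a ticket, write back the fresh-card snapshot, count rides then accepted."""
    card = UltralightSim()
    issue(card, rides)
    fresh = list(card.pages)
    while validate(card): pass
    for page in range(OTP_PAGE, 16):
        card.write(page, fresh[page])
    return sum(1 for _ in range(5) if validate(card))
```

With the weak validator the restored snapshot is accepted again for the full ride count; with the hardened one the OTP bits stay set after the write-back, so the ticket remains dead.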

The Intrepidus Group released a different UltraCardTester app to Google Play, which scans the data on a ticket to determine if the transit system in question is vulnerable. Even though San Francisco was warned back in December, the Muni system remained vulnerable as of Monday, according to The Register. “Full card emulation on smartphones is likely to happen soon. When this does, it could cause a number of NFC based access control systems to be re-evaluated,” the researchers wrote.
