Researchers Hack Transit Ticket Systems For Free Rides Using Android NFC

Security researchers have found a way to use an Android device to game certain types of cards used to pay for rides on transit systems.

Weak security in contactless transit cards using the MIFARE Ultralight chip could be exploited to rewrite data, such as adding new fares to get free rides, Corey Benninger and Max Sobell, researchers from the Intrepidus Group, told attendees at the EUSecWest conference in Amsterdam last week. The hack uses an Android app and a smartphone equipped with a near-frequency communications chip, they said.

The vulnerability lies in the fact that the tickets keep track of the number of trips left on the card but doesn’t invalidate the card once that number reaches zero, the researchers said. The Android app copies the data from a brand-new ticket and then writes that number back to the card when the rides are all used up, over and over.

“We know a number of cities are looking to roll out contactless technology and hope we can bring light to this issue so that it is implemented correctly in the future,” the researchers wrote in a blog post.

The attack does not work on all types of contactless tickets that use NFC, according to Benninger and Sobell. The exploit appears to work on disposable, paper tickets used for a specific number of trips, but not for permanent plastic cards with more complicated fare schemes. While a number of transit systems around the world use the MIFARE Ultralight chip, they don’t all appear to be affected.

It turns out the Ultralight chip includes a few bits of storage that can only be written only once, much like a physical card in which punching holes would cancel the card. Using the “One Way Counter” to invalidate the card when the rides were exhausted would prevent the attacker from repeatedly modifying the number of rides stored on the card. However, at least two transit systems in the United States, San Francisoc’s Muni rail and bus and Port Authority of New York and New Jersey’s PATH train system, are apparently not using those secure bits, and probably several more don’t as well, Benninger and Sobell said.

“A card could be limited to being used only a limited number of times,” but the secure storage area was “left unchanged by the two transit systems we looked at which used Ultralight cards,” the researchers wrote.

The Intrepidus Group released a different UltraCardTester app on to Google Play, which scans the data on a ticket to determine if the transit system in question is vulnerable. Even though San Francisco was warned back in December, the Muni system remained vulnerable as of Monday, according to The Register. “Full card emulation on smartphones is likely to happen soon. When this does, it could cause a number of NFC based access control systems to be re-evaluated,” the researchers wrote.