Security researchers from Intrepidus Group have demonstrated a vulnerability at the EUSecWest security conference in Amsterdam that lets San Francisco public transportation users travel for free.
According to the researchers, the contactless fare cards in the New Jersey and San Francisco transit systems use the Mifare Ultralight chip that allows anyone to rewrite the card as needed. The system relies on a series of bits that are flipped whenever a ride is used. Corey Benninger and Max Sobell used an NFC-capable Android smartphone and the “UltraReset” application to rewrite data on the card and restore the fare balance to 10.
“I can do that over and over again if I chose to,” Benninger said in a quote for Computerworld. “I coded the app in one night,” Benninger said, “and I’m not a coder so if somebody knows what they are doing it is pretty easy to do.”
The same contactless payment system is used in other US cities, such as Boston, Seattle, Salt Lake City, Chicago and Philadelphia, but the researchers were unable to test these systems as of this writing. However, the researchers published a modified version of the UltraReset app, called UltraCardTester, to let other users assess whether their transit system is vulnerable to this type of attack.
“Our purpose is not to rub anybody’s nose in,” said Sobell. “We just want to raise awareness for an issue that potentially could affect many systems.”
The researchers also claimed that the transit companies could fix this vulnerability by simply switching to a safer breed of RFID chips, or by implementing additional checks in the back-end system to ensure the bits in the cards are turned on when all the fares have been exhausted.
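One form the back-end check could take, as an added example that is not code from the researchers or any transit operator: the server keeps its own ledger of rides sold and used per card and treats that ledger, not the card's rewritable data, as the source of truth. The event format, the alert strings and the card UIDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, in arrival order: (card_uid, kind, value).
#   "sale": value = rides sold to that card
#   "tap":  value = rides remaining as read from the card at the gate
SAMPLE_EVENTS = [
    ("04A1B2C3", "sale", 10),
    ("04A1B2C3", "tap", 10),
    ("04A1B2C3", "tap", 9),
    ("04A1B2C3", "tap", 10),   # card claims 10 again, ledger says 8
    ("04D4E5F6", "sale", 2),
    ("04D4E5F6", "tap", 2),
    ("04D4E5F6", "tap", 1),
    ("04D4E5F6", "tap", 2),    # every sold ride already used
]


def audit(events):
    """Return (allowed_taps, alerts), trusting the server ledger over the card."""
    sold = defaultdict(int)   # rides sold per card UID
    used = defaultdict(int)   # rides the back end has accepted per card UID
    allowed, alerts = 0, []
    for idx, (uid, kind, value) in enumerate(events):
        if kind == "sale":
            sold[uid] += value
            continue
        ledger_left = sold[uid] - used[uid]
        if ledger_left <= 0:
            # Card was exhausted (or never sold) yet still presents rides.
            alerts.append((idx, uid, "no rides left in ledger"))
        elif value > ledger_left:
            # Card reports more rides than were ever left: data was rewritten.
            alerts.append((idx, uid, "card balance exceeds ledger"))
        else:
            used[uid] += 1
            allowed += 1
    return allowed, alerts


if __name__ == "__main__":
    ok, findings = audit(SAMPLE_EVENTS)
    print(f"accepted taps: {ok}")
    for idx, uid, reason in findings:
        print(f"event {idx}: card {uid}: {reason}")
```

The same function can run as a batch audit over collected gate logs when the gates cannot reach the ledger in real time.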