Subway riders evade fares with Android NFC hack

No thanks to a hack on Android phones, subway riders in the United States can steal free subway rides by using their phones' near-field communication (NFC) feature.

 

Researchers demonstrated this at the EUSecWest security conference in Amsterdam, according to a report on tech site Mashable.

 

The NFC hack by researchers Intrepidus Group's Corey Benninger and Max Sobell in effect replenishes the fare cards of users for free, Mashable reported.

 

Dubbed UltraReset, the application lets travelers read a fare card's balance and write the stored data back to the card. This resets the balance to get more free rides.

 

UltraReset works on Android 2.3.3 or later.

 

The Mashable article cited a Computerworld article that quoted Benninger as saying he could replenish his card endlessly - "if I chose to."

 

UltraCardTester

 

But instead of releasing the app to the Google Play market, the researchers put out a tweaked version dubbed UltraCardTester to let people test their local transit system's security.

 

"You can't rewrite your subway card balance, but you can let the transit people know that their system's insecure," Mashable said.

 

Vulnerable cards

 

The researchers said their app exploits a flaw in some NFC-based cards that rely on Mifare Ultralight chips used in disposable, contactless NFC cards.

 

Benninger said the vulnerability comes from the Ultralight cards' counters, which Mashable said are easy to rewrite.

 

Mashable said the researchers described the Mifare Ultralight as like a punch card system that flips bits on to record trips rather than punching holes in a paper ticket.

 

Benninger and Sobell listed cities whose transit systems rely on it, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, to demonstrate how widespread NFC technology is.

 

 

Benninger and Sobell tested the transit systems of San Francisco with its Muni system, and New Jersey with its Path transit system, and found them exploitable.

 

They promptly and told San Francisco about it in December 2011, though Benninger said both cities still appear to be exposed to fare ripoff.

 

"Both systems are still vulnerable as far as we know," he said.

 

Easy to fix

 

The researchers said the vulnerability is easy to fix, as transit companies could use an alternative, more secure chip, or they could adjust back-end systems to make sure the bits in the cards are turned on when travel units are used. — TJD, GMA News