Android NFC hack enables travelers to ride US subways for free, researchers say

The researchers who developed the application said transit systems in other US cities could be vulnerable

Contactless fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free, researchers demonstrated on Thursday during the EUSecWest security conference in Amsterdam.

An NFC (near field communication) Android smartphone can read the data from a fare card with, for instance 10 rides on it, using the "UltraReset" application, said Corey Benninger and Max Sobell, security researchers at the Intrepidus Group and the application's developers. When travelers have used up their balance they are able to write the stored data back to the card using the same app, resetting the balance to 10 rides, the researchers said.

"I can do that over and over again if I chose to," Benninger said during his talk. UltraReset works on Android 2.3.3 or later. (See a video of the researchers demonstrating the NFC hack in this Vimeo clip.)

The application takes advantage of a flaw found in particular NFC-based cards, the researchers said, adding that these cards are used in the San Francisco Muni and the New Jersey Path transit systems.

Both systems were tested by the researchers and both cities were informed about the possible abuse of the system, they said. "Both systems are still vulnerable as far as we know," said Benninger, who added that San Francisco was informed in December 2011.

The hack exploits the Mifare Ultralight chip used in disposable contactless NFC cards, the researchers said. This type of chip allows anyone who has the know-how to rewrite data to the NFC chip, they said. "I coded the app in one night," Benninger said, "and I'm not a coder so if somebody knows what they are doing it is pretty easy to do."

The Mifare Ultralight can work much like a standard punch card system, but instead of punching holes in a paper ticket the card can flip bits on to indicate that a travel unit has been used, the researchers said. Those bits can never be turned back, but in the vulnerable systems user information on the card is checked but the bits are never turned on, which enables exploiters to rewrite the cards, they added.

Other U.S. cities including Boston, Seattle, Salt Lake City, Chicago and Philadelphia also use a contactless ticketing system and those systems could also be vulnerable for the same technique, they said. Those systems, however, were not tested by the researchers, who said they had not been able to travel everywhere.

An adjusted version of the UltraReset app, dubbed UltraCardTester, was made available for download by the researchers on Thursday to enable people to test their local transit system's security. UltraCardTester has the same abilities as UltraReset but isn't able rewrite the card. The function was taken out so people don't abuse it, Benninger said.

The app is, however, able to see if the bits are turned on or not, he added, saying that this gives a good indication whether the system is vulnerable. "But you won't be able to check the back end," Benninger said.

The vulnerability could be fixed relatively easy, according to the researchers. Transit companies could use a more secure chip, or adjust their back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.

"Our purpose is not to rub anybody's nose in," said Sobell. "We just want to raise awareness for an issue that potentially could affect many systems."

Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?