NFC-based contactless fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free, researchers demonstrated on Thursday during the EUSecWest security conference in Amsterdam.
“An NFC -enabled Android smartphone can read the data from a fare card with, for instance 10 rides on it, using the “UltraReset” application”, said Corey Benninger and Max Sobell, security researchers at the Intrepidus Group and the application’s developers. When travelers have used up their balance they are able to write the stored data back to the card using the same app, resetting the balance to 10 rides, the researchers said.
The video demonstrates resetting a 10 ride contactless subway card using an application on Android that the researchers wrote called “UltraReset”. This application takes advantage of a flaw found in particular NFC/RFID based cards. These cards are used in at least two major USA city transit systems and could allow riders to continuously reuse their cards for travel. The hack exploits the Mifare Ultralight chip used in disposable contactless NFC cards, the researchers said.
We don’t condone this kind of usage/hacks of NFC -based travel cards but we believe that these type of travel hacks will be come more frequent in the future. “I coded the app in one night,” Benninger said, “and I’m not a coder so if somebody knows what they are doing it is pretty easy to do.” The good news for travel companies however is that this vulnerability could be fixed relatively easy, according to the researchers. Transit companies could use a more secure chip, or adjust their back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.