Hacking transit systems that use NFC-based tickets

NFC-based contactless fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free, researchers demonstrated on Thursday during the EUSecWest security conference in Amsterdam.

“An NFC-enabled Android smartphone can read the data from a fare card with, for instance, 10 rides on it, using the ‘UltraReset’ application,” said Corey Benninger and Max Sobell, security researchers at the Intrepidus Group and the application’s developers. When travelers have used up their balance they are able to write the stored data back to the card using the same app, resetting the balance to 10 rides, the researchers said.

The video demonstrates resetting a 10-ride contactless subway card using an Android application the researchers wrote called “UltraReset”. This application takes advantage of a flaw found in particular NFC/RFID-based cards. These cards are used in at least two major US city transit systems, and the flaw could allow riders to continuously reuse their cards for travel. The hack exploits the Mifare Ultralight chip used in disposable contactless NFC cards, the researchers said.

We don’t condone this kind of use or hacking of NFC-based travel cards, but we believe that these types of travel hacks will become more frequent in the future. “I coded the app in one night,” Benninger said, “and I’m not a coder so if somebody knows what they are doing it is pretty easy to do.” The good news for travel companies, however, is that this vulnerability could be fixed relatively easily, according to the researchers. Transit companies could use a more secure chip, or adjust their back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.
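The second mitigation can be modelled in a few lines. The following is an added example, not the researchers' code or any transit operator's: it simulates a card in memory (no NFC I/O) and assumes that "the bits" are the Mifare Ultralight's one-time-programmable (OTP) bits, which the chip only ever sets and never clears. All class and function names are hypothetical.

```python
# Added illustration: a simulated card, no NFC I/O. Class and function names are hypothetical.
OTP_BITS = 32  # MIFARE Ultralight one-time-programmable page: bits only go 0 -> 1

class SimCard:
    """One rewritable ride counter plus the one-way OTP page."""
    def __init__(self, rides):
        self.user_rides = rides  # ordinary user memory, freely rewritable
        self.otp = 0             # OTP page

    def write_user(self, value):
        self.user_rides = value

    def write_otp(self, value):
        # The chip ORs the written value into the page, so set bits never clear.
        self.otp = (self.otp | value) & ((1 << OTP_BITS) - 1)

    def snapshot(self):
        return (self.user_rides, self.otp)

    def restore(self, snap):
        # Writing saved data back: user memory is replaced, OTP can only gain bits.
        self.write_user(snap[0])
        self.write_otp(snap[1])

def gate_weak(card):
    """Gate that trusts only the rewritable counter."""
    if card.user_rides <= 0:
        return False
    card.write_user(card.user_rides - 1)
    return True

def gate_hardened(card, sold_rides=10):
    """Gate that burns one OTP bit per ride and derives the balance from OTP."""
    used = bin(card.otp).count("1")
    if used >= min(sold_rides, OTP_BITS):
        return False
    card.write_otp(~card.otp & (card.otp + 1))  # set the lowest still-clear bit
    card.write_user(sold_rides - used - 1)      # display copy only, never trusted
    return True

def accepted_after_restore(gate, rides=10):
    """Use up the card, write the initial snapshot back, then try the gate again."""
    card = SimCard(rides)
    snap = card.snapshot()
    for _ in range(rides):
        assert gate(card)
    card.restore(snap)
    return gate(card)
```

With the weak gate the restored card is accepted again; with the hardened gate it is refused, because the restore cannot clear the OTP bits that record the rides already taken.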


One Comment on “Hacking transit systems that use NFC-based tickets”

  1. Free Rider
    September 24, 2012 at 10:53 am #

    This assumes that when you use the “recharged” card the metro database will not notice this discrepancy when it makes a reconciliation and block the card. So on the next attempt you are held at the gate and the guard alerted with the potential for arrest. You can then end up charged with a felony for the price of a subway ride – doh!
