Contactless fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free, researchers demonstrated on Thursday during the EUSecWest security conference in Amsterdam.
An NFC (near field communication) Android smartphone can read the data from a fare card with, for instance 10 rides on it, using the "UltraReset" application, said Corey Benninger and Max Sobell, security researchers at the Intrepidus Group and the application's developers. When travelers have used up their balance they are able to write the stored data back to the card using the same app, resetting the balance to 10 rides, the researchers said.
"I can do that over and over again if I chose to," Benninger said during his talk. UltraReset works on Android 2.3.3 or later.
The application takes advantage of a flaw found in particular NFC-based cards, the researchers said, adding that these cards are used in the San Francisco Muni and the New Jersey Path transit systems.
Both systems were tested by the researchers and both cities were informed about the possible abuse of the system, they said. "Both systems are still vulnerable as far as we know," said Benninger, who added that San Francisco was informed in December 2011.
The hack exploits the Mifare Ultralight chip used in disposable contactless NFC cards, the researchers said. This type of chip allows anyone who has the know-how to rewrite data to the NFC chip, they said. "I coded the app in one night," Benninger said, "and I'm not a coder so if somebody knows what they are doing it is pretty easy to do."
The Mifare Ultralight can work much like a standard punch card system, but instead of punching holes in a paper ticket the card can flip bits on to indicate that a travel unit has been used, the researchers said. Those bits can never be turned back, but in the vulnerable systems user information on the card is checked but the bits are never turned on, which enables exploiters to rewrite the cards, they added.
Other US cities including Boston, Seattle, Salt Lake City, Chicago and Philadelphia also use a contactless ticketing system and those systems could also be vulnerable for the same technique, they said. Those systems, however, were not tested by the researchers, who said they had not been able to travel everywhere.
An adjusted version of the UltraReset app, dubbed UltraCardTester, was made available for download by the researchers on Thursday to enable people to test their local transit system's security. UltraCardTester has the same abilities as UltraReset but isn't able rewrite the card. The function was taken out so people don't abuse it, Benninger said.
The app is, however, able to see if the bits are turned on or not, he added, saying that this gives a good indication whether the system is vulnerable. "But you won't be able to check the back end," Benninger said.
The vulnerability could be fixed relatively easy, according to the researchers. Transit companies could use a more secure chip, or adjust their back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.
"Our purpose is not to rub anybody's nose in," said Sobell. "We just want to raise awareness for an issue that potentially could affect many systems."