A new vulnerability has been found in subway travel cards in the US that lets users travel for free indefinitely. An Android application called UltraReset lets users reset the data on a travel card, which makes the card usable again and again.
The application takes advantage of a flaw found in particular NFC-based cards, the researchers said, adding that these cards are used in the San Francisco Muni and the New Jersey Path transit systems.
Both systems were tested by the researchers and both cities were informed about the possible abuse of the system, they said. “Both systems are still vulnerable as far as we know,” said Benninger, who added that San Francisco was informed in December 2011.
The hack exploits the Mifare Ultralight chip used in disposable contactless NFC cards, the researchers said. This type of chip allows anyone who has the know-how to rewrite data to the NFC chip, they said. “I coded the app in one night,” Benninger said, “and I’m not a coder so if somebody knows what they are doing it is pretty easy to do.”
The Mifare Ultralight can work much like a standard punch card system, but instead of punching holes in a paper ticket, the card can flip bits on to indicate that a travel unit has been used, the researchers said. Once turned on, those bits can never be turned back. The vulnerable systems, however, check the user information on the card but never turn the bits on, which enables exploiters to rewrite the cards, they added.
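The difference between the two gate designs can be shown with a small simulation. This is an added example, not code from the researchers or from any transit system: the card model is simplified (lock bytes are ignored), and the field layout, the `RIDES_SOLD` value and the function names are assumptions made for illustration.

```python
# Simplified model of a MIFARE Ultralight ticket: 16 pages of 32 bits.
OTP_PAGE = 3    # page 3 holds the one-time-programmable bits
USER_PAGE = 4   # assumed layout: rides remaining kept in the first user page
RIDES_SOLD = 2  # constructed fare product: a two-ride disposable ticket

class UltralightCard:
    def __init__(self, rides):
        self.pages = [0] * 16
        self.pages[USER_PAGE] = rides

    def read(self, page):
        return self.pages[page]

    def write(self, page, value):
        value &= 0xFFFFFFFF
        if page == OTP_PAGE:
            self.pages[page] |= value   # OTP: bits can be set, never cleared
        else:
            self.pages[page] = value    # user memory: freely rewritable

def gate_vulnerable(card):
    """Trusts only the rewritable counter and never touches the OTP bits."""
    left = card.read(USER_PAGE)
    if left == 0:
        return False
    card.write(USER_PAGE, left - 1)
    return True

def gate_hardened(card):
    """Turns on one OTP bit per ride; refuses once RIDES_SOLD bits are on."""
    used = bin(card.read(OTP_PAGE)).count("1")
    if used >= RIDES_SOLD:
        return False
    card.write(OTP_PAGE, 1 << used)
    return True

def rides_after_restore(gate):
    """Use the ticket up, write back a saved copy of every page, and count
    how many further rides the gate still accepts."""
    card = UltralightCard(RIDES_SOLD)
    snapshot = list(card.pages)
    while gate(card):
        pass
    for page, value in enumerate(snapshot):
        card.write(page, value)         # the OTP page ignores the cleared bits
    extra = 0
    while extra < 100 and gate(card):
        extra += 1
    return extra
```

A gate that records usage only in user memory accepts the restored ticket again, while the gate that turns on OTP bits does not, because writing the old page contents back cannot clear them.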
Other U.S. cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, use contactless ticketing and those systems could be vulnerable to the same technique, they said. Those systems, however, were not tested by the researchers, who said they had not been able to travel everywhere.
Here’s a video demonstration of the vulnerability using the UltraReset app with the NFC on a Samsung Galaxy Nexus.
[vimeo 49664045 500 450]