Hackers Expose Security Holes That Allow 'Free Rides for Life'





LAS VEGAS — Last year, two security researchers showed how to hack an NFC-enabled ticket to get free rides on public transportation, taking advantage of a poorly implemented security feature.


Just several months later, two teenage Italian hackers discovered even more ways to hack the same type of ticket for free rides, and their methods work even when the security feature that last year's systems lacked is switched on.


These tickets, Mifare Ultralight chips, are used in many major cities around the world.



Matteo Collura, 18, and Matteo Beccaro, 19, uncovered two new security holes that allow them to timestamp the ticket with an NFC-enabled Android phone and turn a limited-ride ticket into an unlimited one. They claim the hacks are fairly easy to reproduce.


"You can get free rides for your life," Beccaro said at the hacking conference Def Con on Saturday, where the two teens presented their hack. Conferences like Def Con let hackers expose holes so companies can fix them.


The two decided to study ticket security after the city of Turin implemented NFC-enabled cards in January.


Beccaro and Collura first needed to find out how the chips worked, which turned out to be easy. "They advertise it on their website," Beccaro said in response to a question at the conference about how they discovered the loophole. After the crowd erupted in laughter, he shrugged, and simply added: "Google."


When they started to study the tickets, the teens first tried out last year's hack, which was exposed to the public by Corey Benninger and Max Sobell.


But it didn't work, because unlike the tickets in San Francisco and New Jersey, the ones in Turin made use of the chip's one-time programmable (OTP) bits. Each of these bits can be flipped from zero to one but never back, so the stamping machine burns one bit per ride and the count can never be reset.


But the two teenagers didn't give up. They stamped a lot of tickets and used their NFC reader, a device that can connect to a computer (and costs less than $50 on eBay), to see what happened inside the chip. This was possible because Mifare Ultralights are not encrypted, so the data inside is readable with any NFC device.


At this point, they noticed that the chip also carries lock bits that can put the OTP area into permanent read-only mode, meaning its data can no longer be modified by anyone, so the stamping machine can't change anything on it. They locked the OTP bits in their current state, with the number of rides that remained.


"After you lock the OTP sector, you do not have to do anything else to the ticket, ever," Beccaro told Mashable. "So, do it once and you get an unlimited-rides ticket."


Collura and Beccaro also noticed the timestamp, which is used to determine whether the ticket must be stamped again (each stamp is valid for 90 minutes), was stored in a part of the chip set in read and write mode. This meant anyone could read it and write to it, Beccaro told Mashable.


In other words, even after 90 minutes had passed, one simply needed to scan the ticket with an NFC-enabled device (like the Samsung Galaxy S4, among others) and change the date, which is possible with several free apps.


"It's like stamping the ticket by yourself," he said.


The two teens tested the first exploit on the road and proved its success. They couldn't test the date-change hack because they didn't have an NFC phone or tablet, but said that the hack should work, since it's possible to overwrite the data.


Collura and Beccaro offered a straightforward fix for the first issue: A firmware update on the stamping machines that would program them to refuse to validate a locked ticket.


The date-change hack, however, is harder to solve. They said the only solution is to encrypt all data on the ticket, but a plain Mifare Ultralight chip has no encryption or authentication of its own, so any such protection would have to be applied by the validators to the data they write.


Beccaro and Collura already notified Turin's transportation agency, which responded that it had fixed the first bug on streetcars and buses, but not yet on the subway.


Benninger, one of the two researchers who found the first Mifare Ultralight vulnerability last year, was standing in the crowd. He was surprised.


"The systems we were looking at before actually were not making use of OTP bits, which was kind of one of our recommendations to remediate it," he said. "But if [the transportation companies] had set those and never actually read whether or not they successfully set those bits, then again they would run into these issues like they found here today. So not only do they need to set them, but they need to check if they set them properly."
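The following Python model is an added illustration, not code from the researchers, the Turin operator, or NXP. It simulates the parts of a Mifare Ultralight that matter here (16 pages of 4 bytes; page 3 is the OTP area whose bits only ever go from 0 to 1; bytes 2 and 3 of page 2 are lock bits, themselves one-way, and bit 3 of the first lock byte makes page 3 read-only; a write to a locked page is refused), the two attacks described above, the validator behaviour the article implies (burn an OTP bit, never check the result), and the hardened validator that refuses a locked ticket and reads the OTP page back, as Benninger recommends. The page holding the stamp time, the ten-ride limit and the exact validator logic are assumptions about the ticket layout, not facts from the article.

```python
"""Simulated Mifare Ultralight ticket with a naive and a hardened validator.

Constructed model for illustration. Chip layout facts follow the Ultralight
datasheet; TIMESTAMP_PAGE, RIDES_PER_TICKET and the validator logic are
assumptions, not the Turin system's real design.
"""

PAGE_SIZE = 4
NUM_PAGES = 16
LOCK_PAGE = 2          # lock bytes live in bytes 2 and 3 of page 2
OTP_PAGE = 3           # one-time-programmable page: 32 bits, one burned per ride
TIMESTAMP_PAGE = 4     # assumed: validator stores the stamp time here (plain R/W memory)
LOCK_OTP_BIT = 0x08    # bit 3 of lock byte 0 makes page 3 read-only, permanently
RIDES_PER_TICKET = 10  # assumed ticket size
STAMP_VALID_SECONDS = 90 * 60


class WriteRejected(Exception):
    """The card refused a WRITE (page locked or read-only)."""


class UltralightSim:
    def __init__(self):
        self.mem = bytearray(NUM_PAGES * PAGE_SIZE)   # fresh card: all zero

    def read(self, page):
        return bytes(self.mem[page * PAGE_SIZE:(page + 1) * PAGE_SIZE])

    def _is_locked(self, page):
        base = LOCK_PAGE * PAGE_SIZE
        lock0, lock1 = self.mem[base + 2], self.mem[base + 3]
        if page == OTP_PAGE:
            return bool(lock0 & LOCK_OTP_BIT)
        if 4 <= page <= 7:            # bits 4..7 of lock byte 0 lock pages 4..7
            return bool(lock0 & (1 << page))
        if 8 <= page <= 15:           # bits 0..7 of lock byte 1 lock pages 8..15
            return bool(lock1 & (1 << (page - 8)))
        return False

    def write(self, page, data):
        data = bytes(data)
        if len(data) != PAGE_SIZE:
            raise ValueError("a page is exactly 4 bytes")
        if page in (0, 1):
            raise WriteRejected("UID pages are read-only")
        base = page * PAGE_SIZE
        if page == LOCK_PAGE:
            # Lock bits are one-way: new bits are ORed in and can never be cleared.
            # (The block-locking bits that can freeze the lock bytes are omitted.)
            self.mem[base + 2] |= data[2]
            self.mem[base + 3] |= data[3]
            return
        if self._is_locked(page):
            raise WriteRejected(f"page {page} is locked")
        if page == OTP_PAGE:
            for i in range(PAGE_SIZE):   # OTP bits also only go 0 -> 1
                self.mem[base + i] |= data[i]
        else:
            self.mem[base:base + PAGE_SIZE] = data


def rides_used(card):
    """Rides already taken = number of OTP bits burned."""
    return bin(int.from_bytes(card.read(OTP_PAGE), "big")).count("1")


def stamp_is_valid(card, now):
    """Inspector's check: was the ticket stamped within the last 90 minutes?"""
    ts = int.from_bytes(card.read(TIMESTAMP_PAGE), "big")
    return ts != 0 and 0 <= now - ts <= STAMP_VALID_SECONDS


def punch_naive(card, now):
    """Validator as the article implies: burns the next OTP bit and writes the
    time, but never checks whether the OTP write actually took."""
    used = rides_used(card)
    if used >= RIDES_PER_TICKET:
        return False
    try:
        card.write(OTP_PAGE, (1 << used).to_bytes(PAGE_SIZE, "big"))
    except WriteRejected:
        pass                                   # the flaw: write result ignored
    card.write(TIMESTAMP_PAGE, now.to_bytes(PAGE_SIZE, "big"))
    return True


def punch_checked(card, now):
    """Hardened validator: refuse a ticket whose OTP page is locked, and read
    the OTP page back to confirm the ride really was burned."""
    used = rides_used(card)
    if used >= RIDES_PER_TICKET:
        return False
    if card.read(LOCK_PAGE)[2] & LOCK_OTP_BIT:
        return False                           # proposed firmware fix: locked ticket refused
    before = card.read(OTP_PAGE)
    mask = (1 << used).to_bytes(PAGE_SIZE, "big")
    try:
        card.write(OTP_PAGE, mask)
    except WriteRejected:
        return False
    expected = bytes(b | m for b, m in zip(before, mask))
    if card.read(OTP_PAGE) != expected:
        return False                           # read-back check
    card.write(TIMESTAMP_PAGE, now.to_bytes(PAGE_SIZE, "big"))
    return True


def lock_otp_page(card):
    """Attack 1 (phone or USB reader): lock page 3, freezing the remaining rides forever."""
    card.write(LOCK_PAGE, bytes([0, 0, LOCK_OTP_BIT, 0]))


def rewrite_timestamp(card, now):
    """Attack 2: the stamp time sits in plain R/W memory, so just write a fresh one."""
    card.write(TIMESTAMP_PAGE, now.to_bytes(PAGE_SIZE, "big"))


if __name__ == "__main__":
    t = UltralightSim()
    lock_otp_page(t)
    print("naive validator accepts locked ticket:", punch_naive(t, 1_000_000))
    print("rides burned:", rides_used(t))
    print("checked validator accepts locked ticket:", punch_checked(t, 1_000_000))
```

Run as a script it prints that the naive validator keeps accepting the locked ticket while the burned-ride count stays at zero, and that the checked validator refuses it. Note that the read-back check protects the ride counter but not the timestamp page: as long as the stamp time lives in ordinary user memory, anyone can rewrite it, which is exactly the second hole.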


The next stop for Beccaro and Collura is to finish building an app that would automatically lock the OTP sector of the ticket and change the timestamp each time someone scans a ticket.


At that point, anyone with an NFC-enabled Android will be able to test whether his ticket is hackable. And if it is, he won't have to pay for bus rides ever again.


Image: Gareth Cattermole/Getty Images


Topics: Def Con, hackers, Mobile, mobile security, NFC, Tech, transportation, World



