For HomeFor BusinessFor Partners
Industry News
1 min read

Buggy San Francisco E-Tickets Let Android Users to Travel for Free

Bogdan BOTEZATU

September 25, 2012

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Buggy San Francisco E-Tickets Let Android Users to Travel for Free

Security researchers from Intrepidus Group have demonstrated a vulnerability at the EUSecWest security conference in Amsterdam that lets San Francisco public transportation users travel for free.

According to the researchers, the contactless fare cards in the New Jersey and San Francisco transit systems use the Mifare Ultralight chip that allows anyone to rewrite the card as needed. The system relies on a series of bits that are flipped whenever a ride is used. Corey Benninger and Max Sobell used a NFC-capable Android smartphone and the “UltraReset” application to rewrite data on the card and restore the fare balance to 10.

I can do that over and over again if I chose to,” Benninger said in a quote for Computerworld. “I coded the app in one night,” Benninger said, “and I’m not a coder so if somebody knows what they are doing it is pretty easy to do.

The same contactless payment system is used in other US cities, such as Boston, Seattle, Salt Lake City, Chicago and Philadelphia, but the researchers were unable to test these systems as of this writing. However, the researchers published a modified version of the UltraReset app, called UltraCardTester, to let other users assess whether their transit system is vulnerable to this type of attack.

Our purpose is not to rub anybody’s nose in,” said Sobell. “We just want to raise awareness for an issue that potentially could affect many systems.

The researchers also claimed that the transit companies could fix this vulnerability by simply switching to a safer breed of RFID chips, or by implementing additional checks in the back-end system to ensure the bits in the cards are turned on when all the fares have been exhausted.

tags

Industry News

Author

Bogdan BOTEZATU

Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.

View all posts

Right now Top posts

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide
Scam Spam

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide

April 19, 2024

5 min read
Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond
Scam How to Tips and Tricks

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond

April 01, 2024

2 min read
Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts
Spam Industry News Threats

Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts

November 28, 2023

4 min read
Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting
Protecting Your Important How to Tips and Tricks

Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting

November 08, 2023

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

City street lights "misbehave" after ransomware attack
Industry News

City street lights "misbehave" after ransomware attack
Graham CLULEY

April 24, 2024

2 min read
13 People Involved in Spyware Banned from Crossing US Borders
Industry News

13 People Involved in Spyware Banned from Crossing US Borders
Filip TRUȚĂ

April 24, 2024

2 min read
GitHub Flaw Could Allow Threat Actors to Distribute Malware on GitLab
Industry News

GitHub Flaw Could Allow Threat Actors to Distribute Malware on GitLab
Vlad CONSTANTINESCU

April 24, 2024

2 min read

Bookmarks

loader