Skip the navigation

Android NFC hack enables travelers to ride subways for free, researchers say

The researchers who developed the application said transit systems in U.S. cities could be vulnerable

By Loek Essers
September 20, 2012 12:29 PM ET

IDG News Service - Contactless fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free, researchers demonstrated Thursday at the EUSecWest security conference in Amsterdam.

An NFC (near field communication) Android smartphone can read the data from a fare card with, for instance 10 rides on it, using the "UltraReset" application, said Corey Benninger and Max Sobell, security researchers at the Intrepidus Group and the application's developers. When travelers have used up their balance they are able to write the stored data back to the card using the same app, resetting the balance to 10 rides, the researchers said.

"I can do that over and over again if I chose to," Benninger said during his talk. UltraReset works on Android 2.3.3 or later. (See a video of the researchers demonstrating the NFC hack in this Vimeo clip.)

The application takes advantage of a flaw found in particular NFC-based cards, the researchers said, adding that these cards are used in the San Francisco Muni and the New Jersey Path transit systems.

Both systems were tested by the researchers and both cities were informed about the possible abuse of the system, they said. "Both systems are still vulnerable as far as we know," said Benninger, who added that San Francisco was informed in December 2011.

The hack exploits the Mifare Ultralight chip used in disposable contactless NFC cards, the researchers said. This type of chip allows anyone who has the know-how to rewrite data to the NFC chip, they said. "I coded the app in one night," Benninger said, "and I'm not a coder so if somebody knows what they are doing it is pretty easy to do."

The Mifare Ultralight can work much like a standard punch card system, but instead of punching holes in a paper ticket the card can flip bits on to indicate that a travel unit has been used, the researchers said. Those bits can never be turned back, but in the vulnerable systems user information on the card is checked but the bits are never turned on, which enables exploiters to rewrite the cards, they added.

Other U.S. cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, use contactless ticketing and those systems could be vulnerable to the same technique, they said. Those systems, however, were not tested by the researchers, who said they had not been able to travel everywhere.

An adjusted version of the UltraReset app, dubbed UltraCardTester, was made available for download by the researchers on Thursday to enable people to test their local transit system's security. UltraCardTester has the same abilities as UltraReset but isn't able rewrite the card. The function was taken out so people don't abuse it, Benninger said.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies