Subway riders in the New Jersey and San Francisco transit systems can use near-field communication (NFC) Android smartphones to endlessly replenish their fare cards for free, security researchers demonstrated Thursday at the EUSecWest security conference in Amsterdam.
The researchers, Intrepidus Group’s Corey Benninger and Max Sobell, developed an application called UltraReset that allows travelers to read a fare card’s balance and to then write the stored data back to the card, resetting the balance to get more free rides.
This Vimeo video shows one of the researchers depleting his pass card at a New Jersey subway turnstile, using the UltraReset application on his Nexus S smartphone to reset the pass, and then using it again as the turnstile affirmed that he had a fresh, albeit bogus, balance of 10 trips.
Benninger said during his talk that he could replenish his card endlessly, according to Computerworld:
"I can do that over and over again if I chose to."
UltraReset works on Android 2.3.3 or later.
Don’t bother searching on Google Play for it, though – the researchers aren’t in the business of enabling people to rip off transit systems.
Instead, they’ve put out a tweaked version, called UltraCardTester, to allow people to test their local transit system’s security. You can’t rewrite your subway card balance, but you can let the transit people know that their system might be insecure.
The researchers said that their application take advantage of a flaw found in some NFC-based cards that rely on Mifare Ultralight chips, used in disposable, contactless NFC cards.
The issue comes from the Ultralight cards’ counters, which are trivial to rewrite if you know what you’re doing, Benninger said.
Here’s how New Jersey and San Francisco’s systems incorrectly implement the chips, as the researchers explained in a posting:
While these Ultralight cards don’t have access control features which are found in more expensive NFC cards, they do support a feature called a "One Way Counter" (which was named One Time Programmable or "OTP" in previous documents). These bits are in page 3 of the card’s data and once a bit is turned on, it can never be turned back off. This way, a card could be limited to being used only a limited number of times. These bits are left unchanged by the two transit systems we looked at which used Ultralight cards.
The researchers described the Mifare Ultralight as working like a punch card system that flips bits on to record trips rather than punching holes in a paper ticket.
The bits can’t be turned back, but in a system like this one, the card checks the user information but doesn’t turn on bits. That allows the cards to be rewritten, the researchers said.
To demonstrate how widespread NFC technology is becoming, Benninger and Sobell listed a host of cities whose transit systems rely on it, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia.
Not that using the Mifare Ultralight chip or even NFC is enough to make those cities vulnerable, mind you.
The only two cities they’ve tested for incorrect Mifare Ultralight card usage and which they’ve subsequently contacted with remediation details are San Francisco, with its Muni system, and New Jersey, with its Path transit system.
Benninger and Sobell tested those two cities’ transit systems, found them exploitable, and told San Francisco about it in December 2011.
Both cities still appear to be exposed to fare ripoff, Benninger said:
"Both systems are still vulnerable as far as we know."
The researchers haven’t been able to travel to all the cities that use contactless ticketing.
But with their application, residents of cities relying on NFC/Mifare Ultralight transit cards can determine whether bits have been turned on, which serves as a good indication of whether a given system is vulnerable.
The researchers noted that standard transit system cards typically aren’t Ultralights. Ultralights are typically only used for disposable or limited use tickets.
The researchers described the issue as easy to fix: transit companies could use an alternative, more secure chip, or they could adjust back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.
It sounds like a lot of cities are getting ready to implement these potentially vulnerable contactless cards.
I would have liked to test my local transit system, Boston’s MBTA, to determine if it’s properly implemented Ultralights, but my Android lacks NFC capability and I’m not even sure if they’re using Ultralights in Boston.
So I thought I’d call the MBTA to ask some questions and determine if they at least were aware of the issue.
They hadn’t returned my call as of Sunday.
It sounds like this is a simple glitch to fix. I encourage anybody who cares about public transportation in NFC-dependent cities, and who has an NFC-capable Android, to download the application and vet their local metro.
Then, if you find Ultralights implemented insecurely, please talk to your transit authority.