Android NFC hack lets subway riders evade fares


Subway riders in the New Jersey and San Francisco transit systems can use near-field communication (NFC) Android smartphones to endlessly replenish their fare cards for free, security researchers demonstrated Thursday at the EUSecWest security conference in Amsterdam.

The researchers, Intrepidus Group's Corey Benninger and Max Sobell, developed an application called UltraReset that allows travelers to read a fare card's balance and to then write the stored data back to the card, resetting the balance to get more free rides.

This Vimeo video shows one of the researchers depleting his pass card at a New Jersey subway turnstile, using the UltraReset application on his Nexus S smartphone to reset the pass, and then using it again as the turnstile affirmed that he had a fresh, albeit bogus, balance of 10 trips.

Benninger said during his talk that he could replenish his card endlessly, according to Computerworld:

"I can do that over and over again if I chose to."

UltraReset works on Android 2.3.3 or later.

Don't bother searching on Google Play for it, though - the researchers aren't in the business of enabling people to rip off transit systems.

Instead, they've put out a tweaked version, called UltraCardTester, to allow people to test their local transit system's security. You can't rewrite your subway card balance, but you can let the transit people know that their system might be insecure.

The researchers said that their application takes advantage of a flaw found in some NFC-based cards that rely on Mifare Ultralight chips, used in disposable, contactless NFC cards.

The issue comes from the Ultralight cards' counters, which are trivial to rewrite if you know what you're doing, Benninger said.

Here's how New Jersey and San Francisco's systems incorrectly implement the chips, as the researchers explained in a posting:

While these Ultralight cards don’t have access control features which are found in more expensive NFC cards, they do support a feature called a "One Way Counter" (which was named One Time Programmable or "OTP" in previous documents). These bits are in page 3 of the card’s data and once a bit is turned on, it can never be turned back off. This way, a card could be limited to being used only a limited number of times. These bits are left unchanged by the two transit systems we looked at which used Ultralight cards.

The researchers described the Mifare Ultralight as working like a punch card system that flips bits on to record trips rather than punching holes in a paper ticket.

The bits can't be turned back, but in a system like this one, the card checks the user information but doesn't turn on bits. That allows the cards to be rewritten, the researchers said.

To demonstrate how widespread NFC technology is becoming, Benninger and Sobell listed a host of cities whose transit systems rely on it, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia.

Not that using the Mifare Ultralight chip or even NFC is enough to make those cities vulnerable, mind you.

The only two cities they've tested for incorrect Mifare Ultralight card usage and which they've subsequently contacted with remediation details are San Francisco, with its Muni system, and New Jersey, with its Path transit system.

Benninger and Sobell tested those two cities' transit systems, found them exploitable, and told San Francisco about it in December 2011.

Both cities still appear to be exposed to fare ripoff, Benninger said:

"Both systems are still vulnerable as far as we know."

The researchers haven't been able to travel to all the cities that use contactless ticketing.

But with their application, residents of cities relying on NFC/Mifare Ultralight transit cards can determine whether bits have been turned on, which serves as a good indication of whether a given system is vulnerable.

The researchers noted that standard transit system cards typically aren't Ultralights. Ultralights are typically only used for disposable or limited use tickets.

The researchers described the issue as easy to fix: transit companies could use an alternative, more secure chip, or they could adjust back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.
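The difference between a gate that leaves the one-way bits alone and one that turns them on, as an added example that is not code from the researchers or from this article: a simplified Python model of an Ultralight ticket in which page 3 only accepts bit-sets. The page-4 balance field, the 10-trip ticket and all function names are assumptions made for the illustration.

```python
OTP_PAGE = 3       # one-way counter page, per the researchers' posting
BALANCE_PAGE = 4   # assumption: this toy system keeps remaining trips in user page 4
TRIPS_SOLD = 10    # assumption: every ticket is sold with 10 trips

class UltralightCard:
    """Simplified card model: 16 four-byte pages; bits in page 3 can only be set."""
    def __init__(self):
        self.pages = [bytes(4) for _ in range(16)]
        self.write(BALANCE_PAGE, TRIPS_SOLD.to_bytes(4, "big"))

    def write(self, page, data):
        if page == OTP_PAGE:  # the chip ORs new data into the stored bits
            data = bytes(old | new for old, new in zip(self.pages[page], data))
        self.pages[page] = bytes(data)

def otp_bits_set(card):
    return bin(int.from_bytes(card.pages[OTP_PAGE], "big")).count("1")

def gate_balance_only(card):
    """Pattern the article describes: only rewritable user data tracks trips."""
    trips = int.from_bytes(card.pages[BALANCE_PAGE], "big")
    if trips == 0:
        return False
    card.write(BALANCE_PAGE, (trips - 1).to_bytes(4, "big"))
    return True

def gate_with_otp(card):
    """Fix the article describes: burn one OTP bit per trip and count those."""
    used = otp_bits_set(card)
    if used >= TRIPS_SOLD:
        return False
    card.write(OTP_PAGE, (1 << used).to_bytes(4, "big"))
    return True

def rides_after_restore(gate):
    """Use up a ticket, put back a saved copy of all pages, and count extra rides."""
    card = UltralightCard()
    saved = list(card.pages)
    while gate(card):
        pass
    for page, data in enumerate(saved):  # goes through write(), so page 3 stays OR-only
        card.write(page, data)
    extra = 0
    while gate(card):
        extra += 1
    return extra, otp_bits_set(card)

if __name__ == "__main__":
    print("balance-only gate:", rides_after_restore(gate_balance_only))  # (10, 0)
    print("OTP-burning gate: ", rides_after_restore(gate_with_otp))      # (0, 10)
```

The second value in each result is the number of page-3 bits set after the rides: zero after a fully used ticket is the indication the researchers' tester application looks for.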

It sounds like a lot of cities are getting ready to implement these potentially vulnerable contactless cards.

I would have liked to test my local transit system, Boston's MBTA, to determine if it's properly implemented Ultralights, but my Android lacks NFC capability and I'm not even sure if they're using Ultralights in Boston.

So I thought I'd call the MBTA to ask some questions and determine if they at least were aware of the issue.

They hadn't returned my call as of Sunday.

It sounds like this is a simple glitch to fix. I encourage anybody who cares about public transportation in NFC-dependent cities, and who has an NFC-capable Android, to download the application and vet their local metro.

Then, if you find Ultralights implemented insecurely, please talk to your transit authority.

Ticket barriers and ticket machine courtesy of Shutterstock


7 Responses to Android NFC hack lets subway riders evade fares

  1. Derek Currie · 1070 days ago

    NFC: Not For Consumption.

    Occasionally 'god' provides us with litmus tests for identifying stupid people. NFC is one of those tests.

    Thanks to NFC chips, I am forced to keep my NYS driver's license in a Faraday cage, aka an AFDB, aka the foil envelope NYS sent me with my card. NFC, aka crap technology, no thank you!

  2. Derp · 1070 days ago

    This is one of the few reasons why society should restrict and scrutinize open source operating systems.

  3. bob · 1069 days ago

    Derp - do you want to think about what you have said - the Open Source OS is not the problem, the problem is a flaw in a Chip.

    In fact the open source OS has helped discover/highlight this flaw.

    • MisterReson · 722 days ago

      It's not a flaw in the chip, it's a flaw in the implementation.

      • Near Field Cheat · 446 days ago

        It's not a flaw in implementation because the chip implements protection but the subway system isn't using it (they have not turned it on)

  4. bob · 1068 days ago

    Also, Android is a closed source project that is based on open source / releases open source code


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.