Using Android and NFC for fare dodging
Using an NFC-enabled Android smartphone, two security researchers have succeeded in manipulating the contactless ticketing systems used by some public transport systems in order to obtain free travel. According to a report from Computerworld, researchers Corey Benninger and Max Sobell from security services specialist Intrepidus Group are able to quickly and easily reset the number of journeys on NFC (near field communication) contactless travel cards. Because the cards store only the number of journeys, resetting that value can give them up to the maximum of ten journeys allowed.
Benninger and Sobell created "UltraReset", a mobile app that takes advantage of a flaw in the MIFARE Ultralight chip found in some disposable NFC/RFID-based cards that allows them to reset certain data on the cards. A video created by the researchers demonstrates how a contactless card can be used up and then quickly rewritten to be used again.
The researchers have confirmed that the San Francisco Municipal Railway and the New Jersey PATH transit systems use vulnerable cards. They also note that contactless ticketing systems used by other US cities such as Boston, Seattle and Chicago may be vulnerable to the same technique.
The team, who presented their findings at the EUSecWest security conference in Amsterdam last week, have created a modified version of UltraReset, called UltraCardTester, that lets users check whether the cards used by their local transit systems are vulnerable; unlike UltraReset, however, UltraCardTester cannot write cards to give users free travel. The UltraCardTester app is available in Google's Play store for devices with built-in NFC support running Android 2.3.3 or later.