Two security researchers have developed an app that could help them score free train rides by exploiting NFC-enabled fare systems.
According to ZDNet, the Android app, developed by researchers Corey Benninger and Max Sobell of the Intrepidus Group, allows users to revert a subway smartcard to its original state, giving the appearance of a fully loaded pass. These types of tickets use a MIFARE Ultralight NFC (near-field communication) chip and are currently used by the San Francisco Muni and New Jersey PATH transit systems.
Users running the app can hold their NFC-enabled phones up to the farecard to reset it. Although chip manufacturer NXP told ZDNet that it has security features that are supposed to prevent this, Benninger and Sobell found that the New Jersey and San Francisco transit systems had not yet employed these protections. As a result, the cards are less secure than many smartcards that employ cryptography.
While the threat of lost transit revenue may be relatively minor, and PATH officials have not confirmed any successful breaches to date, the exploit could hint at other vulnerabilities and endpoint security risks regarding NFC technology.
Threats in the NFC-enabled travel future
Apple recently received approval for a patent that would enable a range of NFC applications for air travel and airport security. The patent, reported by CNN, included technology that would allow iPhone users to check their bags automatically using NFC-enabled kiosks and pass through security by sending automatic notifications to security agents.
Other NFC technologies such as Google Wallet already allow mobile users to make payments with their phones and use the same NFC-enabled transit systems that the card hack exploits. As NFC-enabled devices inevitably become a part of the travel landscape, security professionals will have to consider the ways in which physical security could be compromised by malicious hackers in addition to those just looking for a free ride.
However, the hack discovered by Benninger and Sobell could be prevented fairly easily, they said. Transit systems would simply need to take advantage of the existing back-end controls at their disposal. Those that do not could remain quite vulnerable, and this specific weakness does not require extensive hacking knowledge to exploit.
"I coded the app in one night," Benninger said, presenting it at the EUSecWest security conference in Amsterdam. "And I'm not a coder so if somebody knows what they are doing it is pretty easy to do."
Security News from SimplySecurity.com by Trend Micro