Security experts hack and refresh US transit cards with Android app

Two researchers have created an Android app that they say can re-program certain NFC-enabled travel-cards, such as those used in the San Francisco Muni and New Jersey PATH transit system.

The researchers, Corey Benninger and Max Sobell of the Intrepidus Group, showed off the tool on Thursday at the EUSecWest security conference in Amsterdam. The flaw they were exploiting can be found in paper-electronic tickets — designed for one-off or limited use — that use a MiFare Ultralight NFC chip from NXP Semiconductors.

The exploit allows the app's users to revert such a ticket to its original state. If the card had been used for all the originally-loaded 10 trips, for example, the hack would make it seem as though the card was freshly bought and fully loaded.

This video shows the UltraReset app, which was running on a Nexus S smartphone, in action:

The original Ultralight chip, which was the version identified by Benninger and Sobell as being used by the affected transit authorities, does not employ the cryptography that 'frequent-rider' plastic cards do.

NXP told ZDNet UK on Friday that the chip does include "basic security features" such as a write-lock feature and one-time-programmable (OTP) bits. The OTP bits are supposed to block anyone from reverting the card to its original state, but it appears that the transit authorities in question have not been turning that feature on.

"Of the US cities we traveled to last year, only the NJ Path and SF Muni systems were using Ultralight cards," Benninger told ZDNet UK. "Both of these systems are not using the security features of these cards correctly, which allows us to easily reset the cards' data. A few online sites report Ultralight cards are in use for transit systems in other towns, both in the United States and other countries. It is possible that these systems could be affected too."

Increased security

NXP's spokesman pointed out that a more recent version of the chip, MiFare Ultralight C, came out in 2008 as the chip company was "anticipating the widespread adoption of NFC-enabled phones and, consequently, attack scenarios". That variant adds Triple DES authentication and one-way counters to the chip's barriers against hackers.

"MIFare Ultralight C was jointly developed with leading transit system solution providers and as far as NXP is informed, many public transport operators are currently adjusting their system designs while keeping service sustainability," the spokesman said.

However, Benninger noted that the Ultralight C variant could also be attacked "if the system is not properly using the one way counter or the access control feature found on the C version of the cards".

ZDNet UK has contacted both the NJ PATH and SF Muni transit authorities to ask whether they really haven't been using the security features made available to them, but had not received a response from either at the time of writing.

UPDATE (Monday morning): The NJ PATH transit authority got back to say: "The PATH rail system has not experienced such fraudulent activity on its SmartLink Cards to date, but we are discussing the issue with our card vendor."