Two Italian hackers have told the Defcon convention about a pair of vulnerabilities in some contactless transportation ticketing systems that allow tickets to be altered by an NFC phone to give unlimited free rides.
Matteo Collura, 19, and Matteo Beccaro, 18, started experimenting after Turin introduced contactless ticketing for its trams, buses and subway earlier this year, reports Mashable.
The pair told attendees at the conference in Las Vegas on Saturday that they used an NFC reader connected to a PC to examine the state of many Mifare Ultralight tickets that had been used in the system, and found two exploits:
- One-time programmable bits record individual rides used on a ticket. However, these can be set to be read-only, which prevents usage being recorded by ticket validators, resulting in tickets remaining valid indefinitely.
- The Turin implementation allows tickets to be used for up to 90 minutes after validation. The hackers noticed that this is governed by a timestamp recorded in the clear in the ticket, and that this can be changed easily using an app on an NFC phone, extending the validity of the ticket each time.
Turin has made progress fixing the first exploit, according to Mashable, but is still working on solving the timestamp issue.
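A validator-side check covering both issues, as an added example that is not code from the article, the researchers or Turin's system. It rejects a ticket whose one-time programmable page has been made read-only and verifies a keyed MAC that binds the timestamp to the card serial. The key, the MAC scheme and the placement of the timestamp (page 4) and MAC (pages 5-6) are assumptions; the lock-bit position follows the standard Mifare Ultralight layout.

```python
import hashlib
import hmac
import struct

OPERATOR_KEY = b"constructed-demo-key"   # assumption: secret held by validators
VALIDITY_S = 90 * 60                      # 90-minute window from the article
L_OTP = 0x08                              # lock byte 0, bit 3: OTP page read-only

def uid(dump):
    # 7-byte serial: page 0 bytes 0-2 and page 1 (page 0 byte 3 is a check byte)
    return dump[0:3] + dump[4:8]

def ticket_mac(serial, ts):
    # Hypothetical scheme: truncated HMAC binding the timestamp to this card
    msg = serial + struct.pack(">I", ts)
    return hmac.new(OPERATOR_KEY, msg, hashlib.sha256).digest()[:8]

def make_ticket(serial, ts):
    # Constructed 64-byte dump (16 pages x 4 bytes); not a real ticket image
    dump = bytearray(64)
    dump[0:3], dump[4:8] = serial[:3], serial[3:]
    dump[16:20] = struct.pack(">I", ts)        # page 4: validation time (assumed)
    dump[20:28] = ticket_mac(serial, ts)       # pages 5-6: MAC (assumed)
    return dump

def check_ticket(dump, now):
    if len(dump) != 64:
        return "reject: malformed dump"
    if dump[10] & L_OTP:                       # page 2 byte 2 = lock byte 0
        return "reject: OTP page locked"
    ts = struct.unpack(">I", dump[16:20])[0]
    if not hmac.compare_digest(bytes(dump[20:28]), ticket_mac(uid(dump), ts)):
        return "reject: timestamp MAC mismatch"
    if not 0 <= now - ts <= VALIDITY_S:
        return "reject: expired"
    return "valid"
```

With this check a timestamp edited on the card no longer matches its MAC, and a ticket whose ride counter can no longer be written is refused instead of silently accepted.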