Unlimited rides on public transportation? No problem for hackers.
Matteo Collura, 19, and Matteo Beccaro, 18, uncovered two new security loopholes that allow them to timestamp NFC-enabled tickets (MiFare Ultralights) with NFC-enabled Android phones and turn a limited-ride ticket into an unlimited one, according to an article from Mashable. The two Italian teenage hackers claim the hacks are fairly easy to reproduce, as they presented their findings at Def Con on Saturday.
After the city of Turin implemented NFC-enabled cards in January, the two researched how the chips worked. That was the easy part – it was advertised on their website, Mashable reports. The issue is, the cards are not encrypted, so the data inside is readable with any NFC device. At that point, Collura and Beccaro were able to set the cards in a “read-only” format, so the cards could not be stamped and always contained the same number of rides.
The timestamp is valid for 90 minutes, but all the hacker needs to do is re-scan the ticket with an NFC-enabled device and change the date, effectively stamping the ticket by him- or herself.