NFC is a great technology, but as with anything in this digital age, security is perhaps the most important element of all. A group of hackers at the EUSecWest security conference in Amsterdam showed how some NFC-based fare cards can be manipulated to give a metro rider free rides.
Using an app called “UltraReset,” riders can roll their balance back up to, say, ten rides once they have used all of them up. The application works by reading a balance of ten rides from the card when you first purchase it.
Once you’ve used all those rides up, your Android phone writes that information back to the fare card, which then behaves as if you’ve purchased another ten rides, and you can keep doing this as much as you want. Apparently this works for NFC-enabled subway systems in New Jersey and San Francisco, and it may work for even more that have yet to be tested.
One of the presenters, Corey Benninger, demonstrated an ability to read the card’s data using a modified version of “UltraReset” called “UltraCardTester.” The latter only demonstrates the ability to read, not write.
The full app is not being released for fear of abuse by those looking to save some bucks, but Benninger notes that it is so easy to code an app to manipulate the metro cards that someone with little programming experience can just as easily make their own app.
The reason for bringing this up is not to dangle some desirable functionality in our faces, of course. They simply want these cities to get the message and plug up holes that could eventually cost them hundreds of thousands of dollars in revenue due to false rides. Benninger says the fix is easy: it simply requires a more secure NFC chip or a better way of handling, in the back-end, the “on/off” bits that represent each ride.
Both cities confirmed to be vulnerable are said to be using Mifare Ultralight chips, and unless other cities have a more secure and practical back-end to handle the “bits,” there’s a good chance they could be just as vulnerable if they employ these chips.
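The back-end handling mentioned above can be sketched as a ledger check, shown here as an added example that does not come from the presenters or from any transit system: the gate reports the ride count it read from the card, and the back-end refuses any card claiming more rides than it has on record. The class, method names and card identifier are assumptions made for illustration, and the sketch assumes gates can reach the back-end when a card is tapped.

```python
from dataclasses import dataclass, field

@dataclass
class FareLedger:
    """Back-end copy of rides remaining per card UID; the card is never the authority."""
    remaining: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def purchase(self, uid, rides):
        self.remaining[uid] = self.remaining.get(uid, 0) + rides

    def tap(self, uid, rides_on_card):
        """Check one gate tap against the ledger; return (decision, reason)."""
        known = self.remaining.get(uid)
        if known is None:
            return self._flag(uid, "card never sold by this system")
        if rides_on_card > known:
            # The card claims rides that were never paid for: its data was rewritten.
            return self._flag(uid, f"rollback: card={rides_on_card} ledger={known}")
        # A lower card value can come from a gate that was offline; take the lower one.
        usable = min(known, rides_on_card)
        if usable == 0:
            return ("deny", "no rides left")
        self.remaining[uid] = usable - 1
        return ("allow", f"{usable - 1} rides left")

    def _flag(self, uid, reason):
        self.alerts.append((uid, reason))
        return ("deny", reason)


def replay_constructed_taps():
    """Constructed sample: ten paid rides, then a tap from a card restored to ten."""
    ledger = FareLedger()
    uid = "CARD-0001"  # made-up identifier, not a real card UID
    ledger.purchase(uid, 10)
    decisions = [ledger.tap(uid, on_card)[0] for on_card in range(10, 0, -1)]
    decisions.append(ledger.tap(uid, 10)[0])  # card reads 10 again, ledger reads 0
    return decisions, ledger.alerts


if __name__ == "__main__":
    decisions, alerts = replay_constructed_taps()
    print(decisions)
    print(alerts)
```

The alert list is what a transit operator would feed into card blocking or fraud review; the gate decision alone only stops the single ride.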
It’s an interesting development that has us wondering if many of these industries are ready for NFC. Whether it be due to lack of competence by engineers or lack of understanding of what, exactly, NFC is providing in terms of the balance between convenience and security, one thing is for sure: it’s still a relatively new technology that could mean dire financial consequences for a government or business if they’re not minding their P’s and Q’s.
Unless those who are employing it completely understand what they’re doing with it, we could see NFC failing fast if it happens to become an economically taxing fumble. Let’s get it together, guys. [via Computerworld]