Security flaw lets smartphone users 'hack' transit gates
Published Saturday, April 9, 2016 12:11PM PDT
A smartphone and two free apps can reprogram the chips in paper Compass tickets to give someone a free ride on Vancouver’s transit system.
CTV News was alerted to the “hack” this week, and saw it work on at least four paper Compass tickets, essentially resetting the embedded chips that keep track of how much time a rider has left to ride on the system.
TransLink says only a handful of people have taken advantage of the “hack” to steal rides from the system, and the agency says it still has the capability to detect it, cancel the tickets and charge anyone who pulls it off with fraud.
“It is something we’re aware of,” said Lloyd Bauer, the VP of the Compass Project at TransLink. “We are constantly monitoring for it.”
CTV News is choosing not to reveal the particular method by which the cards can be reset. A reporter did confirm that the method is genuine, using a widely available phone belonging to a CTV worker and two free apps that were not specific to the Compass Card system. CTV News did not use the method to ride for free.
For critics, this is another blow to a beleaguered Compass Card that is just this week passing the milestone of having its fare gates finally close, years after they were promised, and some $23 million over its $171 million budget.
Burnaby Mayor Derek Corrigan said he wants to know whether this flaw was disclosed by Compass Card system contractor Cubic Transportation Systems when it sold the system to TransLink in 2010.
At the time, the Compass system was sold as a way to stop fare evasion, which was estimated to cost TransLink about $7 million a year. Corrigan said the new system costs some $20 million a year to operate.
“It’s no surprise,” Corrigan said. “I’ve been saying all along that people would just be more creative about how they would avoid paying fares.”
“It was a ridiculous idea from the beginning, it preyed on people’s sense that everyone else is being ripped off, but this system is just as easy to rip off in a different way.”
But this is not the first time such a method has been discovered on similar “Smart Card” transit systems – discussion about the problems with the underlying NFC technology has been going on for years.
NFC, or “near field communication,” is the same technology that powers smartphone payment systems like Apple Pay or Google Wallet. It can have strong security, though in the Compass ticket case the card information appears to be unencrypted.
In 2012, two security researchers showed how to use NFC to get a free ride on public transportation systems in New Jersey and San Francisco.
“We knew it exists and we tried to sound the alarm four years ago,” one of those researchers, Max Sobell, told CTV News from New York.
He said that the technology can be secure if implemented in a way that doesn’t allow constant rewriting of the card. A better implementation, he said, would be one that permanently altered the card on every “tap-in”, like a train conductor might punch a physical ticket.
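The difference Sobell describes, as an added example that is not from the article, TransLink or Cubic: a toy Python model in which one gate trusts only rewritable ticket memory and another also sets a one-way bit at first tap-in and checks it. The memory layout, the 90-minute window and all names are assumptions made for illustration, and the model covers only a ticket being put back into a previously saved state.

```python
WINDOW_MIN = 90  # assumed validity window in minutes (constructed value)

class Ticket:
    """Constructed ticket memory: one rewritable field, one write-once field."""
    def __init__(self):
        self.activated_at = None  # rewritable by any writer
        self.punches = 0          # one-way bits: can be set, never cleared

    def image(self):
        return (self.activated_at, self.punches)

    def restore(self, image):
        """Write a saved image back; the one-way bits only accept an OR."""
        self.activated_at = image[0]
        self.punches |= image[1]

def gate_rewritable(ticket, now):
    """Gate that trusts only the rewritable field."""
    if ticket.activated_at is None:
        ticket.activated_at = now
        return True
    return now - ticket.activated_at <= WINDOW_MIN

def gate_punched(ticket, now):
    """Gate that also punches a one-way bit on first use and checks it."""
    if ticket.punches == 0:
        if ticket.activated_at is not None:
            return False          # claims earlier use but was never punched
        ticket.punches |= 1       # the irreversible "conductor's punch"
        ticket.activated_at = now
        return True
    if ticket.activated_at is None:
        return False              # punched, yet claims to be unused: rolled back
    return now - ticket.activated_at <= WINDOW_MIN

def replay(gate):
    """Tap in, let the window lapse, restore the unused image, tap again."""
    t = Ticket()
    unused = t.image()
    first = gate(t, now=0)
    expired = gate(t, now=WINDOW_MIN + 1)
    t.restore(unused)
    after_restore = gate(t, now=WINDOW_MIN + 2)
    return first, expired, after_restore

if __name__ == "__main__":
    print("rewritable only:", replay(gate_rewritable))
    print("with one-way punch:", replay(gate_punched))
```

The third value in each result is the gate's decision after the ticket has been restored to its unused image: the rewritable-only gate admits it, the punching gate does not.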
Sobell said when these systems were designed, NFC technology was relatively new and rare. But now that smartphones with NFC technology are ubiquitous, he said the old security assumptions have to change.
“We’re in a totally different environment now where everyone has access to an NFC device. I hope they’re able to deploy an effective fix,” he said.
After that initial discovery, a pair of teenagers discovered a way to cheat the transit system in Turin, Italy. The teens showed off their hacks at a conference so that the companies could fix them. Since then, the problem has been documented in many cities around the world.
Sobell said he hasn’t heard if the transit agencies he notified have changed the way they do business as a result of the revelation.
However, TransLink says its current strategy is not to change the technology, but to manage the problem with other security measures.
Bauer said that TransLink’s central Compass office can detect when a ticket has been reset, and can disable the ticket. If someone is caught with a reset ticket, scanners held by Transit Police can detect those tickets, and the agency would crack down.
“We do have multiple layers of security. Tampering with the system is an offense,” he said.
Bauer said that since December, the system has seen only 20 examples of the hack being deployed. It wasn’t readily possible to reconcile that with claims from a person who told CTV News he or she uses this method regularly.
It appears that this method does not allow tickets to be used for more than one day.
Cubic Transportation Systems did not return a request for comment.