LAS VEGAS – Cybersecurity researchers on the DEF CON safety convention disclosed particulars this weekend on three vulnerabilities in well-liked transportation software program that might enable individuals to acquire free public transit rides.
Researchers at cybersecurity agency SafeBreach mentioned they just lately disclosed the vulnerabilities to Israeli agency Moovit, which helps customers plan routes utilizing public transit networks, together with buses, ferries, subways and scooters.
The corporate — which has been owned by Intel by way of a subsidiary since 2020 — operates a number of merchandise and has greater than 1.5 billion customers in additional than 112 nations by way of a Google Maps-like interface for getting round an space.
In some nations, like Israel, it is usually a ticket vendor for the native subway or bus system. Clients in cities like Tel Aviv use the Moovit app to buy tickets which are scanned each at entrance and exit gates. The fare is calculated based mostly on the gap traveled and customers are billed on the finish of the month.
SafeBreach’s Omer Attias and Tomer Bar instructed Recorded Future Information that their purpose was to see if they may hack the system without cost rides in Tel Aviv.
“Ultimately we discovered three alternative ways to get free rides, but in addition methods to pick out a selected consumer and get them to pay for the experience,” mentioned Bar, vice chairman of safety analysis at SafeBreach. “We solely tried it in Israel however we consider that we are able to cost anybody on the planet for a experience.”
Attias, who found the problems and gave a presentation about their findings at DefCon on Sunday, defined that the primary difficulty they discovered was with the characteristic permitting customers to place an account on a brand new gadget.
He was ready to make use of technical instruments to primarily work out numerical identifiers for different accounts and hijack them, permitting him to impersonate others and use their bank cards to cost rides. However Attias famous that this sort of assault was dangerous for hackers as a result of it might disconnect a consumer from the account on their telephone, tipping them off that one thing was mistaken.
He moved on to a different plan of assault that concerned utilizing repeated identifiers in each consumer’s account quantity to acquire not simply entry to an account however the individual’s telephone quantity as properly.
Attias finally managed to determine one other method in that didn’t disconnect accounts however merely used their card.
“Now I used to be in a position to absolutely impersonate accounts with out disconnecting them from the unique gadget. This additionally meant I’d entry all of their private data. With the knowledge collected by way of my script, I had the flexibility to entry every of those accounts and retrieve their private data, together with their bank cards and particulars about their ongoing rides. This could allow me to trace the placement of customers,” he defined, noting that he created a database of the private data had entry to, which included their authorities ID, electronic mail handle, telephone quantity, residence handle, and extra.
“Every account additionally had a reduction profile that decided the share of low cost it obtained. For instance, individuals over the age of 75 in Israel get free public transportation. If I used such an account to order a practice ticket, there could be no cost for the fare.”
Bar confirmed Recorded Future Information a video of the researchers testing their findings, noting that they even created an app referred to as “Experience With SafeBreach” permitting them to successfully automate their exploitation of the Moovit app.
They disclosed their findings to Moovit, which they mentioned took fast motion to patch and remediate the entire points. No buyer motion is required to handle the problems.
In an announcement to Recorded Future Information, Moovit PR supervisor Sharon Kaslassi mentioned the corporate is now conducting inside and exterior audits “usually to safe consumer’s data and privateness.”
“In September 2022, a safety researcher disclosed vulnerabilities which might affect Moovit consumer accounts for fee and ticket validation for public transport,” she mentioned.
“Moovit was conscious of and rectifying the problem when it was reported, and took fast steps to complete correcting the problem. In response to our information, neither SafeBreach or anybody else took benefit of any buyer information.”
Bar mentioned their findings would facilitate “the proper crime” as a result of they may get entry to the private information of billions of individuals whereas additionally getting fee data from a smaller subset of customers.
He added that that they had a number of classes with Moovit’s staff to handle the vulnerabilities they discovered and verified that fixes for the problems labored.
However Bar warned that different instruments could also be weak to comparable points. A number of cities, together with New York, are ditching longtime card or coin-based methods in favor of app-based fee instruments.
“We at all times say, ‘go hack your self,’” he mentioned. “As a result of in an effort to discover in case you are weak or not, you must take a look at your methods. That is the one method you’ll be able to know in the event you’re weak or not.”
Jonathan Greig is a Breaking Information Reporter at Recorded Future Information. Jonathan has labored throughout the globe as a journalist since 2014. Earlier than transferring again to New York Metropolis, he labored for information retailers in South Africa, Jordan and Cambodia. He beforehand coated cybersecurity at ZDNet and TechRepublic.