Pirates board public transport with app hack

Corethree apps that enable digital tickets deemed "laughable" by hacking group

Greater Manchester's Metrolink

Mobile phone apps for public transport could be manipulated to create free tickets, it has emerged, after an activist group hacked two Manchester-based services.

The hackers were able to generate digital tickets by exploiting a security flaw in the QR codes the apps use.

Both the First Bus app and the Metrolink app, called "get me there", were developed by Corethree, a company that makes mobile ticketing apps such as Transport for London's cycle hire app and the Arriva bus app.

The group, which calls itself 'The Public Transport Pirate Association of the United Kingdom', released its findings on Reddit and called Corethree's security "laughable at best".

"We could tell you guys really tried, but in the end focused too much on low-tech threats (i.e. taking a screenshot of a ticket and sending it to a friend) to be much of a challenge to even a novice hacker/reverse engineer," the group said.

The apps create QR codes that function as e-tickets, but the keys used to generate these codes are stored inside the apps themselves. "We'd especially like to thank you for including the private RSA keys to sign the QR codes in the First Bus m-ticket app," the group added.
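A pre-release check for the flaw described above, private signing keys shipped inside the app package, added here as an example that is not from the article, Corethree or the group. The function names and sample packages are constructed for illustration; it assumes the package is a zip archive (as Android APKs are) and looks only for PEM-armoured keys.

```python
import io
import re
import zipfile

# PEM armour lines that mark private key material (PKCS#1, PKCS#8, EC, DSA, OpenSSH).
PRIVATE_KEY_MARKER = re.compile(
    rb"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
)

def find_private_keys(package_bytes):
    """Return sorted (member, marker) pairs for every private-key header in a zip package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            data = pkg.read(info)
            for match in PRIVATE_KEY_MARKER.finditer(data):
                findings.append((info.filename, match.group(0).decode("ascii")))
    return sorted(findings)

def release_gate(package_bytes):
    """True when the package may ship, False when it carries private key material."""
    return not find_private_keys(package_bytes)

def build_sample_package(files):
    """Build an in-memory zip from {member_name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, content in files.items():
            pkg.writestr(name, content)
    return buf.getvalue()

# Constructed samples: key bodies are placeholders, not real key material.
LEAKY = build_sample_package({
    "assets/config.json": b'{"endpoint": "https://example.invalid"}',
    "assets/ticket_signing.pem": b"-----BEGIN RSA PRIVATE KEY-----\n"
                                 b"PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "res/raw/ticket_verify.pem": b"-----BEGIN PUBLIC KEY-----\n"
                                 b"PLACEHOLDER\n-----END PUBLIC KEY-----\n",
})
CLEAN = build_sample_package({
    "res/raw/ticket_verify.pem": b"-----BEGIN PUBLIC KEY-----\n"
                                 b"PLACEHOLDER\n-----END PUBLIC KEY-----\n",
})

if __name__ == "__main__":
    for member, marker in find_private_keys(LEAKY):
        print(f"BLOCK RELEASE: {member} contains {marker}")
    print("clean package may ship:", release_gate(CLEAN))
```

A public verification key in the package passes the gate; only private key headers block it. Keys stored as raw DER or split across strings in compiled code would not be caught by this scan, so it complements rather than replaces keeping the signing key on the server.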

The group believes that public transport should be free to all, and gave this as its reason for going public with the findings, adding that the research is its "contribution to get us closer to that end".

The initial release focuses on the Greater Manchester area, but the group said it can be easily adapted to other transportation networks that use the Corethree middleware for their electronic tickets.

"We've been made aware that there has been attempted fraudulent activity relating to the 'get me there' app and we've reported the matter to the police," Danny Vaughan, Transport for Greater Manchester's Head of Metrolink, told The Telegraph.

"We want to assure customers that the security of customer data is paramount and we've been informed by our suppliers that no personal data has been compromised. Customers will be able to continue to purchase tickets as usual."

A spokesperson for Corethree said: "We are working with Transport for Greater Manchester, First Bus Manchester and the police to address the issue. As you will understand with a situation like this, we are unable to comment further at this time."
