News

Pirates board public transport with app hack

Corethree apps that enable digital tickets deemed "laughable" by hacking group

4 Sep 2019

Mobile phone apps for public transport could be manipulated to create free tickets, it has emerged, after an activist group hacked two Manchester-based services.

The hackers were able to generate digital tickets by exploiting a security flaw in the QR codes the apps use.

Both the First Bus app and the Metrolink app, called "get me there", were developed by Corethree, a company that makes mobile ticketing apps, such as Transport for London's cycle hire app and also the Arriva bus app.

The group, who call themselves 'The Public Transport Pirate Association of the United Kingdom', released its findings on Reddit and called Corethree's security "laughable at best".

"We could tell you guys really tried, but in the end focused too much on low-tech threats (i.e. taking a screenshot of a ticket and sending it to a friend) to be much of a challenge to even a novice hacker/reverse engineer," the group said.

The apps create QR codes that function as e-tickets, but the apps store the keys used to generate these codes on the apps themselves. "We'd especially like to thank you for including the private RSA keys to sign the QR codes in the First Bus m-ticket app," the group added.

The group believes that public transport should be free to all and this is the reasoning for going public with the findings, adding that the research is its "contribution to get us closer to that end".

The initial release focuses on the Greater Manchester area, but the group said it can be easily adapted to other transportation networks that use the Corethree middleware for their electronic tickets.

"We've been made aware that there has been attempted fraudulent activity relating to the 'get me there' app and we've reported the matter to the police," Danny Vaughan, Transport for Greater Manchester's Head of Metrolink, told The Telegraph.

"We want to assure customers that the security of customer data is paramount and we've been informed by our suppliers that no personal data has been compromised. Customers will be able to continue to purchase tickets as usual."

A spokesperson for Corethree said: "We are working with Transport for Greater Manchester, First Bus Manchester and the police to address the issue. As you will understand with a situation like this, we are unable to comment further at this time."