Pirates board public transport with app hack

Corethree apps that enable digital tickets deemed "laughable" by hacking group

Greater Manchester's Metrolink

Mobile phone apps for public transport could be manipulated to create free tickets, it has emerged, after an activist group hacked two Manchester-based services.

The hackers were able to generate digital tickets by exploiting a security flaw in the QR codes the apps use.

Both the First Bus app and the Metrolink app, called "get me there", were developed by Corethree, a company that makes mobile ticketing apps, such as Transport for London's cycle hire app and also the Arriva bus app.

The group, who call themselves 'The Public Transport Pirate Association of the United Kingdom', released its findings on Reddit and called Corethree's security "laughable at best".

"We could tell you guys really tried, but in the end focused too much on low-tech threats (i.e. taking a screenshot of a ticket and sending it to a friend) to be much of a challenge to even a novice hacker/reverse engineer," the group said.

The apps create QR codes that function as e-tickets, but the apps store the keys used to generate these codes on the apps themselves. "We'd especially like to thank you for including the private RSA keys to sign the QR codes in the First Bus m-ticket app," the group added. 

The group believes that public transport should be free to all and this is the reasoning for going public with the findings, adding that the research is its "contribution to get us closer to that end".

The initial release focuses on the Greater Manchester area, but the group said it can be easily adapted to other transportation networks that use the Corethree middleware for their electronic tickets.

"We've been made aware that there has been attempted fraudulent activity relating to the 'get me there' app and we've reported the matter to the police," Danny Vaughan, Transport for Greater Manchester's Head of Metrolink, told The Telegraph.

"We want to assure customers that the security of customer data is paramount and we've been informed by our suppliers that no personal data has been compromised. Customers will be able to continue to purchase tickets as usual."

A spokesperson for Corethree said: "We are working with Transport for Greater Manchester, First Bus Manchester and the police to address the issue. As you will understand with a situation like this, we are unable to comment further at this time."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

FBI warns of ongoing corporate vishing attacks
phishing

FBI warns of ongoing corporate vishing attacks

19 Jan 2021
Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021
Cyber criminals bypassing MFA to access cloud service accounts
two-factor authentication (2FA)

Cyber criminals bypassing MFA to access cloud service accounts

14 Jan 2021
Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021