Pirates board public transport with app hack

Corethree apps that enable digital tickets deemed "laughable" by hacking group

Greater Manchester's Metrolink

Mobile phone apps for public transport could be manipulated to create free tickets, it has emerged, after an activist group hacked two Manchester-based services.

The hackers were able to generate digital tickets by exploiting a security flaw in the QR codes the apps use.

Both the First Bus app and the Metrolink app, called "get me there", were developed by Corethree, a company that makes mobile ticketing apps, such as Transport for London's cycle hire app and also the Arriva bus app.

The group, who call themselves 'The Public Transport Pirate Association of the United Kingdom', released its findings on Reddit and called Corethree's security "laughable at best".

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"We could tell you guys really tried, but in the end focused too much on low-tech threats (i.e. taking a screenshot of a ticket and sending it to a friend) to be much of a challenge to even a novice hacker/reverse engineer," the group said.

The apps create QR codes that function as e-tickets, but the apps store the keys used to generate these codes on the apps themselves. "We'd especially like to thank you for including the private RSA keys to sign the QR codes in the First Bus m-ticket app," the group added. 

The group believes that public transport should be free to all and this is the reasoning for going public with the findings, adding that the research is its "contribution to get us closer to that end".

The initial release focuses on the Greater Manchester area, but the group said it can be easily adapted to other transportation networks that use the Corethree middleware for their electronic tickets.

"We've been made aware that there has been attempted fraudulent activity relating to the 'get me there' app and we've reported the matter to the police," Danny Vaughan, Transport for Greater Manchester's Head of Metrolink, told The Telegraph.

"We want to assure customers that the security of customer data is paramount and we've been informed by our suppliers that no personal data has been compromised. Customers will be able to continue to purchase tickets as usual."

Advertisement - Article continues below

A spokesperson for Corethree said: "We are working with Transport for Greater Manchester, First Bus Manchester and the police to address the issue. As you will understand with a situation like this, we are unable to comment further at this time."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020