Pirates board public transport with app hack

Corethree apps that enable digital tickets deemed "laughable" by hacking group

Greater Manchester's Metrolink

Mobile phone apps for public transport could be manipulated to create free tickets, it has emerged, after an activist group hacked two Manchester-based services.

The hackers were able to generate digital tickets by exploiting a security flaw in the QR codes the apps use.

Both the First Bus app and the Metrolink app, called "get me there", were developed by Corethree, a company that makes mobile ticketing apps, such as Transport for London's cycle hire app and also the Arriva bus app.

The group, who call themselves 'The Public Transport Pirate Association of the United Kingdom', released its findings on Reddit and called Corethree's security "laughable at best".

"We could tell you guys really tried, but in the end focused too much on low-tech threats (i.e. taking a screenshot of a ticket and sending it to a friend) to be much of a challenge to even a novice hacker/reverse engineer," the group said.

The apps create QR codes that function as e-tickets, but the apps store the keys used to generate these codes on the apps themselves. "We'd especially like to thank you for including the private RSA keys to sign the QR codes in the First Bus m-ticket app," the group added. 

The group believes that public transport should be free to all and this is the reasoning for going public with the findings, adding that the research is its "contribution to get us closer to that end".

The initial release focuses on the Greater Manchester area, but the group said it can be easily adapted to other transportation networks that use the Corethree middleware for their electronic tickets.

"We've been made aware that there has been attempted fraudulent activity relating to the 'get me there' app and we've reported the matter to the police," Danny Vaughan, Transport for Greater Manchester's Head of Metrolink, told The Telegraph.

"We want to assure customers that the security of customer data is paramount and we've been informed by our suppliers that no personal data has been compromised. Customers will be able to continue to purchase tickets as usual."

Advertisement - Article continues below

A spokesperson for Corethree said: "We are working with Transport for Greater Manchester, First Bus Manchester and the police to address the issue. As you will understand with a situation like this, we are unable to comment further at this time."

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

Most Popular

Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/data-insights/big-data/354311/google-reveals-uks-most-searched-for-terms-in-2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019