A hacker has created an application that allows you free travel on the Moscow metro and surface transport
The user of the resource “Habrahabr” told about the vulnerability in the system the card, and created an application that allows free recharge balance. The “hacked” card can be used for fare payment in public transport.
Developed by Igor Shevtsov explained that the purpose of his study was to test the security system against counterfeiting of balance and safety assessment of infrastructure, working with a map. All work was conducted without the use of special technical means — he only needed a smartphone with NFC-chip. To search vulnerability it took him 15 days. To crack the system Igor Shevtsov used the mobile application “My travel”, through which he was able to access the memory card and to study the structure of data storage.
“Most of the time took up the study of the structure of the data in the memory card. This was possible due to the fact that data is stored unencrypted. In case, if the data in the memory card have been encrypted, most likely, would require physical penetration into the system working with the map, making the attack significantly more difficult,” writes Shevtsov.
As a result, found the “hole” in the system allowed to perform a fake balance, which is recorded in the electronic purse card “Troika”. The programmer has also created an app called TroikaDumper, which you can download from GitHub, and gave recommendations on how to avoid financial blocking. He noted that providing these materials for informational purposes only.
“Do not operate with amounts of balance over $ 100. Never go to the subway two times with the same time last pass. After recording the dump will update the current time on the map using the validator in land transport. That is, before each pass in the subway you need to perform the cancellation through the yellow validator on the bus or tram,” said hacker.
As stated by the developer, to correct the shortcomings of the system “it is necessary to upgrade the data storage format in memory card and software update of all systems working with map. The representative of the Department of transportation and development of road-transport infrastructure, said that about the vulnerabilities they don’t know anything.