An NFC mobile app exploiting a transit system loophole has been created that enables users to ride trains for free.
Gizmodo reports that Corey Benninger and Max Sobell of the Intrepidus Group have developed the UltraReset app, which preys on vulnerabilities in a number of public transit systems including the New Jersey Path and San Francisco Muni trains where the app proved its effectiveness.
The app works on any NFC-enabled Android device operating 2.3 or later. By using a train card with zero rides, the app refills the account with rides repeatedly at no cost to the user.
The flaw doesn’t lie with NFC, rather it resides within the transit authority system, which did not enact security measures to effectively lock down the read/write permissions. The app has thus far only been tested in New Jersey and San Francisco, but if the loophole is consistent Boston, Seattle, Salt Lake City Chicago, and Philadelphia could be prone to exploitation as well.
Benninger and Sobell recently presented their creation at a security conference in Amsterdam. Despite being warned back in December of 2011, and the recent wave of recent attention and coverage, authorities are yet to close the loophole.
The app— for rather obvious reasons— is not available to the public, but for the time being those tech-savvy hackers will continue to enjoy the free ride.