Full Disclosure: Global Transportation Mobile Ticketing Service Compromised
My name is Ryan. I’m a mobile security researcher, white hat hacker, and I enjoy long sits on the train. A little over a year ago I began contacting relevant authorities to report a vulnerability that made it possible to generate infinite valid/functional tickets for a mobile ticketing platform used by numerous major transportation systems throughout the world. I've spent the last year waiting for the issue to be resolved. A couple of months ago I made a final attempt to get through. I emailed the developer to inform them that I was getting ready to publish this. Today I’m fully disclosing a PoC demonstration along with some brief documentation of this exploit.
Who: This software/service is developed by London based Masabi/Justride.
What: Tickets can be easily cloned. I've tested this exploit on the NYC MTA and Boston MBTA versions of their Android app and can confirm it works on both. I’m not going to throw away money buying tickets to prove every deployment is affected. At this stage the burden would be to prove that they aren't.
Where: “Masabi works in partnership with more than 40 leading transport authorities, operators, partners and cities in North America, Europe, Asia and Australia.”
Here are a few examples: (Ridership = Annual)
MBTA — Launched: 2012 Ridership: ~360 Million
MTA — Launched: 2016 Ridership: ~1.757 Billion
RDT — Launched: 2017 Ridership: ~103 million
Los Angeles’ Metrolink — Launched: 2016 Ridership: ~14.01 million
When: This vector has likely existed since launch.
$>> POC & Description
##This information is solely intended for educational purposes. You are responsible for your actions.##
Requirements: Android Device with TWRP (Team Win Recovery Project), installed.
Sorry for the poor video quality, direct screen recording is not possible because the phones need to be reset.
How to replicate exploit:
1. Install Android App.
2. Buy Ticket.
3. Firewall app.
4. Go into recovery mode and create a backup of System/Data/Cache
5. Start phone, enter app, activate ticket.
6. Enter recovery, go to Advanced Format, format Cache/System/Data, and do a Factory Format (Do not to complete format).
7. Restore backup.
8. Start phone, enter app, activate ticket.
These backups can be carried over to other devices, of the same model, to utilize tickets across multiple devices.
This isn't real hacking/This is just a trick.
I don’t want to give anyone the wrong impression. It’s true that this is not StageFright or ROCA. However, it’s also true that this isn't theoretical or esoteric. Anyone can reproduce this with minimal effort. Furthermore, it shouldn't be confused with a trick. People commonly mistake computer security for stage magic. One notable difference is that in security it’s sometimes the lamest tricks the end up being the biggest show stoppers.
%>> Justification for Disclosure
This is the first time I’ve publicly disclosed a vulnerability. Let me take a moment to forfend any confusion about my motivations.
A) I don’t compromise stuff with any expectations of making money. I like money, but I’ve come to accept that 9 out of 10 companies are far more interested in paying for fake twitter followers than security contributions. That’s their prerogative and that’s fine.
B) I don’t have anything to prove. <pro-tip>I don’t rely on other people for validation, nor do I get it from the sound of hearing myself talk. I validate myself by enthusiastically searching for evidence that I’m wrong about stuff.</pro-tip>
C) I don’t act maliciously, I don’t damage anything, I don’t steal anything, and I don’t abuse any gained privileges. Why? Ethics, that and the fact that I assume I’m just as vulnerable as everyone else. You don’t have to be that secure to admit as much, it’s sad how insecure this realization makes the world seem. The reality is that we live in a world filled with unbelievably complex problems where most people are cheap tricks falling over each other trying to sell you some quick fix.
First off, I’ve always made it known that this was the plan. From new diseases to new dimensions, publishing findings has a role to play in advancing legitimate disciplines.
Secondly, A year is a very long time to fix a vulnerability. For context:
“..under Google’s zero-day disclosure policy in which if it believes the flaw is a dangerous enough it will only provide a 7-day deadline for software firms to patch the bug.”
Most importantly, the longer this problem persists the larger the scale of any potential damages. Damages which ultimately fall on tax payers, riders, and transportation authorities due to lost ticket revenue. It would be a refreshing change if in this case the potential losses were officially acknowledged by Masabi; especially considering how they go about marketing themselves.
Growth Stories: To Win The Game, Rewrite The Rules
How does a small British company win major technology contracts with large public authorities in the U.S., against…
I’ll try to sum up a good portion of their marketing as best I can. Masabi only makes money if it succeeds in processing ticket purchases through it’s service. On top of that, it does so with minimal upfront costs/overall financial risk to the public/private transportation authorities. This is admirable enough, and it certainly seems to have worked out quite well.
So, how could it fail?…. Well, for one thing, if Masabi in essence put ticket counterfeiting machines in every user’s hands. Additionally they could ignore the issue completely for a year. I digress.
This problem isn't just a harmless oversight, it isn't very hard to figure out, and you don’t need any special equipment or knowledge to replicate it. Any person or group could have easily worked the system on a massive scale for years now.
What is the bottom line?
Sure, Masabi only profits when people use their service, in theory clients will save money on ticket printing, and it doesn't really cost transportation systems anything if no one uses this mobile ticketing service.
However, this is the crux: Masabi doesn't lose any money when people steal tickets, they just make less money.
&>>> Further Insights
Some additional insights that are worth mentioning, but wouldn't qualify as vulnerabilities per se.
A) “Masabi Beta Labs” previously published a copy of their ticket scanning app JustRide Inspect to Google’s Play Store. It no longer appears on the Play Store. However, through the miracle of regular Google it can still be found on a number of 3rd party Play Store mirrors. Without credentials the app’s features are severely limited. Obviously I don’t have credentials. This might not be apparent to everyone, so let me take a second to explain why I have no interest in credentials. There is a major difference between poking around software on your device and anything involving a private area on another party’s systems. Gaining unauthorized access to an email account, FTP, or a the employee area of a ticket collection service crosses a line. The only time anything in this project touches the network is during the purchase of a legitimate ticket. Fortunately, de-compiling the app and exploring the accessible areas still affords a unique glimpse at the other side of the equation.
I’m not going to get into all of the intricacies of how easily it is to get away with using this exploit. Suffice it to say that a person could spend ~$50 on a cheap device, sufficiently damage the display, and likely never be caught using this method.
B) It appears that back in 2015 someone posted sensitive debug logs from the app to Pastebin. I have no clue why, a few possible scenarios come to mind. Though, there’s really no point in speculating since any differentiation is inconsequential in this context. With that said, these logs are far more revealing than anything that I can replicate. They include, among other things, a rich map of the fields and variables, execution sequence, seed characteristics, and a deeper understanding of the API and file system operations. The consequences of this type of exposure could be far reaching. At a minimum this presents a very alluring foothold to an audience that may have otherwise passed on by. This is the type of thing that could pique the curiosity of someone who ends up discovering and exploiting some completely unrelated vector. Through the miracle of wishful thinking the real range of possibilities comes into focus. What if we were able to glean enough meaningful insight to completely reverse engineer the process of generating valid QR codes? Remember, these QR codes still scan even if the scanner is offline. The scanner isn't holding every possible valid ticket. Case and point, what if you buy a ticket ½ way through the trains route, hop on and the scanner has been offline since the train originally departed? Obviously the ticket still needs to function.
C) A long running theme in cyber-security is to not acknowledge vulnerabilities. For this reason, it’s become my belief that there is no higher honor than when a company destroys their user’s experience in an attempt to address your findings.
This update was pushed to the MBTA app several weeks after I reached out to Masabi. When you see something like this there are two questions you need to ask.
1) Does this actually fix the problem? Nope. I’m honestly not sure if this is a serious attempt to remedy the issue.
2) How much is this going to suck for the users? Overall, probably not much. Even if it does annoy a lot of people just a little bit. However, through the miracle of user feedback/reviews on the Play Store it’s easy to see this change eventually ruining at least one person’s day. Imagine you get on a train heading to work and your phone bill is overdue… That’s right, you played the game by the rules and still you end up being screwed. Meanwhile, people breaking the rules adapted to this change seamlessly and haven’t looked back.
Ultimately, after further testing, I don’t consider this to be an earnest attempt at fixing the problem, so let’s reserve judgment until we see what future updates bring.
I don’t have anything else to add at this time, but will follow-up as appropriate.
Feel free to submit any comments/feedback.
I’m happy to answer any questions.
#>> Special Thanks
Special thanks to the MTA Conductors & Detectives at the MTA PD who took the time to engage with me on this issue, tried helping me get the word out, and being the only ones who actually took this situation seriously.