Published on September 5th, 2019
Hackers controlled public transport ticket system to get free rides
The public transport system in the city of Manchester, England, has been hacked. According to cybersecurity services specialists, a group of unidentified threat actors hacked the mobile app of the transportation system to generate free subway and bus tickets.
Exploiting a known vulnerability in the QR codes used by the two apps for this service, the hackers managed to generate digital tickets and use the public transportation service without paying. Both mobile apps were created by developer Corethree, which provides services for transport systems in other cities, such as London, as well as for some private companies.
So far, cybersecurity services experts know only that the hacker group responsible calls itself “The Public Transport Pirate Association of the United Kingdom”. The group published its findings in multiple Reddit forum groups, where it also mocked the company’s “ridiculous” security measures. “The app prevents users from taking screenshots of travel tickets and sending them to others, and that’s the only security feature that actually works,” the hackers said.
The compromised apps create QR codes that function as electronic tickets, but the keys used to generate and authenticate these tickets are stored within the very same app. “We especially want to thank Corethree for facilitating access to private RSA keys to sign QR codes,” the hackers said ironically in their Reddit post, which has already been
In their post, the hackers also said that the main motivation for the attack was to protest against charging for the use of public transport in the city, which they believe should be a free service.
Although the intrusion has already been corrected and the company is working on providing greater protections against cyberattacks, experts in cybersecurity services from the International Institute of Cyber Security (IICS) say that this attack method could easily be adapted to other transport systems in the UK that use similar mobile apps.
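As an added example (not from the original article or from Corethree), here is a release-gate check for the flaw described above, private signing keys shipped inside the app. The Python script scans a zip-format app package for PEM private-key headers while ignoring public keys; the package contents and file names are constructed for illustration.

```python
import io
import re
import zipfile

# PEM headers that mark private key material (PKCS#1, PKCS#8, SEC1, OpenSSH).
# A "PUBLIC KEY" or "CERTIFICATE" header does not match and is not reported.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)


def find_private_keys(package_bytes):
    """Return sorted (entry_name, key_label) pairs for every private-key PEM
    header found in a zip-format app package (APK and IPA are zip archives)."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            data = pkg.read(info)  # decompressed entry contents
            for match in PRIVATE_KEY_RE.finditer(data):
                findings.add((info.filename, match.group(1).decode("ascii")))
    return sorted(findings)


def build_sample_package(include_private_key):
    """Constructed sample: a tiny zip standing in for a mobile app build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("assets/verify_pub.pem",
                     "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n"
                     "-----END PUBLIC KEY-----\n")
        pkg.writestr("res/raw/strings.txt", "Your ticket is ready")
        if include_private_key:
            pkg.writestr("assets/ticket_signing.pem",
                         "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n"
                         "-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Fail the release step when any private key is present in the package.
    for label, flag in (("flawed build", True), ("fixed build", False)):
        hits = find_private_keys(build_sample_package(flag))
        print(label, "->", hits or "no private keys found")
```

The check only recognises PEM-armoured keys, so a clean result does not prove a build is free of key material in other encodings.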