Free Muni Ride Smartphone Hack? Not So Fast.
Seems like quite a lot of work to save $2. And if you can afford an Android phone, you should probably pay for your bus ride, no?
Nevertheless, the security specialists, Corey Benninger and Max Sobell from the Intrepidus Group, have alerted the SFMTA as well as New Jersey’s PATH system, both transit systems that could be vulnerable to this kind of hack.
Intrepidus staffers met with Muni and PATH officials last year to notify them of the potential for abuse. The firm also presented the information at a security conference in Europe last week.
“We had hoped this would be fixed on both systems before we released this data, but our understanding is that’s not planned for possibly years down the line,” Benninger said.
Since other transit agencies could adopt a similar payment system, they wanted to highlight the security issues.
A limited version of Intrepidus’ app is available to transit agencies that want to test whether their smart cards are vulnerable. But it doesn’t have the capability to change or reset the cards’ data, Benninger said.
The SFMTA told SFGate that they have not noticed any discernible change in the use of paper Limited Use fare cards. A fix for the security hole could be costly, but one option could be to reduce the 90-day life of these types of tickets to discourage hacking, SFGate reports.