India metro smart cards vulnerable to ‘free top-up’ bug • TechCrunch
Smart card error lets anyone ride the metro for free
India’s mass rapid transit systems – or the metro, as it’s known locally – rely on passenger smart cards that are vulnerable to exploitation and allow anyone to effectively travel for free.
Security researcher Nikhil Kumar Singh discovered a bug affecting the smart card system of Delhi Metro. The researcher told TechCrunch that the bug exploits the top-up process and allows anyone to recharge a metro smart card as many times as they want.
Singh told TechCrunch that he discovered the bug after inadvertently obtaining a free top-up on his metro smart card using an add-value machine at a Delhi metro station.
Singh says the bug exists because the metro recharge system does not properly verify payments when a traveler credits their metro smart card using a station’s add-value machine. The lack of checks, he said, means the smart card can be tricked into believing it has been credited even when the add-value machine says the purchase has failed. The payment in this case is marked as pending and is subsequently refunded, allowing a person to effectively ride the metro for free.
“I tried it on the Delhi metro system and was able to get a free recharge,” Singh told TechCrunch. “I still have to start the recharge by paying with PhonePe or Paytm, but since the recharge is still pending, it will be refunded after 30 days. That is why it is technically free.”
Singh shared with TechCrunch a proof-of-concept video he recorded in February showing how a smart card can be tricked into adding value to a Delhi metro card. After gaining a better understanding of the bug, the researcher took it to the Delhi Metro Rail Corporation (DMRC) the next day. In response, the DMRC asked Singh to share details of the bug via email, which he did, along with a technical report and a log file showing the bug in action, which TechCrunch has seen. On March 16, Singh received a standard response acknowledging receipt of his email, but received no further responses.
Singh told TechCrunch that the unfixed problem lies with the smart cards themselves. Delhi Metro relies on MiFare DESFire EV1 smart cards manufactured by Dutch chip maker NXP. Other metro systems, including Bengaluru’s, also use the same smart card system.
“If the technical infrastructure is the same on other government metro trains, this bug will work there as well,” Singh told TechCrunch.
This is not the first time that security researchers have discovered problems with the same brand of smart cards. Previous research has found similar vulnerabilities affecting the same DESFire EV1 smart cards used by Delhi Metro and, among others, European mass transit systems. In 2020, MiFare introduced DESFire EV3 as a contactless solution with better security.
Singh suggested that the smart card error could be fixed if metro systems moved to DESFire EV3 cards.
Three DMRC spokesmen did not respond to multiple emails seeking comment. When reached, an NXP spokesperson (via an agency) was unable to provide comment by press time. The Bengaluru Metro Rail Corporation, the body responsible for the city’s metro service, also did not comment.