Bus pass or bus ass? Hackers peeved about public transport claim to have reverse engineered ticket app for free rides

A hacker collective has said that it found the private keys for a Manchester bus company’s QR code ticketing app embedded in the app itself – and has now released its own ride-buses-for-free code.

In an interview with The Register, the hacker claiming to be behind the breach of First Buses’ ticketing app said he had noticed how it “would let you purchase a ticket and activate it offline later”.

The hacker, who would only identify himself as “Buspiraten”, said he had become “pissed off with how expensive and messed up the public transport was” and “wanted to do something about it”.

He described how he used Titanium Backup to make a copy of the bus ticket app’s data, which eventually led him down the path of reverse engineering the app – where he discovered “the entire thing was client side”.

Buspiraten told El Reg: “The RSA private keys to sign the QR code were right there as PEM files in the APK.”

In a public statement posted on a Tor site (here, for the curious), the “Public Transport Pirate Association of the United Kingdom” declared that they had released the whole ticket generation routine in JavaScript. Rather than going down the responsible disclosure route and telling app developers Corethree about it, Buspiraten told The Register: “The code is a political statement for public transport reform.”

Buspiraten said he hoped releasing the ticketing app’s innards to world+dog would “accelerate undoing the harms that private control of public transport has done in UK cities… public transport free at the point of use for everybody.” He told El Reg that he had been using the code for over a year before releasing it publicly earlier this week.

“We might do a larger release for more UK cities in time for EMF next year,” Buspiraten added, referring to the Electromagnetic Field Festival, an outdoors hacker festival.

Duncan Brown, Chief Security Strategist EMEA at Forcepoint, told us:

“Our view is that this is symptomatic of the deprofessionalisation of the development community over the last ten years, and the lack of emphasis on security and testing in today’s appdev world. Last year we saw over 21,000 vulnerabilities registered in the CVE database: the industry is churning out poorly tested and poorly secured code, especially in mobile and IoT platforms. The RSA private key inclusion is no worse that hard-coding passwords into set-top boxes and home routers.”

Corethree, developers of First Buses’ app, told The Register: “We are aware of the story and are working with Transport for Greater Manchester, First Bus Manchester and the police to address the issue. As you will understand with a situation like this, we are unable to comment further at this time.”

Transport for Greater Manchester shrugged off our request for comment by batting it to First Buses.

First Buses told us: “We are aware of this claim and are investigating with our suppliers as a matter of priority.” ®

READ MORE HERE