Abstract
The growing shift from private to public transportation and the increasing use of smartphones have led to the development of digital transport ticketing systems. Such systems allow transport operators to enhance their services and income, and are therefore important assets that require secure implementation and protocols. This paper uncovers a range of vulnerabilities in the m-tickets app used by Lothian Buses, one of the leading transport operators in the United Kingdom (UK). The vulnerabilities identified enable attackers to predict, reactivate and modify tickets, all of which can have damaging consequences for the operator's business. We further reveal poor implementation of encryption mechanisms, which can lead to information leakage, as well as how adversaries could harness the operator's infrastructure to launch Denial of Service attacks. We propose several improvements to mitigate the weaknesses identified, in particular an alternative digital ticketing system, which can serve as a blueprint for increasing the robustness of similar apps.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Sanz Maroto, J., Liu, H., Patras, P. (2020). On the Struggle Bus: A Detailed Security Analysis of the m-tickets App. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science, vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_14
DOI: https://doi.org/10.1007/978-3-030-62974-8_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62973-1
Online ISBN: 978-3-030-62974-8
eBook Packages: Computer Science, Computer Science (R0)