Researchers discover vulnerabilities in Moovit software allowing free subway rides
LAS VEGAS – Cybersecurity researchers at the DEF CON security conference disclosed details this weekend on three vulnerabilities in popular transportation software that could allow people to obtain free public transit rides.
Researchers at cybersecurity firm SafeBreach said they recently disclosed the vulnerabilities to Israeli firm Moovit, which helps users plan routes using public transit networks, including buses, ferries, subways and scooters.
The company — which has been owned by Intel through a subsidiary since 2020 — operates several products and has more than 1.5 billion users in more than 112 countries through a Google Maps-like interface for getting around an area.
In some countries, like Israel, it is also a ticket vendor for the local subway or bus system. Customers in cities like Tel Aviv use the Moovit app to purchase tickets that are scanned at both entrance and exit gates. The fare is calculated from the distance traveled and users are billed at the end of the month.
SafeBreach’s Omer Attias and Tomer Bar told Recorded Future News that their goal was to see if they could hack the system for free rides in Tel Aviv.
“Eventually we found three different ways to get free rides, but also ways to select a specific user and get them to pay for the ride,” said Bar, vice president of security research at SafeBreach. “We only tried it in Israel but we believe that we can charge anyone in the world for a ride.”
Attias, who discovered the issues and gave a presentation about the findings at DEF CON on Sunday, explained that the first issue they found was in the feature that lets users move an account onto a new device.
By working out the numerical identifiers assigned to other accounts, he was able to hijack them, impersonate their owners and charge rides to their credit cards. But Attias noted that this kind of attack was risky for hackers because it would disconnect the victim from the account on their own phone, tipping them off that something was wrong.
He moved on to another line of attack that used identifiers repeated across every user's account number to obtain not just access to an account but the person's phone number as well.
Attias eventually found yet another way in that did not disconnect the victim's device at all but simply charged their card.
“Now I was able to fully impersonate accounts without disconnecting them from the original device. This also meant I would access all of their personal information. With the information collected through my script, I had the ability to access each of these accounts and retrieve their personal information, including their credit cards and details about their ongoing rides. This would enable me to track the location of users,” he explained, noting that he created a database of the personal information he had access to, which included government ID, email address, phone number, home address, and more.
“Each account also had a discount profile that determined the percentage of discount it received. For example, people over the age of 75 in Israel get free public transportation. If I used such an account to order a train ticket, there would be no charge for the fare.”
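The flaw Attias describes is the classic broken object-level authorization pattern: an account identifier supplied by the client is trusted, and because the identifiers are small sequential numbers, a script can walk the whole range. The following Python is an added illustration written for this page, not Moovit's code, API or data; the handler names, the sample accounts, the discount values and the request-log format are all constructed assumptions. It shows a vulnerable "link my account to a new device" handler next to a hardened one that binds the target to the authenticated session, the enumeration loop an attacker would run against each, an unguessable identifier for new designs, and a detection function that flags a source touching many distinct account IDs or any session that targets an account other than its own.

```python
"""Generic illustration of the sequential-identifier account takeover described
above. Constructed for this page: not Moovit's code, API or data; every name,
account and log line here is an assumption."""
import re
import secrets
from collections import defaultdict

# Constructed sample accounts with guessable, sequential numeric IDs.
ACCOUNTS = {
    1001: {"name": "alice", "phone": "+972-50-0000001", "discount_pct": 0},
    1002: {"name": "bob", "phone": "+972-50-0000002", "discount_pct": 100},
    1003: {"name": "carol", "phone": "+972-50-0000003", "discount_pct": 50},
}


class AuthorizationError(Exception):
    """Raised when a caller targets an account that is not its own."""


def link_device_vulnerable(session_account_id, target_account_id, device):
    """Vulnerable 'move my account to a new device' handler (assumed shape).

    The target account comes from the request and is never compared with the
    authenticated session, so any logged-in user can bind a device to any
    account whose numeric ID they guess and read back that account's profile.
    """
    profile = dict(ACCOUNTS[target_account_id])
    profile["device"] = device
    return profile


def link_device_hardened(session_account_id, target_account_id, device):
    """Same handler with object-level authorization: a session may only link
    a device to the account it is already authenticated as."""
    if target_account_id != session_account_id:
        raise AuthorizationError("session may only modify its own account")
    profile = dict(ACCOUNTS[target_account_id])
    profile["device"] = device
    return profile


def enumerate_accounts(handler, attacker_session_id, start, count):
    """Attacker loop: walk a contiguous ID range and collect every profile the
    handler hands back. Against the hardened handler only the attacker's own
    account comes back."""
    hits = []
    for acct_id in range(start, start + count):
        if acct_id not in ACCOUNTS:
            continue
        try:
            profile = handler(attacker_session_id, acct_id, "attacker-phone")
        except AuthorizationError:
            continue
        hits.append((acct_id, profile["phone"], profile["discount_pct"]))
    return hits


def new_account_id():
    """Unguessable identifier for new accounts: 128 bits from the OS CSPRNG,
    which cannot be walked like 1001, 1002, 1003. Defence in depth on top of
    the authorization check, never a replacement for it."""
    return secrets.token_urlsafe(16)


# Constructed request log lines for the detection side (assumed format).
LOG_LINE = re.compile(r"src=(\S+) session=(\d+) target=(\d+)")
SAMPLE_LOG = """\
src=10.0.0.5 session=1001 target=1001
src=10.0.0.9 session=1003 target=1001
src=10.0.0.9 session=1003 target=1002
src=10.0.0.9 session=1003 target=1003
src=10.0.0.9 session=1003 target=1004
src=10.0.0.7 session=1002 target=1002
"""


def flag_enumeration(log_text, threshold=3):
    """Flag a source that targets at least `threshold` distinct account IDs,
    and any source whose session targets an account other than its own.
    Returns the sorted list of offending source addresses."""
    targets = defaultdict(set)
    cross_account = set()
    for m in LOG_LINE.finditer(log_text):
        src, session, target = m.group(1), int(m.group(2)), int(m.group(3))
        targets[src].add(target)
        if session != target:
            cross_account.add(src)
    over_threshold = {s for s, t in targets.items() if len(t) >= threshold}
    return sorted(over_threshold | cross_account)


if __name__ == "__main__":
    print(enumerate_accounts(link_device_vulnerable, 1003, 1000, 10))
    print(enumerate_accounts(link_device_hardened, 1003, 1000, 10))
    print(flag_enumeration(SAMPLE_LOG))
```

The authorization check is the fix; the random identifier only raises the cost of guessing, and the log rule is the kind of signal a transit operator could alert on while a fix ships, since a single source walking consecutive account IDs looks nothing like a commuter linking one phone.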
Bar showed Recorded Future News a video of the researchers testing their findings, noting that they even created an app called “Ride With SafeBreach” allowing them to effectively automate their exploitation of the Moovit app.
They disclosed their findings to Moovit, which they said took immediate action to patch and remediate all of the issues. No customer action is needed to address the issues.
In a statement to Recorded Future News, Moovit PR manager Sharon Kaslassi said the company now conducts internal and external audits “regularly to secure users' information and privacy.”
“In September 2022, a security researcher disclosed vulnerabilities which could impact Moovit user accounts for payment and ticket validation for public transport,” she said.
“Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue. According to our records, neither SafeBreach nor anyone else took advantage of any customer data.”
Bar said their findings would facilitate “the perfect crime” because they could get access to the personal data of billions of people while also getting payment information from a smaller subset of users.
He added that they had multiple sessions with Moovit’s team to address the vulnerabilities they found and verified that fixes for the issues worked.
But Bar warned that other tools may be vulnerable to similar issues. Several cities, including New York, are ditching longtime card or coin-based systems in favor of app-based payment tools.
“We always say, ‘go hack yourself,’” he said. “Because in order to find if you are vulnerable or not, you should test your systems. That's the only way you can know if you're vulnerable or not.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.