
Perth SmartRider public transport cards popped by student researchers

Hack the Planet uni club lands in court over 'white hat' MiFare probe

WAHckon University students in the Australian city of Perth have landed in hot water, with one charged by police, after finding and exploiting severe holes to rewind travel charges incurred using the city's SmartRider public transport smart card.

The Murdoch University students reported the flaws to SmartRider operator TransPerth and inflicted what is estimated to be about $18 in losses, which were covered in later balance recharges. However, local authorities considered the university security research an act of fraud.

One student is appealing a conviction, while a second, involved only in the earlier parts of the research effort, was not charged.

Murdoch University second-year student Jack Carruthers pled guilty and was handed a "spent conviction", a type of criminal conviction that does not result in a permanent record that will show up in background checks.

Carruthers and his colleagues undertook the research as part of their university security club Hack The Planet. Carruthers is the club's president.

Members exploited the identified flaws in an effort to demonstrate the vulnerabilities at Perth train stations, in the knowledge that the act could see them breach state laws.

Carruthers and his fellow researchers found still-existing failings in the MIFARE Classic SmartRider system that allowed them to roll back charges to cards, enabling free travel.

"It is possible to replay an autoload (direct debit recharge) and keep getting more credit," Carruthers told the WAHckon security conference in Perth last Sunday.

"The costs came out to $18 and the smart riders had $20 worth of credit, so I thought we were in the clear but the judge was of the opinion that my damning confession was all that was needed."

Jack Carruthers. Image Darren Pauli / The Register


Carruthers says he later considered himself "quite lucky" to have been given only a spent conviction.

Officers showed up at Carruthers' door about two months later, taking his laptop and 'all of his clothes' to prove he was the individual captured in CCTV photos.

The researchers say the project was documented as part of the hacking club in what could conceivably demonstrate the academic intention of the work.

The conviction comes at a time when the Turnbull Government, under its Cyber Security Strategy, is spending big, in part to help lure students into university information security courses and train them.

Smart Rider cards. Darren Pauli / The Register.


Carruthers says TransPerth is planning a fix but will likely have to invest in an expensive upgrade of cards to systems including the more secure MIFARE DESFire EV2.

He says the agency says it will "remain vigilant" for possible reload attacks until the upgrade.

MIFARE Classic has long been known to be vulnerable to compromise. The Christchurch bus system, which then operated the platform, was popped in similar 2013 research by Melbourne security bod William Turner, who found he could load cards with any amount of money. ®
