A smart card bug lets anyone ride the metro for free
India’s mass rapid transit systems — or metro, as it’s known locally — rely on commuter smart cards that are vulnerable to exploitation and allow anyone to effectively travel for free.
Security researcher Nikhil Kumar Singh discovered a bug impacting Delhi Metro’s smart card system. The researcher told TechCrunch that the bug exploits the top-up process that allows anyone to recharge the metro train’s smart card as many times as they want.
Singh told TechCrunch he discovered the bug after inadvertently getting a free top-up on his metro smart card using an add-value machine at a Delhi Metro station.
The bug exists, Singh says, because the metro recharge system does not properly verify payments when a traveler credits their metro smart card using a station add-value machine. He said that the lack of checks means a smart card can …