The public transport system in the city of Manchester, England, has been hacked. According to cybersecurity services specialists, a group of unidentified threat actors hacked the mobile app of the transportation system to generate free subway and bus tickets.
Exploiting a known vulnerability in the QR codes used by the two mobile applications for this service, the hackers managed to generate digital tickets and use public transport without paying. Both apps were created by developer Corethree, which provides services for transport systems in other cities, such as London, as well as for some private companies.
So far, cybersecurity services experts only know that the hacker group responsible calls itself “The Public Transport Pirate Association of the United Kingdom”. The group published its findings in multiple Reddit forum groups, where it also mocked the company’s “ridiculous” security measures. “The app prevents users from taking screenshots of travel tickets and sending them to others, and that’s the only security feature that actually works,” the hackers said.
The compromised apps create QR codes that function as electronic tickets, but the keys used to generate and authenticate these tickets are stored within the very same app. “We especially want to thank Corethree for facilitating access to private RSA keys to sign QR codes,” the hackers ironically mentioned in their Reddit post, which has already been removed.
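The flaw described above comes down to a private signing key shipping inside the client. As an added example (not code from the original article or from Corethree), this Python release check scans an app package for embedded private keys in PEM or DER PKCS#8 RSA form; the entry names and sample bundle are constructed, and keys stored base64-encoded or obfuscated are outside its scope.

```python
import io
import re
import zipfile

# PEM armor used for PKCS#1, PKCS#8, EC and encrypted private keys.
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# DER PKCS#8 RSA private key: version INTEGER 0, the rsaEncryption
# AlgorithmIdentifier, then an OCTET STRING tag (0x04). A DER public key has
# no version field and carries a BIT STRING (0x03), so it does not match.
DER_PKCS8_RSA = bytes.fromhex("020100" "300d06092a864886f70d0101010500" "04")


def find_private_keys(archive_bytes):
    """Return sorted (entry, kind) pairs for private keys in a zip/APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as bundle:
        for info in bundle.infolist():
            if info.is_dir():
                continue
            data = bundle.read(info)
            if PEM_PRIVATE.search(data):
                findings.append((info.filename, "pem-private-key"))
            if DER_PKCS8_RSA in data:
                findings.append((info.filename, "der-pkcs8-rsa-private-key"))
    return sorted(findings)


def build_sample_bundle(with_private_keys=True):
    """Constructed sample package; entry names and contents are made up."""
    spki = bytes.fromhex("30820122" "300d06092a864886f70d0101010500" "0382010f00")
    entries = {
        "assets/verify_pub.pem": b"-----BEGIN PUBLIC KEY-----\nSAMPLE\n",
        "res/raw/verify_pub.der": spki + bytes(16),
    }
    if with_private_keys:
        entries["assets/ticket_signing.pem"] = (
            b"-----BEGIN RSA PRIVATE KEY-----\nSAMPLE-NOT-A-REAL-KEY\n")
        entries["res/raw/ticket_signing.der"] = (
            bytes.fromhex("308204be") + DER_PKCS8_RSA + bytes(16))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        for name, data in entries.items():
            bundle.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_private_keys(build_sample_bundle()):
        print(f"FAIL {kind}: {name}")
```

A client that only needs to check tickets should carry a public key at most; any finding from this check means signing material has left the server side.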
In their post, the hackers also said that their main motivation for the attack was to protest against charging for the use of public transport in the city, which they consider should be a free service.
Although the intrusion has already been corrected and the company is working on providing greater protections against cyberattacks, experts in cybersecurity services from the International Institute of Cyber Security (IICS) mention that this attack method could easily be adapted to other transport systems in the UK that use similar mobile apps.