India’s mass rapid transit systems — or metro, as it’s known locally — rely on commuter smart cards that are vulnerable to exploitation and allow anyone to effectively travel for free.
Security researcher Nikhil Kumar Singh discovered a bug impacting Delhi Metro’s smart card system. The researcher told TechCrunch that the bug is in the top-up process and allows anyone to recharge a metro smart card as many times as they want.
Singh told TechCrunch he discovered the bug after inadvertently getting a free top-up on his metro smart card using an add-value machine at a Delhi Metro station.
The bug exists, Singh says, because the metro recharge system does not properly verify payments when a traveler credits their metro smart card using a station add-value machine.
He said that the lack of checks means a smart card can be tricked into thinking it was topped up even when the add-value machine says that the purchase failed. A payment in this case is marked as pending, and subsequently refunded, allowing the person to effectively ride the metro for free.
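The failure Singh describes is a card credit that is not tied to a confirmed payment. As an added illustration (not code from the article or from Delhi Metro; the record fields, status names and sample data are assumptions constructed here), this sketch gates the card write on a settled payment and reconciles issued credits against final payment status:

```python
from dataclasses import dataclass

# Payment states assumed for this sketch; only SETTLED means money was received.
SETTLED, PENDING, FAILED, REFUNDED = "settled", "pending", "failed", "refunded"

@dataclass(frozen=True)
class Payment:
    txn_id: str
    amount: int   # rupees
    status: str   # final status reported by the payment processor

@dataclass(frozen=True)
class CardCredit:
    txn_id: str
    card_id: str
    amount: int   # value written to the card by the add-value machine

def authorize_credit(payment, requested_amount):
    """Gate run before value is written to a card: only verified payments pass."""
    return (payment is not None and payment.status == SETTLED
            and payment.amount == requested_amount)

def reconcile(credits, payments):
    """Return (credit, reason) for each card credit not backed by a settled payment."""
    by_id = {p.txn_id: p for p in payments}
    findings = []
    for c in credits:
        p = by_id.get(c.txn_id)
        if p is None:
            findings.append((c, "no payment record"))
        elif p.status != SETTLED:
            findings.append((c, f"payment {p.status}"))
        elif p.amount != c.amount:
            findings.append((c, "amount mismatch"))
    return findings

# Constructed sample records (hypothetical transaction and card ids).
PAYMENTS = [Payment("T1", 200, SETTLED), Payment("T2", 500, REFUNDED),
            Payment("T3", 100, PENDING)]
CREDITS = [CardCredit("T1", "CARD-A", 200), CardCredit("T2", "CARD-B", 500),
           CardCredit("T3", "CARD-C", 100), CardCredit("T4", "CARD-D", 300)]

if __name__ == "__main__":
    for credit, reason in reconcile(CREDITS, PAYMENTS):
        print(credit.card_id, credit.txn_id, reason)
```

The gate prevents the credit at the machine; the reconciliation pass catches credits that slipped through, such as one issued while the payment was pending and later refunded.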