India's mass rapid transit systems — or metro, as it's known locally — rely on commuter smart cards that are vulnerable to exploitation and allow anyone to effectively travel for free.
Security researcher Nikhil Kumar Singh discovered a bug impacting Delhi Metro's smart card system. The researcher told TechCrunch that the bug affects the top-up process and allows anyone to recharge a metro smart card as many times as they want.
Singh told TechCrunch he discovered the bug after inadvertently getting a free top-up on his metro smart card using an add-value machine at a Delhi Metro station.
The bug exists, Singh says, because the metro recharge system does not properly verify payments when a traveler credits their metro smart card using a station add-value machine. He said that the lack of checks means a smart card can be tricked into thinking it was topped up even when the add-value machine says that the purchase failed. A payment in this case is marked as pending, and subsequently refunded, allowing the person to effectively ride the metro for free.
"I tried it on Delhi Metro's system and was able to get a free recharge," Singh told TechCrunch. "I still have to initiate a recharge by paying for it using PhonePe or Paytm, but because the recharge still remains pending, it will be refunded after 30 days. That is why it is technically free," he said.
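The missing check described above can be illustrated from the operator's side as a reconciliation pass that flags any card credit not backed by a settled payment. This is an added example, not code from the article, the researcher or DMRC; the record layout, state names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class PaymentState(Enum):  # assumed gateway states, not DMRC's actual values
    PENDING = "pending"
    SETTLED = "settled"
    REFUNDED = "refunded"

@dataclass(frozen=True)
class Payment:
    txn_id: str
    amount: int
    state: PaymentState

@dataclass(frozen=True)
class CardCredit:  # value written to a card by an add-value machine
    txn_id: str
    card_id: str
    amount: int

def unbacked_credits(credits, payments):
    """Return (credit, reason) for every credit lacking one settled, matching payment."""
    by_txn = {p.txn_id: p for p in payments}
    seen, findings = set(), []
    for c in credits:
        p = by_txn.get(c.txn_id)
        if c.txn_id in seen:
            findings.append((c, "duplicate credit"))
        elif p is None:
            findings.append((c, "no payment record"))
        elif p.state is not PaymentState.SETTLED:
            findings.append((c, f"payment {p.state.value}"))
        elif p.amount != c.amount:
            findings.append((c, "amount mismatch"))
        seen.add(c.txn_id)
    return findings

def exposure_by_card(findings):
    """Total unbacked value per card, for prioritising follow-up."""
    totals = {}
    for c, _ in findings:
        totals[c.card_id] = totals.get(c.card_id, 0) + c.amount
    return totals

# Constructed sample records (not real data).
PAYMENTS = [Payment("T1", 200, PaymentState.SETTLED), Payment("T2", 500, PaymentState.PENDING),
            Payment("T3", 300, PaymentState.REFUNDED), Payment("T4", 100, PaymentState.SETTLED)]
CREDITS = [CardCredit("T1", "CARD-A", 200), CardCredit("T2", "CARD-B", 500),
           CardCredit("T3", "CARD-B", 300), CardCredit("T4", "CARD-C", 100),
           CardCredit("T4", "CARD-C", 100), CardCredit("T9", "CARD-D", 50)]

if __name__ == "__main__":
    for credit, reason in unbacked_credits(CREDITS, PAYMENTS):
        print(credit.card_id, credit.txn_id, credit.amount, reason)
```

The same condition, applied before value is written to the card rather than afterwards, is the payment verification the researcher says is absent.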
Singh shared with TechCrunch a proof-of-concept video he recorded in February showing how a smart card can be duped into adding value to a Delhi Metro card. After better understanding the bug, the researcher reached out to the Delhi Metro Rail Corporation (DMRC) a day later. In response, the DMRC asked Singh to share the details of the bug over email, which he did, along with a technical report and a log file demonstrating the bug in action, which TechCrunch has seen. On March 16, Singh received a boilerplate reply, acknowledging the receipt of his email, but did not receive any further responses.
Singh told TechCrunch that the issue, which has not been fixed, exists in the smart cards themselves. Delhi Metro relies on MiFare DESFire EV1 smart cards manufactured by Dutch chipmaker NXP Semiconductors. Other metro systems, including Bengaluru, also use the same smart card system.
"If the technical infrastructure is the same in other state metro trains, then this bug will work there too," Singh told TechCrunch.
It's not the first time security researchers have found issues with the same brand of smart cards. Past research found similar vulnerabilities affecting the same DESFire EV1 smart cards that Delhi Metro uses, as well as other European mass transit systems. In 2020, MiFare introduced the DESFire EV3 as its contactless solution with better security.
Singh suggested that the smart card bug could be fixed if the metro systems migrate to DESFire EV3 cards.
Three DMRC spokespeople did not answer multiple emails seeking comment. When reached, a spokesperson for NXP (via agency) was unable to provide comment by the time of publication. Bengaluru Metro Rail Corporation, the body responsible for the city's metro service, also did not comment.