According to Igor Shevtsov's post, all of the work was carried out without special technical equipment: it required only an Android smartphone with an NFC chip. Finding the vulnerability took him 15 days. To break the system, Shevtsov used the mobile application “My travel”, through which he was able to gain access to the card's memory and explore its storage structure.
Most of the time was spent studying the data structures in the card's memory. This was possible because the data is stored unencrypted. Had the data on the card been encrypted, the attack would most likely have required physically breaking into a system that works with the card, which would have made it much more difficult.
As a result, the “holes” found in the system made it possible to forge the balance recorded in the electronic wallet of the “Troika” card. The programmer also created an Android app called TroikaDumper, which can be downloaded from GitHub, and made recommendations on how to avoid a financial block.
Do not use a balance of more than 100 rubles. Never pass through the subway twice with the same last-pass time. After writing a dump, refresh the current time on the card using a validator in surface transport. That is, before each passage into the subway, a fare has to be written off at a yellow validator on a bus or tram.
According to the developer, to correct the system's defects, “the data storage format in the memory card must be improved and the software of all systems operating with the card updated.” The representative of the Department of Transportation and Development of Road Transport Infrastructure stated that they were not aware of the vulnerabilities.
Cristina Ulasovich