On the Struggle Bus: A Detailed Security Analysis of the m-tickets App

Jorge Sanz Maroto; Haoyu Liu; Paul Patras

doi:10.1007/978-3-030-62974-8_14

On the Struggle Bus: A Detailed Security Analysis of the m-tickets App

Jorge Sanz Maroto, Haoyu Liu, Paul Patras

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Abstract

The growing shift from private to public transportation and the increasing use of smartphones have lead to the development of digital transport ticketing systems. Such systems allow transport operators to enhance their services and income, therefore are important assets that require secure implementation and protocols. This paper uncovers a range of vulnerabilities in the m-tickets app used by Lothian Buses, one of the leading transport operators in the United Kingdom (UK). The vulnerabilities identified enable attackers to predict, reactivate and modify tickets, all of which can have damaging consequences to the operator’s business. We further reveal poor implementation of encryption mechanisms, which can lead to information leakage, as well as how adversaries could harness the operator’s infrastructure to launch Denial of Service attacks. We propose several improvements to mitigate the weaknesses identified, in particular an alternative digital ticketing system, which can serve as a blueprint for increasing the robustness of similar apps

Original language	English
Title of host publication	Information Security (ISC 2020)
Editors	Willy Susilo, Robert H. Deng, Fuchun Guo, Yannan Li, Rolly Intan
Publisher	Springer
Pages	234-252
Number of pages	17
ISBN (Electronic)	978-3-030-62974-8
ISBN (Print)	978-3-030-62973-1
DOIs	https://doi.org/10.1007/978-3-030-62974-8_14
Publication status	Published - 25 Dec 2020
Event	23rd Information Security Conference - Virtual Conference Duration: 16 Dec 2020 → 20 Dec 2020 https://isc2020.petra.ac.id/

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	12472
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	23rd Information Security Conference
Abbreviated title	ISC 2020
City	Virtual Conference
Period	16/12/20 → 20/12/20
Internet address	https://isc2020.petra.ac.id/

Keywords / Materials (for Non-textual outputs)

Mobile app security
Reverse-engineering
Information leakage

Access to Document

10.1007/978-3-030-62974-8_14Licence: All Rights Reserved

m_tickets_ISCAccepted author manuscript, 959 KB

https://link.springer.com/chapter/10.1007/978-3-030-62974-8_14Licence: All Rights Reserved

Cite this

@inbook{6aab65bd137140b5b1b60bfb7527024d,

title = "On the Struggle Bus: A Detailed Security Analysis of the m-tickets App",

abstract = "The growing shift from private to public transportation and the increasing use of smartphones have lead to the development of digital transport ticketing systems. Such systems allow transport operators to enhance their services and income, therefore are important assets that require secure implementation and protocols. This paper uncovers a range of vulnerabilities in the m-tickets app used by Lothian Buses, one of the leading transport operators in the United Kingdom (UK). The vulnerabilities identified enable attackers to predict, reactivate and modify tickets, all of which can have damaging consequences to the operator{\textquoteright}s business. We further reveal poor implementation of encryption mechanisms, which can lead to information leakage, as well as how adversaries could harness the operator{\textquoteright}s infrastructure to launch Denial of Service attacks. We propose several improvements to mitigate the weaknesses identified, in particular an alternative digital ticketing system, which can serve as a blueprint for increasing the robustness of similar apps",

keywords = "Mobile app security, Reverse-engineering, Information leakage",

author = "{Sanz Maroto}, Jorge and Haoyu Liu and Paul Patras",

year = "2020",

month = dec,

day = "25",

doi = "10.1007/978-3-030-62974-8_14",

language = "English",

isbn = "978-3-030-62973-1",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "234--252",

editor = "Willy Susilo and Deng, {Robert H.} and Fuchun Guo and Yannan Li and Rolly Intan",

booktitle = "Information Security (ISC 2020)",

address = "United Kingdom",

note = "23rd Information Security Conference, ISC 2020 ; Conference date: 16-12-2020 Through 20-12-2020",

url = "https://isc2020.petra.ac.id/",

}

Sanz Maroto, J, Liu, H & Patras, P 2020, On the Struggle Bus: A Detailed Security Analysis of the m-tickets App. in W Susilo, RH Deng, F Guo, Y Li & R Intan (eds), Information Security (ISC 2020). Lecture Notes in Computer Science, vol. 12472, Springer, pp. 234-252, 23rd Information Security Conference, Virtual Conference, 16/12/20. https://doi.org/10.1007/978-3-030-62974-8_14

On the Struggle Bus: A Detailed Security Analysis of the m-tickets App. / Sanz Maroto, Jorge; Liu, Haoyu; Patras, Paul.
Information Security (ISC 2020). ed. / Willy Susilo; Robert H. Deng; Fuchun Guo; Yannan Li; Rolly Intan. Springer, 2020. p. 234-252 (Lecture Notes in Computer Science; Vol. 12472).

Research output: Chapter in Book/Report/Conference proceeding › Chapter

TY - CHAP

T1 - On the Struggle Bus: A Detailed Security Analysis of the m-tickets App

AU - Sanz Maroto, Jorge

AU - Liu, Haoyu

AU - Patras, Paul

PY - 2020/12/25

Y1 - 2020/12/25

N2 - The growing shift from private to public transportation and the increasing use of smartphones have lead to the development of digital transport ticketing systems. Such systems allow transport operators to enhance their services and income, therefore are important assets that require secure implementation and protocols. This paper uncovers a range of vulnerabilities in the m-tickets app used by Lothian Buses, one of the leading transport operators in the United Kingdom (UK). The vulnerabilities identified enable attackers to predict, reactivate and modify tickets, all of which can have damaging consequences to the operator’s business. We further reveal poor implementation of encryption mechanisms, which can lead to information leakage, as well as how adversaries could harness the operator’s infrastructure to launch Denial of Service attacks. We propose several improvements to mitigate the weaknesses identified, in particular an alternative digital ticketing system, which can serve as a blueprint for increasing the robustness of similar apps

AB - The growing shift from private to public transportation and the increasing use of smartphones have lead to the development of digital transport ticketing systems. Such systems allow transport operators to enhance their services and income, therefore are important assets that require secure implementation and protocols. This paper uncovers a range of vulnerabilities in the m-tickets app used by Lothian Buses, one of the leading transport operators in the United Kingdom (UK). The vulnerabilities identified enable attackers to predict, reactivate and modify tickets, all of which can have damaging consequences to the operator’s business. We further reveal poor implementation of encryption mechanisms, which can lead to information leakage, as well as how adversaries could harness the operator’s infrastructure to launch Denial of Service attacks. We propose several improvements to mitigate the weaknesses identified, in particular an alternative digital ticketing system, which can serve as a blueprint for increasing the robustness of similar apps

KW - Mobile app security

KW - Reverse-engineering

KW - Information leakage

U2 - 10.1007/978-3-030-62974-8_14

DO - 10.1007/978-3-030-62974-8_14

M3 - Chapter

SN - 978-3-030-62973-1

T3 - Lecture Notes in Computer Science

SP - 234

EP - 252

BT - Information Security (ISC 2020)

A2 - Susilo, Willy

A2 - Deng, Robert H.

A2 - Guo, Fuchun

A2 - Li, Yannan

A2 - Intan, Rolly

PB - Springer

T2 - 23rd Information Security Conference

Y2 - 16 December 2020 through 20 December 2020

ER -

On the Struggle Bus: A Detailed Security Analysis of the m-tickets App

Abstract

Publication series

Conference

Keywords / Materials (for Non-textual outputs)

Access to Document

Fingerprint

Cite this