these Swiss managed to fool the Easyride function

these Swiss managed to fool the Easyride function
these Swiss managed to fool the Easyride function

By fooling the SBB and Easyride, ETH researchers were able to travel for free.

Researchers from ETH Zurich have succeeded in fooling SBB’s Easyride function. They tampered with location data without the company’s controllers realizing it. The latter has since reacted and promises to review the reliability of its controls.

05/16/2024, 11:5005/16/2024, 2:07 p.m.

The controller saw nothing but fire: researchers from ETH Zurich have succeeded in thwarting the SBB’s Easyride function by manipulating location data on certain smartphones. When the tickets were checked, the fraud was not detected, the experts explain in a press release. The CFF never contacted them about this, so their trip was free.

How to explain it? A year ago, computer security professor Kaveh Razavi and his team hypothesized that it was possible to cheat the Easyride feature. They wanted to test it by altering the location data of smartphones. Thus, GPS coordinates were substituted with falsified, but realistic, information.

The Easyride function is indeed location-dependent: instead of purchasing a traditional ticket, passengers can “check in” on the SBB app before a public transport journey and “de-register” at the end of it. . They present the controller with a QR code which confirms the activation of Easyride. During the journey, the application constantly sends location data to a server. This then calculates the distance traveled and the cost of the journey is then billed to the user.

A bachelor’s degree in computer science is enough

ETH researchers managed to manipulate data to pretend that a user was only traveling in the city center, without using public transport, when in fact he was sitting on the train taking him to a other locality. The researchers point out that during all the tests, they also had a valid ticket on them, but that they showed the controller the Easyride QR code on the tampered phones.

The experts took two approaches: either a program generated the falsified location data directly on the smartphone, or the smartphone was connected to a server running the SBB app. This server produced the falsified location data in the form of a QR code, which was then sent to a mobile phone.

Manipulation certainly requires specialized knowledge, those responsible for the test recognize.

“However, computer science students have these skills from the bachelor level”

Kaveh Razavi

Going further, one could even consider a smartphone program and online service that would provide falsified, but realistic, location data. These would allow people without any knowledge in the matter to commit fraud.

The CFF has updated its application

“Developers should not consider location data from a smartphone as reliable data,” explains doctoral student Michele Marazzi, who participated in this research.

“This is what we wanted to highlight with our work”

To solve this problem, ETH scientists offer two solutions: verify the location using reliable geographic markers. Or fundamentally change the way phones transmit their location, in order to make manipulations much more complex.

The researchers reported this vulnerability to SBB and were in contact with their specialists last year. Following these discussions, the SBB declares having strengthened the control of location data. They also want to point out that defrauding Easyride is subject to sanctions.

According to the company, manipulations are now detected a posteriori and are the subject of legal proceedings. However, for security reasons, SBB has not disclosed the precise details of this verification process.

(Translated and adapted by Valentine Zenker)

More articles about SBB



PREV “Senegal risks not being able to feed itself in 2050,” warns the deputy general director of the PSS project – VivAfrik
NEXT What to remember from the initial contact visit of its new CEO Cheikh Dieng