ETH researchers tested a specially prepared smartphone on several train journeys from Zurich to the capital of a neighboring state. Their misconduct went unnoticed by ticket inspectors, and there was no further contact from SBB. Rather, SBB calculated the cost of bogus small trips that do not involve public transport. In other words, the researchers were able to travel for free using his EasyRide. They showed the EasyRide QR code to the ticket inspector and emphasized that they also had a valid ticket at all times.
Today's location data is unreliable
Operating a smartphone requires specialized knowledge, which Razavi said is common to students pursuing a bachelor's degree in computer science. With the right criminal ambitions, it is also possible to provide smartphone programs combined with online services to provide false but plausible location data to tricksters who do not have the necessary IT skills.
“The basic truth is that smartphone location data can be manipulated and is not completely reliable,” says Michele Marazzi, a PhD student in Razavi's group. “Therefore, app developers should not treat this data as trustworthy, which is what we wanted to emphasize with our project.” Like the SBB app, location data is the basis for calculating and billing services. This vulnerability requires additional attention when used.
Comparison with reliable data is necessary
Researchers have proposed two ways to solve this problem. Either verify location data using reliable positioning notifications, or design smartphones to make such operations more difficult. The first approach makes it possible to compare data provided by a user's smartphone with location data trusted by the carrier, such as location data provided by mobile devices carried by vehicles or ticket inspectors. Become.
The second approach is trickier. This will require getting smartphone hardware and operating system developers on board and convincing them to introduce new types of tamper-proof localization technologies. “However, until that happens, all services that are required to rely on location information provided by smartphones should do nothing other than validate this data to the extent possible using trusted sources of location data. There is no choice,” says ETH's Professor Razavi.
ETH researchers informed SBB about the vulnerability in the EasyRide function and have been in contact with the company's experts over the past year, presenting solutions to make the function more secure.
SBB emphasizes that using manipulated location data in combination with the EasyRide feature is a violation. According to SBB, the company has improved the validation of location data sent to its servers following information provided by a research team at ETH Zurich. Instances of manipulation are now discovered after the fact and offenders prosecuted. For security reasons, SBB does not disclose exactly how the checks are performed.
