India metro smart cards vulnerable to a ‘free top-up’ bug

India’s mass rapid transit (or metro) systems rely on commuter smart cards, which are vulnerable to exploitation and allow anyone to effectively travel for free.

Nikhil Kumar Singh, a security researcher, discovered a flaw in the Delhi Metro’s smart card system. According to the researcher, the bug takes advantage of the top-up process, which allows anyone to recharge the metro train’s smart card as many times as they want. Singh told TechCrunch that he discovered the bug after inadvertently receiving a free top-up on his metro smart card at a Delhi Metro station’s add-value machine.

According to Singh, the bug exists because the metro recharge system does not properly verify payments when a traveller credits their metro smart card at a station add-value machine. He claims that because there are no checks, a smart card can be tricked into thinking it was topped up even when the add-value machine says the purchase failed. In this case, a payment is marked as pending and then refunded, effectively allowing the person to ride the metro for free.