'RSA private keys' baked into Manchester firm's software
A hacker collective has said that it found the private keys for a Manchester bus company's QR code ticketing app embedded in the app itself – and has now released its own ride-buses-for-free code.
In an interview with The Register, the hacker claiming to be behind the breach of First Buses' ticketing app said he had noticed how it "would let you purchase a ticket and activate it offline later".
The hacker, who would only identify himself as "Buspiraten", said he had become "pissed off with how expensive and messed up the public transport was" and "wanted to do something about it".
He described how he used Titanium Backup to make a copy of the bus ticket app's data, which eventually led him down the path of reverse engineering the app – where he discovered "the entire thing was client side".
Buspiraten told El Reg: "The RSA private keys to sign the QR code were right there as PEM files in the APK."
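For developers shipping an app of this kind, a release-gate check for the failure described above: it opens an APK as a zip archive and flags any entry carrying a PEM private-key header. This is an added example, not code from the article or the app; the archive entry names and the filler "key" body are constructed for the demonstration.

```python
import io
import re
import zipfile

# PEM armor for private keys: PKCS#1 (RSA), SEC1 (EC), DSA, OpenSSH, PKCS#8.
# "PUBLIC KEY" and "CERTIFICATE" blocks are deliberately not matched.
PEM_PRIVATE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)

def find_private_keys(apk_bytes):
    """Return sorted (entry_name, pem_label) pairs for each private-key header found."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)  # decompressed entry contents
            for match in PEM_PRIVATE.finditer(data):
                hits.add((info.filename, match.group(1).decode()))
    return sorted(hits)

def build_sample_apk():
    """Constructed sample archive; entry names are hypothetical, bodies are filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr(
            "assets/ticket_signing.pem",
            b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        )
        z.writestr(
            "assets/verify.pem",
            b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n",
        )
        z.writestr("res/raw/config.json", b'{"offline_activation": true}')
    return buf.getvalue()

if __name__ == "__main__":
    findings = find_private_keys(build_sample_apk())
    for name, label in findings:
        print(f"FAIL {name}: embedded {label}")
    # Non-zero exit fails the release pipeline when a private key is packaged.
    raise SystemExit(1 if findings else 0)
```

The check only sees PEM text, so a key stored as DER or otherwise encoded passes it. The durable fix is to sign tickets on a server and ship at most the public key for verification.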
Buspiraten said he hoped releasing the ticketing app's innards to world+dog would "accelerate undoing the harms that private control of public transport has done in UK cities... public transport free at the point of use for ever ..