Hackers Release "Ride Buses For Free" Code After Stealing Private Keys of a Bus Company's QR Code Ticketing App

'RSA private keys' baked into Manchester firm's software

A hacker collective has said that it found the private keys for a Manchester bus company's QR code ticketing app embedded in the app itself – and has now released its own ride-buses-for-free code.

In an interview with The Register, the hacker claiming to be behind the breach of First Buses' ticketing app said he had noticed how it "would let you purchase a ticket and activate it offline later".

The hacker, who would only identify himself as "Buspiraten", said he had become "pissed off with how expensive and messed up the public transport was" and "wanted to do something about it".

He described how he used Titanium Backup to make a copy of the bus ticket app's data, which eventually led him down the path of reverse engineering the app – where he discovered "the entire thing was client side".

Buspiraten told El Reg: "The RSA private keys to sign the QR code were right there as PEM files in the APK."
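A release-gate check for the flaw described above, written here as an added example and not taken from the app or from Corethree: it scans a built APK (a zip archive) for PEM private-key headers before the package ships. The file names and the sample archive are constructed, and the key bodies are placeholder text.

```python
import io
import re
import zipfile

# PEM armour lines that mark private-key material
# (PKCS#1 RSA, SEC1 EC, DSA, PKCS#8 plain and encrypted).
PRIVATE_KEY_MARKER = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"
)


def find_private_keys(apk_bytes):
    """Return sorted (entry name, marker) pairs for every archive member
    that contains a PEM private-key header."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            for match in PRIVATE_KEY_MARKER.finditer(apk.read(info)):
                findings.add((info.filename, match.group().decode("ascii")))
    return sorted(findings)


def release_gate(apk_bytes):
    """True only when the package ships no PEM private key."""
    return not find_private_keys(apk_bytes)


def build_sample_apk(with_private_key=True):
    """Constructed sample laid out like an APK; names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        # A public key for verifying tickets is fine to ship.
        z.writestr("assets/ticket_verify.pem",
                   b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n")
        if with_private_key:
            # The signing key must stay server-side; this entry should fail the gate.
            z.writestr("assets/ticket_sign.pem",
                       b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                       b"-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, marker in find_private_keys(build_sample_apk()):
        print(f"BLOCK RELEASE: {name} contains {marker}")
```

The check only catches PEM-armoured keys; a key stored as raw DER or obfuscated in code needs a different detector, and the underlying fix is to sign tickets on the server so the app holds only a public key.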

In a public statement posted on a Tor site, the "Public Transport Pirate Association of the United Kingdom" declared that they had released the whole ticket generation routine in JavaScript. Rather than going down the responsible disclosure route and telling app developers Corethree about it, Buspiraten told The Register: "The code is a political statement for public transport reform."

Buspiraten said he hoped releasing the ticketing app's innards to world+dog would "accelerate undoing the harms that private control of public transport has done in UK cities... public transport free at the point of use for ever ..