Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free.
The security flaws in the contactless bus ticketing system -- some known to operator ECan since 2009 -- allowed an attacker with trivial effort to lookup the details of travellers via the Metro transport website.
The site also lacked identity validation and mechanisms to prevent bots allowing an attacker to lookup and register users' Metro cards at scale.
Similar flaws meant an attacker could also write a script to erase all bus cards in Christchurch.
To demonstrate the flaws, software developer and security hobbyist William Turner had taken advantage of security weaknesses and hacked a transport card to boost its monetary value to a staggering $167,769.85, and by the same means ran it into the red to the tune of nearly three million dollars.
"If we have physical access to a card we can reprogram it with a balance (because) they are using old standards, default keys and there's no encryption stored on the data on the cards," Turner told delegates at Kiwicon in Wellington.
"We noticed that there was no verification so you can [write a] script pulling most people's addresses out of Christchurch and phone numbers and their dates of birth and ... that's your identity."
He said Kiwis "probably shouldn't use a Metro card" and instead opt for cash. Those who did have a card should register it to prevent attackers stealing their details. Unless they sought free travel.
"... perhaps if your hat is a darker colour, you should be using them: free bus rides, right?"
Turner was able to sniff traffic between a card and the reader using a small device which fit in his wallet enabling him to add new travel cards to the system.
By taking advantage of poor security controls including the absence of device whitelisting -- which would allow only cards generated by ECan -- Turner could create $20 rechargeable cards that could be loaded with any amount of money.
In the event that a card with huge amounts of cash was blocked, it could be reactivated by manipulating an etch number stored on the cards.
"You only need one because you can re-program it," Turner said. "There is no way that they can detect this in the system."
Turner told ECan about the flaws he discovered in order to improve security of the transport system and went public after it was downplayed and the necessary upgrades delayed.
"They planned to upgrade to (the more secure) DESFire in 2011 ... they said they wanted a new flashy-looking website so upgrade of the cards was given low priority," he said.
"I'm kinda hoping that after this is will prompt them to do something."