Trainhack: Students crack ticketing system


Forget Black Hat in Las Vegas. Australia’s Ruxcon is where it’s at, complete with public transport ticketing hacks and shadow figures involved in advanced network security exercises. SC Magazine reports from the sidelines of the conference over the weekend, where a number of Australian students demonstrated how they had hacked an unnamed public transport ticketing system. The publication reports (we recommend you click here for the full article):

“An Australian state public transport system has been cracked by a group of security researchers who were able to replicate cards to enable free travel.”

The Ruxcon precis of the group’s speech (they describe themselves under the team name ‘Trainhack’) states: “This talk will look at different techniques used in black-box reverse engineering of data storage formats, focusing on a case study of an outdated mass transit ticketing system which employed custom cryptography.”

Trainhack describes itself as “a group of security hobbyists currently studying computer science” … who enjoy “sunsets, French films, and coding in dark rooms while listening to repetitive electronic music”. Sounds like the ideal renaissance geek lifestyle partner. One only hopes that the public transport organisation with the weak security has patched its holes following the responsible disclosure of this issue. And that Trainhack stays out of the hands of law enforcement so that it can enjoy the odd Jean-Pierre Jeunet.

Image credit: Benjamin Diehl, royalty free


  1. First prize for anyone who can hack into the Myki system and change the “CSC Pass” message which displays when a card is read at the entry gates to something rather more friendly like … maybe … “welcome” … or something. Seriously … “CSC Pass”? I realise this is probably not high on the priority list of the Myki team, but really. After all these years we have to put up with a message that looks like it was part of a pre-production system testing protocol. Like … is anybody awake at Myki?

  2. What’s the point in hacking a ticket for a system that isn’t fully gated and there’s no way of ensuring people are even buying the correct ticket and not abusing concessions unless they are physically caught with the wrong or no ticket? It’s a technical skite of little real value.
