TIL Teen Arrested After Uncovering System Bug
Budapest e-Ticket system.
This story begins with a startling incident: in 2017 an 18-year-old was taken into custody and accused of 'hacking' Budapest's public transport e-Ticket system, even though he had promptly reported the vulnerability he found a week earlier.
The incident quickly spread online and on social media, and the outrage over the police action took a concrete form: tens of thousands of 1-star reviews flooded the Facebook pages of the organizations involved, the Budapest Transport Authority (BKK), which operates the new service, and T-Systems Hungary, which developed and maintains the e-Ticket system. T-Systems Hungary is owned by Telekom Hungary, a subsidiary of Deutsche Telekom, so it is a significant player with a presence across Europe. The reviews landed on the global/German page, because the Hungarian page did not allow reviews at all.
The story proper began in 2017, when BKK surprised everyone by announcing a mobile, web-based e-Ticketing system. The announcement raised plenty of interest, mine included. It was common knowledge that BKK had been working on an NFC/smart-card system for about four years with nothing to show for the millions of euros spent, so two questions came to mind: "Why this sudden announcement, with no rumors or news beforehand?" and "How will they make it cheat-proof? What copy protection and authentication will it use?"
The first question partly answered itself: they wanted the system available to visitors attending the FINA World Championships in Budapest, and they timed the public launch to coincide with the opening ceremony on July 14th. That decision was worrying on three counts. First, launching such a system without extensive testing, in a city of 1.7 million with a large public transport network, is reckless; the public bike system, built by the same company, went through months of public beta testing with thousands of users despite being far smaller and less important. Second, launching during an event that draws large numbers of tourists is risky. Third, if the goal was to serve visitors, releasing it a few days before the opening would have made more sense, since many tourists arrive early.
The second question was the more interesting one: how would they secure it? What we knew beforehand was that the e-Ticket would be web-based, with no app to install. That is convenient for users, but a web page cannot bind a ticket to one device the way a native app with its own secrets and secure storage can, so it makes copying and fraud much harder to fight.
What happened on launch day left me, a seasoned software engineer, utterly flabbergasted, and I grew up in a small Central (or Eastern, if you prefer) European country during the Soviet era, so my expectations were not high to begin with. We were prepared for minor hiccups and for tickets being duplicated across devices, but what unfolded went far beyond that. The independent press reported the following:
Firstly, the system stored passwords in plain text and emailed them back on request as a "password reminder". Anyone with access to the system (or to the mail in transit) could read users' passwords, and given how common password reuse is, could go on to break into their email and other accounts.
Secondly, once logged in, users could read other users' data, apparently by editing an identifier in the URL, though the news report was not entirely clear on this. The application never checked whether the logged-in user was actually entitled to the record it served, and several people reported getting into other users' profiles. This mattered because registration required a real name, address and an ID number (national ID, driver's license or passport), since these could be checked during ticket inspection.
Thirdly, the ticket did not display correctly in Safari on iPhones.
To make matters worse, the admin password turned out to be "adminadmin". With that credential, an intruder got in.
As expected, the tickets could be copied trivially: a ticket shown as a QR code in a web page is just an image, and a screenshot works as well as the original. A few people even filmed themselves passing ticket control ten times out of ten without being caught. Most ticket inspectors had no QR reader and did not know the app; even those with the equipment failed to catch the offenders.
The most absurd flaw, though, and to my knowledge the first one to come out, was that the system let users set the price of the pass they were buying.
This is the flaw the 18-year-old found, and it is astonishing. He has no programming skills; he simply used the developer tools built into every browser. He noticed that the price was sent from the browser to the server during checkout and tried changing it: a monthly pass, normally 9500 HUF (about 30 EUR), became 50 HUF. Once he had confirmed the trick worked and the pass showed up in the app, he immediately alerted BKK (the Transport Authority) to the problem. The reply was an email saying his pass had been invalidated, and nothing more. When the story reached the press and the system's other problems came up for discussion, BKK and T-Systems Hungary went on the defensive.
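An added example of the price flaw (an illustration for this post, not the real system's code; apart from the monthly pass at 9500 HUF, the product names and prices are made up) showing a purchase handler that charges whatever the browser sent beside one that looks the price up on the server and treats a mismatching client value as tampering:

```javascript
// Constructed server-side price list. A Map rather than a plain object, so a
// productId such as "constructor" cannot resolve to something on the prototype.
const CATALOGUE = new Map([
  ['monthly-pass', 9500],   // the page's figure
  ['single-ticket', 350],   // hypothetical product and price
]);

// Vulnerable: the handler charges whatever the browser sent. Change 9500 to 50
// in the dev tools, resend the request, and a pass is issued for 50 HUF.
function purchaseVulnerable(session, body) {
  if (!session) return { status: 401 };
  return { status: 200, issued: true, product: body.productId, charged: body.price };
}

// Hardened: the client names a product and the server decides the price. The
// client may echo the price it displayed, but only as a consistency check whose
// failure is recorded as tampering; it is never the amount charged.
const tamperAlerts = [];
function purchaseHardened(session, body) {
  if (!session) return { status: 401 };
  const price = CATALOGUE.get(body.productId);
  if (price === undefined) {
    return { status: 400, issued: false, reason: 'unknown product' };
  }
  if (body.price !== undefined && Number(body.price) !== price) {
    tamperAlerts.push({
      user: session.userId, product: body.productId,
      sent: body.price, expected: price,
    });
    return { status: 400, issued: false, reason: 'price mismatch' };
  }
  return { status: 200, issued: true, product: body.productId, charged: price };
}

// Request bodies as the browser would send them; constructed to match the
// page's description of the edit (9500 changed to 50 in the developer tools).
const TAMPERED_BODY = { productId: 'monthly-pass', price: 50 };
const HONEST_BODY = { productId: 'monthly-pass', price: 9500 };

function demo() {
  const session = { userId: 'u1' };   // constructed session
  return {
    vulnerable: purchaseVulnerable(session, TAMPERED_BODY),
    hardenedTampered: purchaseHardened(session, TAMPERED_BODY),
    hardenedHonest: purchaseHardened(session, HONEST_BODY),
  };
}
```

The rule is simple: anything the browser sends is input, including fields the page itself put there. The hardened handler would also have given BKK the alert stream (tamperAlerts) to notice that someone was probing the checkout, instead of learning about it from the reporter's email.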
They spoke of hacker attacks, criticized the public's behavior, conceded that every system can be compromised but stressed how many attacks their firewall had blocked, and said that people had registered with inappropriate names, which they had promptly deleted. At a press conference four days later a T-Systems Hungary representative said they had reported an illegal hacking attempt, hinting at an SQL injection attack; this seemed to point directly at the young 'hacker' who had made the mistake of emailing them in good faith. (For the record, editing a price field with the browser's developer tools is not SQL injection; it is the server trusting a value the client controls.) BKK representatives insisted the system was under constant attack, that every attack had failed, and that the public's data was secure.
A week later came the shocking news: the police raided the young man's home early in the morning and took him into custody (he was released after a few hours). In any functioning democracy the party that files a report is not answerable for what the police do with it afterward, though filing one here was unprofessional and offensive. In Hungary, however, the arrest itself was essentially illegal, and its sole purpose was intimidation.
After the public outcry their stance softened, from accusations and denials to a grudging "We're sorry this happened to him." Even the CEO of T-Systems wrote a somewhat apologetic post, though he never admitted that reporting the young man was a mistake (he put it down to internal policy). He discussed the controversy and noted the lack of a universally accepted consensus on ethical hacking. Curiously, they had earlier argued that this wasn't ethical hacking at all, since nobody had authorized the young man's actions. The reaction of IT professionals made it abundantly clear that a strong consensus does exist within the tech community.
When you piece the events together, every party involved comes out of it badly.
Firstly, BKK accepted a system riddled with amateurish errors. It is no exaggeration to say that a fresh graduate from a coding bootcamp could have built something better in a few weeks; even if that is a stretch, an experienced engineer could certainly have delivered something vastly superior.
Then there is T-Systems Hungary, which agreed to build a solution (probably on an unrealistic deadline) that could not have been adequate even if executed well, because they apparently never worked out how to make the tickets resistant to copying or cheating. They shipped the flawed implementation anyway; some manager evidently approved the release.
Strangely, BKK pays T-Systems Hungary a whopping 80kEUR per month to operate the system. That seems excessive: one month's fee could have covered the entire development of a robust implementation of the idea, perhaps 2-3 times that if you factor in management overhead, extra testing and a hint of corruption. (I have not counted the QR readers and mobile devices some ticket inspectors carry, but those seem to be scarce.)
So why the rush to release during the FINA championship? They claimed it was for testing and gathering feedback so the system could be perfected by September, when the public transport high season begins. Set aside BKK's motives, given that it is a politically controlled organization: how did any competent professional manager let this disaster go live? Did none of the engineers on the team raise concerns with their managers? It is baffling.
Was the rush connected to the FINA event? Why are these parties so vehement about covering it up? In Hungary admitting mistakes is rare, especially in political contexts. Add to this the unwarranted arrest of the person who reported the bug: they could, and according to some legal experts should, simply have issued a citation. What he did most likely wasn't even illegal. He was accused of 'unauthorized influence' on the system, under the offense of 'fraud committed using information systems', but the specific conditions the law sets out were not met, which makes it hard to believe that the police investigated properly (or that T-Systems Hungary gave them all the relevant information).