A weak spot in Metra's Ventra app could result in lost revenues from free rides if not remedied, a Chicago high-tech security firm warns.
How does Chi Networks know this? Staff experts cracked the app and informed Metra about the flaw recently, said the firm's CEO Sanjiv Bawa.
A solution was already in the works and no fares have been stolen, Metra spokesman Michael Gillis said Wednesday.
Only those with significant expertise could hack into the app, which allows riders to purchase and display virtual tickets on their smartphones, Metra and Chi Networks said.
"It's a fairly technical exploit but it's something you cannot allow to exist," said Bawa, a Wheaton resident and Metra commuter, explaining hackers could access unlimited free rides and distribute the technology.
"We were contacted by a representative of Mr. Bawa who told us that his company had discovered a very technical vulnerability," Gillis said. "We then called him to learn more and relayed the information to (app developer) GlobeSherpa. It was an issue for which a fix was already under way and will be made soon."
Chi Networks, which provides cloud services and security, conducts "research work on a wide variety of products out there," Bawa said. "One of our engineers took (the Ventra app) apart and looked at how it worked, how it stored data and transmitted data, and what it did with the data."
Financial information appeared secure. "We did not see anything with respect to credit card numbers," Bawa said.
The engineers experimented with the app and developed tickets extending out to 2023, which Metra does not sell, he noted.
Once the defect is corrected, Chi Networks would happily test it again, Bawa offered.
Metra debuted the app in November. For riders, it includes security features such as a moving screen and changing colors that verify it's a bona fide ticket and prevents images being photographed.
The app also lets riders check their Ventra accounts. Ventra is a cooperative effort with Metra, the CTA and Pace. The CTA and Pace share a Ventra card system.