Tech experts point to Ventra app vulnerability

A weak spot in Metra's Ventra app could result in lost revenues from free rides if not remedied, a Chicago high-tech security firm warns.

How does Chi Networks know this? Staff experts cracked the app and informed Metra about the flaw recently, said the firm's CEO Sanjiv Bawa.

A solution was already in the works and no fares have been stolen, Metra spokesman Michael Gillis said Wednesday.

Only those with significant expertise could hack into the app, which allows riders to purchase and display virtual tickets on their smartphones, Metra and Chi Networks said.

"It's a fairly technical exploit but it's something you cannot allow to exist," said Bawa, a Wheaton resident and Metra commuter, explaining hackers could access unlimited free rides and distribute the technology.

"We were contacted by a representative of Mr. Bawa who told us that his company had discovered a very technical vulnerability," Gillis said. "We then called him to learn more and relayed the information to (app developer) GlobeSherpa. It was an issue for which a fix was already under way and will be made soon."

Chi Networks, which provides cloud services and security, conducts "research work on a wide variety of products out there," Bawa said. "One of our engineers took (the Ventra app) apart and looked at how it worked, how it stored data and transmitted data, and what it did with the data."

Financial information appeared secure. "We did not see anything with respect to credit card numbers," Bawa said.

The engineers experimented with the app and developed tickets extending out to 2023, which Metra does not sell, he noted.

Once the defect is corrected, Chi Networks would happily test it again, Bawa offered.

Metra debuted the app in November. For riders, it includes security features such as a moving screen and changing colors that verify it's a bona fide ticket and prevent images from being photographed.

The app also lets riders check their Ventra accounts. Ventra is a cooperative effort with Metra, the CTA and Pace. The CTA and Pace share a Ventra card system.
