Tech experts point to Ventra app vulnerability

Metra is fixing a technical vulnerability in its smartphone Ventra app. Daily Herald File Photo

Updated 4/20/2016 7:43 PM

A weak spot in Metra's Ventra app could result in lost revenues from free rides if not remedied, a Chicago high-tech security firm warns.

How does Chi Networks know this? Staff experts cracked the app and informed Metra about the flaw recently, said the firm's CEO Sanjiv Bawa.


A solution was already in the works and no fares have been stolen, Metra spokesman Michael Gillis said Wednesday.

Only those with significant expertise could hack into the app, which allows riders to purchase and display virtual tickets on their smartphones, Metra and Chi Networks said.

"It's a fairly technical exploit but it's something you cannot allow to exist," said Bawa, a Wheaton resident and Metra commuter, explaining hackers could access unlimited free rides and distribute the technology.

"We were contacted by a representative of Mr. Bawa who told us that his company had discovered a very technical vulnerability," Gillis said. "We then called him to learn more and relayed the information to (app developer) GlobeSherpa. It was an issue for which a fix was already under way and will be made soon."

Chi Networks, which provides cloud services and security, conducts "research work on a wide variety of products out there," Bawa said. "One of our engineers took (the Ventra app) apart and looked at how it worked, how it stored data and transmitted data, and what it did with the data."

Financial information appeared secure. "We did not see anything with respect to credit card numbers," Bawa said.

The engineers experimented with the app and developed tickets extending out to 2023, which Metra does not sell, he noted.

Once the defect is corrected, Chi Networks would happily test it again, Bawa offered.

Metra debuted the app in November. For riders, it includes security features such as a moving screen and changing colors that verify it's a bona fide ticket and prevent images from being photographed.

The app also lets riders check their Ventra accounts. Ventra is a cooperative effort with Metra, the CTA and Pace. The CTA and Pace share a Ventra card system.
