Zebeth Media Solutions

Booz Allen says former staffer downloaded employees’ personal data • ZebethMedia

U.S. government contractor Booz Allen Hamilton has disclosed that a former staffer downloaded potentially tens of thousands of employees’ personal information from the company’s internal network. The government and defense contractor said that one of its staffers, while still employed by the company, downloaded a report containing the personal information of “active employees as of March 29, 2021.” A copy of Booz Allen’s website archived in March 2021 said the company had 27,600 employees, many of whom are contracted to U.S. government, military and intelligence agencies and hold high-level security clearances. The notice said that the report downloaded by the employee contained, “your name, Social Security number, compensation, gender, race, ethnicity, date of birth, and U.S. Government security clearance eligibility and status as of March 29, 2021.” Booz Allen said the report containing the personal information was “improperly stored on an internal SharePoint site,” but did not say what circumstances led to the discovery of the data, only that it “recently learned” of the staffer’s activity. The data breach notice, filed with the California attorney general’s office this week, said Booz Allen discovered the data exposure on April 14, 2022. The data breach notice said the now-former staffer acted “in direct contradiction” of the company’s policies, but that the company does “not believe that the individual intended to misuse any of the personal information in the report to cause harm to Booz Allen employees.” It’s not clear if the individual has been charged with any criminal offenses.

India’s securities depository CDSL says malware compromised its network • ZebethMedia

India’s leading central securities depository, Central Depository Services Limited, or CDSL, says its systems have been compromised by malware. On Friday, the securities depository said in a filing with India’s National Stock Exchange that it detected malware affecting “a few of its internal machines.” “As a matter of abundant caution, the company immediately isolated the machines and disconnected itself from other constituents of the capital market,” the filing said. CDSL said it continues to investigate, and that it has so far “no reason to believe that any confidential information or the investor data has been compromised” due to the incident. CDSL has not yet revealed the exact details of the malware. At the time of writing, the company’s website was down. The company declined to say if the two are related. Banali Banerjee, an agency spokesperson, said CDSL also declined to answer our other questions, including if the company stores logs that would allow it to determine what, if any, data was exfiltrated from its network. “We are working towards resolutions,” the spokesperson said. Mumbai-based CDSL claims to maintain and service nearly 75 million trader accounts — locally called demat accounts — of investors across the country. The company also counts Bombay Stock Exchange, Standard Chartered Bank, and Life Insurance Corporation among its significant shareholders. Founded in 1999, CDSL is India’s only publicly listed depository and the country’s second-largest after the National Depository Services Limited, or NDSL, the oldest securities depository. CDSL allows the holding of securities and their transactions in electronic form and facilitates trade settlements on stock exchanges. “The CDSL team has reported the incident to the relevant authorities and is working with its cyber security advisors to analyze the impact,” the company said in its stock exchange filing.

A simple Android lock screen bypass bug landed a researcher $70,000 • ZebethMedia

Google has paid out $70,000 to a security researcher for privately reporting an “accidental” security bug that allowed anyone to unlock Google Pixel phones without knowing the passcode. The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device’s data without having to enter the lock screen’s passcode. Hungary-based researcher David Schütz said the bug was remarkably simple to exploit but took Google about five months to fix. Schütz discovered anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system’s lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schütz described how he found the bug accidentally, and reported it to Google’s Android team. Android lock screens let users set a numerical passcode, password, or a pattern to protect their phone’s data, or these days a fingerprint or face print. Your phone’s SIM card might also have a separate PIN code set to block a thief from ejecting and physically stealing your phone number. But SIM cards have an additional personal unlocking code, or PUK, to reset the SIM card if the user incorrectly enters the PIN code more than three times. PUK codes are fairly easy for device owners to obtain, often printed on the SIM card packaging or directly from the cell carrier’s customer service. Schütz found that entering a SIM card’s PUK code was enough to trick his fully patched Pixel 6 phone, and his older Pixel 5, into unlocking his phone and data, without ever visually displaying the lock screen. He warned that other Android devices might also be vulnerable. Since a malicious actor could bring their own SIM card and its corresponding PUK code, only physical access to the phone is required, he said.
“The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” said Schütz. Google can pay security researchers up to $100,000 for privately reporting bugs that could allow someone to bypass the lock screen, since a successful exploit would allow access to a device’s data. The bug bounty rewards are high in part to compete with efforts by companies like Cellebrite and Grayshift, which rely on software exploits to build and sell phone cracking technology to law enforcement agencies. In this case, Google paid Schütz a lesser $70,000 bug bounty reward because while his bug was marked as a duplicate, Google was unable to reproduce — or fix — the bug reported before him. Google fixed the Android bug in a security update released on November 5, 2022 for devices running Android 10 through Android 13. You can see Schütz exploiting the bug in his video below.

Hackers start leaking health data after ransomware attack • ZebethMedia

Medibank has urged its customers to be on high alert after cybercriminals began leaking sensitive medical records stolen from the Australian health insurance giant. A ransomware group with ties to the notorious Russian-speaking REvil gang began publishing the stolen records early Wednesday, including customers’ names, birth dates, passport numbers, and information on medical claims. This comes after Medibank refused to pay the ransom demand, saying, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.” The cybercriminals selectively separated the first sample of Australian breach victims into “naughty” and “good” lists, with the former including numerical diagnosis codes that appeared to link victims to drug addiction, alcohol abuse, and HIV, according to Agence France-Presse. For example, one record carries an entry that reads “F122,” which corresponds with “cannabis dependence” under the International Classification of Diseases published by the World Health Organization. It’s also believed the leaked data includes the names of high-profile Medibank customers, which likely includes senior Australian government lawmakers, like prime minister Anthony Albanese and cybersecurity minister Clare O’Neil. The portion of data leaked so far, seen by ZebethMedia, also appears to include correspondence of negotiations between the cybercriminals and Medibank CEO David Koczkar. Screenshots of WhatsApp messages suggest that the ransomware group also plans to leak “keys for decrypting credit cards” despite Medibank’s assertion that no banking or credit card details were accessed. “Based on our investigation to date into this cybercrime we currently believe the criminal did not access credit card and banking details,” Medibank spokesperson Liz Green told ZebethMedia in an emailed statement on Wednesday, deferring to the company’s blog post.
The cybercriminal gang behind the Medibank ransomware attack, whose identities are not known but who have relied on a variant of REvil’s file-encrypting malware, has so far leaked the personal details of around 200 Medibank customers, a fraction of the data that the group claims to have stolen. Medibank confirmed on Tuesday that the cybercriminals had accessed roughly 9.7 million customers’ personal details and health claims data for almost 500,000 customers.

What should victims do?

In light of the data leak, which exposed highly confidential information that could be abused for financial fraud, Medibank and the Australian Federal Police are urging customers to be on high alert for phishing scams and unexpected activity across online accounts. Medibank is also advising users to ensure they are not re-using passwords and have multi-factor authentication enabled on any online accounts where the option is available. Medibank also launched a “cyber response support package” for affected customers, Medibank’s Green told ZebethMedia. This includes hardship support, identity protection advice and resources, and reimbursement of government ID replacement fees. The health insurance giant is also providing a wellbeing line, a mental health outreach service, and personal duress alarms. Australia’s federal police are investigating the breach in collaboration with agencies from around the Commonwealth, as well as from the other members of the “Five Eyes” group of intelligence-sharing governments, including the U.K., U.S., Canada, and New Zealand.
Operation Guardian, the Australian government’s response to the recent wave of cyberattacks that began with the data breach at telco giant Optus, will be extended to Medibank to protect its customers from “financial fraud and identity theft.” “Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” said AFP Assistant Commissioner Cyber Command Justine Gough. “Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank Private data.”

What’s next?

In its latest update, Medibank is bracing for the situation to worsen, saying that it “expects the criminal to continue to release files on the dark web.” On its dark web leak site, the cybercriminals said they planned to “continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.” Medibank says it will continue to contact all affected customers with specific advice and details of what data the attackers have accessed. However, customers at a heightened risk of being targeted by fraudulent emails should ensure that emails are coming from Medibank. Medibank said it would not ask for personal details over email. If in doubt, don’t click any links. It’s not yet known whether Medibank customers will receive compensation following the breach or whether Medibank will face action for failing to protect users’ confidential medical data. The breach comes just weeks after Australia confirmed an incoming legislative change to the country’s privacy laws, following a long process of consultation on reforms. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches and give greater powers to the Australian information commissioner.
Two law firms also said on Tuesday that they are investigating whether Medibank had breached its obligations to customers under the country’s Privacy Act. The firms, Bannister Law and Centennial Lawyers, will investigate whether Medibank breached their privacy policy and the terms of their contract with customers and will also assess whether damages should be paid as a result of the breach.

H-1B worker layoffs, cyber risk quantification, SaaS whiplash • ZebethMedia

Dear Sophie,

I was laid off and I’m on an H-1B. I have enough savings to survive for a while. What should I do if I have been let go from my job? I am on an H-1B, have an approved I-140 and an I-797 that expires in March 2024. If I have to leave the U.S., can my current I-797 be transferred to my next employer? Are there any issues I should be aware of?

— Upended & Unemployed

The seasons won’t change for another 43 days, but in San Francisco, it already feels like winter. As an offshore weather system brings gusts and downpours, local employers like Twitter, Lyft, Stripe, Brex, Opendoor and Chime are laying off thousands of employees. This week, Meta will reportedly announce the first large-scale staff cuts in its history.

For tech workers who are immigrants, this is an especially fraught time, as their ability to remain in the U.S. is conditional on their employment. Most visa holders have a 60-day grace period after an unexpected layoff, but with thousands of skilled workers hitting the market at once, the clock is ticking. We usually run Silicon Valley-based immigration attorney Sophie Alcorn’s column on Wednesday, but in light of current events, we ran it yesterday (without a paywall). First order of business: if you’ve been impacted, don’t delay. Start looking now for a new position, and tell everyone in your network that you’re open to work. “At a job interview, be direct about your need to transfer your H-1B to a new employer. If the company is not willing to sponsor you, move on,” advises Sophie. “Ideally, you should accept a job offer no more than 45 days into your 60-day grace period unless you have applied for another fallback status because it can take several weeks to prepare and file the H-1B transfer.” Brace yourself: more layoffs are coming.
Update your resume, save as much money as you can, and most importantly — don’t panic.

Thanks for reading,
Walter Thompson
Editorial Manager, ZebethMedia+
@yourprotagonist

2023 will be the year of cyber risk quantification

Myriad factors determine a company’s valuation, and cybersecurity is one of them. Public companies that experience a breach tend to see a -3.5% drop in stock value after the news goes public. That’s why cyber-risk quantification (CRQ) “has slowly grown from a nice-to-have to become the foundation for addressing the most critical concerns about a business’ cybersecurity posture,” writes John Chambers, founder and CEO of JC2 Ventures.

How ButcherBox bootstrapped to $600M in revenue

Mike Salguero at ButcherBox’s dry ice factory

Grocery delivery service ButcherBox ran a Kickstarter campaign in 2015 to identify customers who wanted to receive 100% grass-fed beef. Since then, the company “has seen $600 million worth of revenue without taking a penny of external investment,” reports Haje Jan Kamps, who spoke to CEO and co-founder Mike Salguero about how the founding team bootstrapped their D2C startup. “I was meeting meat farmers in parking lots, buying a couple of trash bags full of meat — I’m sure that didn’t seem sketchy at all,” he said. “But it was too much meat for my freezer, so I ended up selling the excess meat to friends or people I was working for.”

New data show how SaaS founders have been dealing with whiplash from public markets

According to OpenView Venture Partners’ 2022 SaaS benchmarks report, “an overwhelming majority of respondents are slashing spending regardless of cash runway.” In this year’s survey, which covered 660 companies, OpenView operating partner Kyle Poyar and senior director of growth Curt Townshend found that “the rule of 40 is back,” as the need to generate profits has overtaken investors’ obsession with growth.
“Achieving 40 each quarter is not required,” they concluded. “But it is required to have a grasp on what caused a drop or spike, and what can be done to get to 40 long term.”

How to land investors who fund game-changing companies

A SaaS startup can conceivably find product-market fit within a few months of launching, but companies that work with hardware and robotics may wander in the pre-revenue wilderness for years. To learn more about how investors approach risk when it comes to emerging technology, Tim De Chant moderated a panel at ZebethMedia Disrupt with Milo Werner (general partner, The Engine), Gene Berdichevsky (co-founder and CEO, Sila) and Erin Price-Wright (partner, Index Ventures). “Hire people to do the technical stuff,” said Berdichevsky. “Keep an eye on it, but then go learn the other pieces.”

Security automation startup Veriti launches out of stealth with $18.5M • ZebethMedia

Veriti, a platform for unifying cybersecurity infrastructure, today emerged from stealth with $18.5 million in funding, a combination of $12 million from Insight Partners and a $6.5 million round led by NFX and Amiti. According to CEO Adi Ikan, the newly announced capital is being put toward scaling Veriti’s business operations and developing its product suite. Veriti’s launch comes as VCs continue to show enthusiasm for cybersecurity startups despite the generally unfavorable funding climate. According to PitchBook data, venture capital investments in the security sector this year eclipsed $13.66 billion — up from $11.47 billion in 2020. And the global cybersecurity market is projected to be worth over $500 billion by 2030. Founded in 2021 by Ikan and Oren Koren — both ex-Check Point executives — Veriti integrates with a company’s existing security stack to evaluate risk posture by analyzing security configurations, logs, sensor telemetry and threat intelligence feeds. The platform taps AI to identify which events might be impacting business uptime and present the root cause, as well as which security policy improvements need to be made to remediate the impacts. “Enterprise security posture is usually sub-optimal. This is due to many reasons, including tool sprawl, increased complexity, massive amounts of data and limited resources,” Koren told ZebethMedia in an email interview. “This is what inspired us to build Veriti’s platform — to address these complexities and help IT and security stay on top of this challenge.” Koren makes the case that Veriti can augment security teams’ efforts in spotting security gaps, ultimately reducing the time spent on monitoring and maintenance tasks. The growing number of security solutions in organizations can introduce complexity because each solution has its own functions and tools to learn, he argues, while the volume of alerts issued by the solutions ends up creating murky visibility into the actual security posture.
Koren isn’t exactly an unbiased source. But he’s not the only one who’s observed these troubling trends in enterprise security. One recent survey of over 800 IT professionals found that almost 60% were receiving over 500 cloud security alerts per day, and that the alert fatigue created by the volume caused 55% to miss critical alerts on either a daily or weekly basis. “While affording more expansive security capabilities, the proliferation of security solutions creates room for misconfigurations that can result in inadvertent security gaps and adversely impact the business by blocking legitimate applications and users,” Ikan said via email. “IT and security leadership today have a poor idea of the true utilization of security investments and of the effective security posture of their organizations.” Veriti’s challenge will be demonstrating that its approach is superior to the other security posture-analyzing platforms on the market. Rival vendor Secureframe provides a service that integrates with cloud providers and apps to understand its customers’ security postures. Hunters, another competitor, aims to automate the threat-hunting process by taking in data from networking and security tools to detect stealth attacks. It’s very early days for Veriti — Koren wouldn’t reveal the size of the company’s customer base or current revenue. But he’s betting that Veriti’s tech expertise will help it stand out from the pack. “By leveraging modern techniques like machine learning, focusing on automation, we aim to provide a way for modern teams to maximize security posture while minimizing issues that impact business uptime,” he said. As the idiom goes: time will tell.

UK government is scanning British internet space for zero-day threats • ZebethMedia

The U.K.’s National Cyber Security Centre has launched a new program that will continually scan every internet-connected device hosted in the United Kingdom for vulnerabilities to help the government respond to zero-day threats. The NCSC, part of the Government Communications Headquarters that acts as the U.K.’s public-facing technical authority for cyber threats, says it launched the initiative to build a data-driven view of “the vulnerability and security of the U.K.” It’s similar to efforts by Norway’s National Security Authority, which last year saw the agency look for evidence of exploitation of Microsoft Exchange vulnerabilities targeting internet users in the country. Slovenia’s cybersecurity response unit, known as SI-CERT, also said at the time that it was notifying potential victims of the Exchange zero-day bug in its internet space. The NCSC’s scanning activity will cover any internet-accessible system that is hosted within the U.K., the agency explains, and will hunt for vulnerabilities that are common or particularly important due to widespread impact. The NCSC says it will use the data collected to create “an overview of the U.K.’s exposure to vulnerabilities following their disclosure and track their remediation over time.” The agency also hopes the data will help to advise system owners about their security posture on a day-to-day basis and to help the U.K. respond faster to incidents, like zero-day vulnerabilities that are under active exploitation. The agency explains that the information collected from these scans includes any data sent back when connecting to services and web servers, such as the full HTTP responses, along with information for each request and response, including the time and date of the request and the IP addresses of the source and destination endpoints. It notes that requests are designed to collect the minimum amount of information required to check if the scanned asset is affected by a vulnerability. 
If any sensitive or personal data is inadvertently collected, the NCSC says it will “take steps to remove the data and prevent it from being captured again in the future.” The scans are performed using tools running from inside the NCSC’s dedicated cloud-hosted environment, allowing network administrators to easily identify the agency in their logs. U.K.-based organizations can opt out of having their servers scanned by the government by emailing the NCSC a list of IP addresses they want excluded. “We’re not trying to find vulnerabilities in the U.K. for some other, nefarious purpose,” explained Ian Levy, the NCSC’s outgoing technical director, in a blog post. “We’re beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we’re doing (and why we’re doing it).”

2023 will be the year of cyber-risk quantification • ZebethMedia

CRQ is the hottest thing in cybersecurity right now

John Chambers is the founder and CEO of JC2 Ventures. Previously, he served as executive chairman and CEO of Cisco.

Geopolitical tensions, supply chain challenges, an economic slowdown, an ongoing pandemic and more have meant that companies and people have been impacted in ways that will change how business will be conducted for many years to come, and the ripple effects of these converging variables will be felt for a long time. As headlines continue to be dominated by increasing interest rates, businesses must ensure their budget is being spent efficiently. But despite the economic downturn, the cybersecurity and AI industries have grown steadily over the past 18 months or so. Cybersecurity is critical to businesses’ revenue, growth, reputation and overall function. But are we doing everything to manage the level of risk that exists in our hyperconnected world, or is there a missing link?

Cybersecurity is growing more crucial every year

A Nasdaq report suggests that 14 market days after a breach becomes public, the average share price of a company bottoms out and underperforms by -3.5% on the stock exchange. An even more alarming data point is that businesses accrue more than 50% of post-breach damages as long-tail costs. More specifically, 31% of expenses are accrued in the second year, and 24% are accrued more than two years after the breach in highly regulated industries. Still, 29% of CEOs and CISOs and 40% of Chief Security Officers admit their organizations are unprepared for the rapidly changing threat landscape.

AstraZeneca password lapse exposed patient data • ZebethMedia

Pharmaceutical giant AstraZeneca has blamed “user error” for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told ZebethMedia that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said. Some of the data related to AZ&ME applications, which offer discounts to patients who need medications. ZebethMedia provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later. In a statement, AstraZeneca spokesperson Patrick Barth told ZebethMedia: “The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations.” Barth declined to say for what reason patient data was stored on a test environment, and if AstraZeneca has the technical means, such as logs, to determine if anyone accessed the data and what, if any, data was exfiltrated. Credentials, like usernames and passwords, that are exposed or inadvertently published to sites like GitHub are an increasingly common discovery for security researchers like SpiderSilk’s Hussein. In the past few years, the startup has discovered exposed data belonging to Samsung, the controversial facial recognition startup Clearview AI, and the since-rebooted movie subscription service MoviePass.
In August, Hussein discovered credentials belonging to Microsoft employees that had been posted inadvertently to GitHub, which Microsoft owns. “This isn’t the first time we’ve come across leaked credentials put on Github by engineers due to human error, and it just keeps happening across the board,” Hussein told ZebethMedia. “The risk in these accidental leaks is that they occur randomly, and the exploitation path is often straightforward (i.e. making threat actors’ jobs easier).”

India metro smart cards vulnerable to ‘free top-up’ bug • ZebethMedia

A smart card bug lets anyone ride the metro for free

India’s mass rapid transit systems — or metro, as it’s known locally — rely on commuter smart cards that are vulnerable to exploitation and allow anyone to effectively travel for free. Security researcher Nikhil Kumar Singh discovered a bug impacting Delhi Metro’s smart card system. The researcher told ZebethMedia that the bug lies in the top-up process and allows anyone to recharge the metro train’s smart card as many times as they want. Singh told ZebethMedia he discovered the bug after inadvertently getting a free top-up on his metro smart card using an add-value machine at a Delhi Metro station. The bug exists, Singh says, because the metro recharge system does not properly verify payments when a traveler credits their metro smart card using a station add-value machine. He said that the lack of checks means a smart card can be tricked into thinking it was topped up even when the add-value machine says that the purchase failed. A payment in this case is marked as pending, and subsequently refunded, allowing the person to effectively ride the metro for free. “I tried it on Delhi Metro’s system and was able to get a free recharge,” Singh told ZebethMedia. “I still have to initiate a recharge by paying for it using PhonePe or Paytm, but because the recharge still remains pending, it will be refunded after 30 days. That is why it is technically free,” he said. Singh shared with ZebethMedia a proof-of-concept video he recorded in February showing how a smart card can be duped into adding value to a Delhi Metro card. After better understanding the bug, the researcher reached out to the Delhi Metro Rail Corporation (DMRC) a day later. In response, the DMRC asked Singh to share the details of the bug over email, which he did, along with a technical report and a log file demonstrating the bug in action, which ZebethMedia has seen.
On March 16, Singh received a boilerplate reply, acknowledging the receipt of his email, but did not receive any further responses. Singh told ZebethMedia that the issue, which has not been fixed, exists in the smart cards themselves. Delhi Metro relies on MiFare DESFire EV1 smart cards manufactured by Dutch chipmaker NXP Semiconductors. Other metro systems, including Bengaluru, also use the same smart card system. “If the technical infrastructure is the same in other state metro trains, then this bug will work there too,” Singh told ZebethMedia. It’s not the first time security researchers have found issues with the same brand of smart cards. Past research found similar vulnerabilities affecting the same DESFire EV1 smart cards that Delhi Metro uses, as well as other European mass transit systems. In 2020, MiFare introduced the DESFire EV3 as its contactless solution with better security. Singh suggested that the smart card bug could be fixed if the metro systems migrate to DESFire EV3 cards. Three DMRC spokespeople did not answer multiple emails seeking comment. When reached, a spokesperson for NXP (via agency) was unable to provide comment by the time of publication. Bengaluru Metro Rail Corporation, the body responsible for the city’s metro service, also did not comment.
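The failure mode the article describes (the card is credited before the payment is confirmed, so a pending-then-refunded payment still leaves value on the card) is a payment-ordering defect rather than anything exotic. The following is an added, simplified Python model written for this page; it is not DMRC, NXP or the researcher’s code, and all card IDs, amounts and gateway references are constructed. It contrasts a flawed add-value flow that writes the credit first with a hardened one that credits only on a confirmed SUCCESS, credits each gateway reference once, and can claw back a credit whose payment is later refunded.

```python
"""Simplified model of a transit-card add-value flow (constructed example).

Flawed flow: credit the card, then look at the payment result. A PENDING or
FAILED payment is reported as a failure but the credit is never rolled back.
Hardened flow: credit only on SUCCESS, once per gateway reference, and
reconcile later refunds against the credit that was issued.
"""
from dataclasses import dataclass, field
from enum import Enum


class PayStatus(Enum):
    PENDING = "pending"
    SUCCESS = "success"
    FAILED = "failed"
    REFUNDED = "refunded"


@dataclass
class Payment:
    ref: str           # gateway transaction reference (constructed)
    amount: int        # whole rupees (constructed)
    status: PayStatus


@dataclass
class Card:
    uid: str
    balance: int = 0
    # gateway references already credited, so one payment cannot be credited twice
    credited_refs: set = field(default_factory=set)


def vulnerable_topup(card: Card, payment: Payment) -> bool:
    """Flawed ordering: the credit is written before the payment is verified.
    The machine then reports failure for a non-SUCCESS payment, but the card
    keeps the value, which is the behaviour the article describes."""
    card.balance += payment.amount
    if payment.status != PayStatus.SUCCESS:
        return False   # "purchase failed" on screen, but no rollback
    return True


def hardened_topup(card: Card, payment: Payment) -> bool:
    """Credit only when the gateway has confirmed SUCCESS, and only once per
    gateway reference. PENDING, FAILED and REFUNDED leave the balance alone."""
    if payment.status != PayStatus.SUCCESS:
        return False
    if payment.ref in card.credited_refs:
        return False   # replay of an already-credited reference
    card.credited_refs.add(payment.ref)
    card.balance += payment.amount
    return True


def reconcile_refund(card: Card, payment: Payment) -> int:
    """Back-office check: if a payment that was credited later flips to
    REFUNDED, reverse the credit. Returns the amount actually reversed."""
    if payment.status == PayStatus.REFUNDED and payment.ref in card.credited_refs:
        card.credited_refs.discard(payment.ref)
        reversal = min(payment.amount, card.balance)
        card.balance -= reversal
        return reversal
    return 0


def demo_vulnerable() -> int:
    """A pending payment that is refunded after a timeout still leaves value."""
    card = Card(uid="card-A")
    pending = Payment(ref="txn-1", amount=200, status=PayStatus.PENDING)
    vulnerable_topup(card, pending)        # reports False, but balance is 200
    pending.status = PayStatus.REFUNDED    # gateway refunds the pending payment
    return card.balance                    # unpaid credit remains


def demo_hardened() -> int:
    """Pending is refused, success is credited once, a replay is refused."""
    card = Card(uid="card-B")
    pay = Payment(ref="txn-2", amount=200, status=PayStatus.PENDING)
    hardened_topup(card, pay)              # refused: not confirmed
    pay.status = PayStatus.SUCCESS
    hardened_topup(card, pay)              # credited
    hardened_topup(card, pay)              # replay refused
    return card.balance


if __name__ == "__main__":
    print("vulnerable flow leaves balance:", demo_vulnerable())
    print("hardened flow leaves balance:", demo_hardened())
```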
