Stealing Bicycles by Swapping QR Codes

This is a clever hack against those bike-rental kiosks:

They’re stealing Citi Bikes by switching the QR scan codes on two bicycles near each other at a docking station, then waiting for an unsuspecting cyclist to try to unlock a bike with his or her smartphone app.

The app doesn’t work for the rider but does free up the nearby Citi Bike with the switched code, where a thief is waiting, jumps on the bicycle and rides off.

Presumably they’re using cameras, printers, and stickers to swap the codes on the bikes. And presumably the victim is charged for not returning the stolen bicycle.

This story is from last year, but I hadn’t seen it before. There’s a video of one theft at the link.

Posted on February 21, 2022 at 6:31 AM. 25 Comments.

Comments

Ted February 21, 2022 8:06 AM

This is very unfortunate. I’m surprised Citi Bike would charge customers $1,200 for a missing bicycle under these circumstances – especially since it’s their system design that opens the door to this sort of abuse. QR codes are known to be tamperable.

It looks like there are other ways to unlock bikes. Knowing what I know, I would not want to scan a QR code, if at all possible.

Here’s someone reporting a vandalized QR code to Citi Bike.

https://twitter.com/richmintz/status/1476949498693931008

John February 21, 2022 8:08 AM

Hmm….

I liked the fake QR code on parking meter scam.

You click, pay for parking to the wrong URL.

I guess that scam is moving up the food chain.

John

Owen February 21, 2022 8:57 AM

They used to do it by peeling off the QR code sticker, which was much simpler. Citibike switched to tamper-proof stickers.

Clive Robinson February 21, 2022 8:58 AM

@ ALL,

QR Codes in an uncontrolled environment have always been a very bad idea.

Because they lock the human out of the transaction loop, so the human has no ability to tell if they are being defrauded in some way.

Oh, the same is true for those payment systems using NFC etc. The human is “not in the loop”, thus can be and in some cases is being defrauded.

A similar issue exists with “travel cards” where you have to “tap out”.

Transport for London has been making a nice amount of “penalty fares” that are “auto deducted” when you tap out on the wrong point. The problem is in some places you cannot tell which are “tap in”, “tap out” or “tap2change” from say trams to trains…

As I identified back in the last century, you MUST KEEP the human in the transaction loop. Failing to do so just opens the door to crime.

Remember no matter how clever you are as a system designer, there is always going to be,

1, Failings in the implemented system.
2, Crooks clever enough to find and exploit them.

Just don’t say you were never warned about it.

Clive Robinson February 21, 2022 9:16 AM

@ ALL,

There is a fundamental failing in humans at all levels and it’s something that completely undermines all security systems, oh and gets people killed by meta-data…

There is a fundamental disconnect between,

1, Physical objects.
2, Information objects.

The two are not the same nor ever can be.

Information is “impressed or modulated” on matter or energy for human convenience as we are physical entities. But information is neither matter nor energy.

To see this, your name is an information object, but your body is a physical object. No matter how hard you look, you will find nothing in your body that links you to your name.

The US used to send in drone strikes to where a mobile phone was being used, to unlawfully kill political and other leaders they did not like. The problem is a phone and its electronic serial numbers are “Not the Person” but also these days those electronic serial numbers are “Not the Phone”.

So remember,

1, The QR code is not the information
2, The sticker/plate the QR code is printed on is not the information.
3, The physical object the sticker/plate is attached to is not the information.

So the information object cannot be in any way the physical object, and there is no way to actually securely link them. That is, they can all be tampered with in some way.

tim February 21, 2022 9:33 AM

Because they lock the human out of the transaction loop, so the human has no ability to tell if they are being defrauded in some way.

Because humans -never- defraud other humans face to face. Humans being so good at detecting fraud face to face, after all.

/s

JonKnowsNothing February 21, 2022 9:34 AM

@Clive @All

re:
The US used to send in drone strikes to where a mobile phone was being used, to unlawfully kill political and other leaders they did not like. The problem is a phone and its electronic serial numbers are “Not the Person” but also these days those electronic serial numbers are “Not the Phone”.

I don’t think this is “past tense”.

There are US Citizens who have been bombed and US Citizens’ Children who have been bombed from extrajudicial interventions. The CIA is known to be part of or the director of the Kill Teams, using military personnel (Army, Air Force, Navy) but many do not know that the FBI and the DoD also work “over seas” directly for this purpose.

The old school mantra of CIA is overseas, FBI is domestic and the DoD watches for manufacturing defects, is blurred for these events.

afaik, a good number of them are unaccounted for or are held by accountable governments in unaccounted prisons.

Which is one reason the current Hole In The Wall is a ridiculous promotion from the US Security Apparatus. We bomb our own children, what’s the difference if we bomb yours?

ymmv You won’t hear the incoming until it arrives.

Clive Robinson February 21, 2022 11:52 AM

@ tim,

Because humans -never- defraud other humans face to face.

They do and have done for many millennia, so we have developed some detection abilities, even though we may not be very good at it[1].

But that is not quite the point.

Keeping humans out of the transaction means they can not see what is being transacted.

Your mobile phone screen says you are paying $5 for a coffee whereas the reality is you’ve just had $50 taken from your account electronically.

In short you could only see what the corrupt system told you, and not what it was saying to the bank. It by design did not allow you to actually check the transaction to the bank by getting inside the actual transaction loop.

There is a very big difference between,

1, You over trusting.
2, You being lied to.

[1] Most humans actually “over trust”, it turns out that even though over trusting has downsides especially for individuals, it actually has all sorts of upsides for society, thus survival of the species.

Clive Robinson February 21, 2022 12:07 PM

@ JonKnowsNothing,

I don’t think this is “past tense”.

I can only say what has been admitted to and what has been said in the past by senior members of the US Government and the MSM, because it cannot be kept hidden (US killing an Iranian Diplomat on their way to peace talks in Iraq).

But that is all past tense…

But what of what they have and will be able to do?

As they say, a leopard does not change its spots…

moz February 21, 2022 4:50 PM

Not convinced that the problem here is the disconnect between the information object and the real object. The problem is lack of active confirmation. Put a small flashing LED in a known place on the lock that’s holding the bike. Get the customer (or phone camera?) to check that the LED is flashing. Only when confirmed does the lock actually unlock. For extra security maybe flash with a synchronized code but that doesn’t really matter as long as the customer sees their own lock flashing at the right moment they know that their own bike is about to be unlocked.

Impossibly Stupid February 21, 2022 5:35 PM

@moz

Put a small flashing LED…

Just another hackable gatekeeper; look into credit card skimmers to see how creative fraudsters can get. There does need to be some sort of challenge-response process. How involved a human needs to be in that depends on the Citi Bike system, but it appears the bikes themselves are rather dumb (i.e., no direct pairing), so there’s a hard limit as to what kinds of security solutions are possible.

@Owen

Citibike switched to tamper proof stickers.

Hahahahahahaha. It’s a damn QR code! If the best the security wizards at Citibank can come up with to address this is making the sticker itself hard to remove, I plan to never let them near my money.

Clive Robinson February 21, 2022 7:00 PM

@ moz,

Put a small flashing LED in a known place on the lock that’s holding the bike. Get the customer (or phone camera?) to check that the LED is flashing.

Although not a good way to do it, it is “putting the human in the authentication loop”.

A better way would be to have an LCD show a four digit code the user has to type in.

Yes there are ways that this can be got around, but the cost to the attacker would be rather more than the gain of a “$3 ride”, which would probably stop the attacks.

The cost to Citi-Bike to have installed such a display originally would have been around $1 on BOM of components and probably $2 on the case changes to fit an LCD and protect it from being attacked with the likes of a screwdriver or other “mindless attack”.

As a “retro-fit” you are probably looking at more than $200 just for labour…
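The two flows being debated above, the current scan-and-unlock flow that swapped stickers defeat and the dock-displayed confirmation code, modelled as an added example; this is constructed illustration code, not Citi Bike’s system or any commenter’s, and the station layout, bike ids and the one-time four-digit code scheme are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of one docking station (assumption, not Citi Bike's design).
# Each slot holds a bike and carries a QR sticker encoding a bike id. The server
# only ever sees the scanned id, so the sticker is the sole link between the
# rider and the physical bike: exactly the weakness the post describes.


@dataclass
class Slot:
    bike_id: str                        # bike physically locked in this slot
    sticker_id: str                     # id encoded by the sticker currently attached
    display_code: Optional[str] = None  # one-time code shown on this slot's display


class Station:
    def __init__(self, bike_ids: List[str]) -> None:
        self.slots: Dict[str, Slot] = {b: Slot(bike_id=b, sticker_id=b) for b in bike_ids}
        self.unlocked: List[str] = []

    def swap_stickers(self, a: str, b: str) -> None:
        """The tampering the post describes: QR codes of two nearby bikes are exchanged."""
        sa, sb = self.slots[a], self.slots[b]
        sa.sticker_id, sb.sticker_id = sb.sticker_id, sa.sticker_id

    def scan(self, standing_at: str) -> str:
        """The rider scans the sticker on the bike in front of them; they get whatever it encodes."""
        return self.slots[standing_at].sticker_id

    # Vulnerable flow: the scanned id is trusted and that bike is released.
    def unlock_naive(self, scanned_id: str) -> str:
        self.unlocked.append(scanned_id)
        return scanned_id

    # Hardened flow: the unlock is bound to the dock that holds the bike the
    # server believes is being rented. The rider must be able to read its display.
    def begin_unlock(self, scanned_id: str) -> None:
        code = f"{secrets.randbelow(10_000):04d}"
        self.slots[scanned_id].display_code = code  # shown on that dock's display only

    def read_display(self, standing_at: str) -> Optional[str]:
        """What the rider can actually see: the display on the dock in front of them."""
        return self.slots[standing_at].display_code

    def finish_unlock(self, scanned_id: str, typed_code: Optional[str]) -> Optional[str]:
        slot = self.slots[scanned_id]
        expected, slot.display_code = slot.display_code, None  # code is single-use
        if expected is None or typed_code is None or not hmac.compare_digest(expected, typed_code):
            return None  # rider is not at the bike the QR code claims: refuse
        self.unlocked.append(scanned_id)
        return scanned_id


def swapped_scenario(hardened: bool) -> Optional[str]:
    """Thief swaps the stickers on bike-A and bike-B; the rider is standing at bike-A."""
    st = Station(["bike-A", "bike-B"])
    st.swap_stickers("bike-A", "bike-B")
    scanned = st.scan("bike-A")                  # the sticker now says "bike-B"
    if not hardened:
        return st.unlock_naive(scanned)          # bike-B is released where the thief waits
    st.begin_unlock(scanned)                     # code appears on bike-B's dock, not bike-A's
    return st.finish_unlock(scanned, st.read_display("bike-A"))  # nothing to type: refused


def honest_scenario() -> Optional[str]:
    """Untampered station: the hardened flow still releases the bike the rider scanned."""
    st = Station(["bike-A", "bike-B"])
    scanned = st.scan("bike-A")
    st.begin_unlock(scanned)
    return st.finish_unlock(scanned, st.read_display("bike-A"))
```

The refusal in the swapped case is also a detection signal: an unlock that starts but is never completed on a dock whose sticker was scanned elsewhere is worth logging by the operator.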

Neill February 22, 2022 12:33 PM

A software solution would be to have the headlight blink in a unique pattern ‘morse code’ and have the renter point his smartphone camera at the parked bikes – only the correct one can be pointed out onscreen

Mark Fenech February 23, 2022 1:39 AM

Criminals don’t even need to switch the codes. They simply need to paste the QR code (or copy) of the bike they plan to steal on another bike a few meters away and wait.

Australia February 26, 2022 3:07 PM

The most overt observation is yet to be disclosed here. This sort of theft is reprehensible. These bicycles are a community resource. Some places have cancelled their public bike programs because the users were too immature and selfish, trashing the bikes and acting as a public menace. I get that this is a security blog. But this type of so-called clever attack is just so terribly sad. C’mon people, can’t we do better? How far have we come in all these millennia? Oh, look at my clever flashing tech goods. How civilised.

Clive Robinson February 26, 2022 4:43 PM

@ Australia,

These bicycles are a community resource.

Err sorry, no they are not.

They are a corporate owned resource made available to those who can pay via the way the corporate wants to be paid.

The fact is the corporate wanted to spend so little money on the resource that their parsimony has led to “easy theft” due to their failings.

But… They then blame a customer for the corporate failure and threaten a huge fine…

As I’ve said above in reply to @moz,

https://www.schneier.com/blog/archives/2022/02/stealing-bicycles-by-swapping-qr-codes.html/#comment-400621

This problem was easily predictable, and if thought through originally quite low cost to prevent.

However now… The cost of labour alone on rectifying the problem means they are very unlikely to solve the problem correctly.

We’ve seen this before, two prime examples,

1, Banks were warned not to do things a certain way back in the 1990’s… They authenticated the communications channel badly, which allowed MITM attacks, then failed to authenticate the actual transactions with “the human in the loop” so money went missing. Worse, the banks only ever fractionally increased their security. The result was they “trained their attackers” and the banks’ customers got to pick up the cost…

2, A well known Satellite television service, that had “set-top boxes”, failed to adequately upgrade the security of their “smart-card” based system over ten times in succession. And it was not the technical people at the company who stopped it, but the police who arrested a couple of people who were allegedly the “brains” behind the “cracks”.

There are many other examples of corporates not taking security of their products seriously. In each case the extra amount of money they would have spent initially easily gets dwarfed by the subsequent cost of often impossible to do upgrades to stop attackers…

Australia February 27, 2022 1:04 AM

Thanks Clive. Okay, I see your point well.
I am thinking of the other sorts of bicycle programs offered by, for example, local councils. Corporate, yes, but funded and established specifically with a community-ethos in mind.

I lobbied councils in this country not to implement e-scooters.
I’ve witnessed first hand how dangerous they can be, and how irresponsible and reckless the users can be. Fortunately the councils appeared to be on notice that the companies offering the e-scooters were on par with Uber and Tesla with their accounting and business practices. To put it mildly. And continued to reject their licences to operate.

JonKnowsNothing February 27, 2022 8:30 AM

@Australia, @Clive, @All

re: Community v Corporate Bikes

There are quite a few problems and serious failures in bike programs and there isn’t any 1-size-fits-all solution.

In the US rules differ by community, rules differ by state and rules differ by federal systems.

Motorcycles aka Hogs are governed by the same rules as Automobiles, Trucks and Semi-Trucks (HGV).

Bicycles, that are person powered, are governed by the same rules and use the same roads and occupy the same traffic patterns.

Cycles that are mixed-use power like ebikes, golf carts, ATV-UTV all fall into a hodge-podge of rules and restrictions.

In some cases they are not allowed on the street or the designated bike lane and there are prohibitions of use on sidewalks or pedestrian-jogging-horse trails.

  • No mounted horse person has any desire to have a glass-pack motorbike running up towards them or even worse, from behind them.
  • No pedal powered bike wants an encounter with a car, which often is a fatal encounter.
  • No limited mobility person needs a “ticket infraction” for using an electric cart going to and from the grocery-market because they are “not allowed” in either the street, bike lane, or on the sidewalk.

A corporation subscribed bike scheme doesn’t solve any of this.

  • Bikes v Cars = The bike loses every time.
  • Fully Mobile v Less Mobile = The less mobile lose out across the board.
  • Mixed Use Road Systems v Dedicated Road Systems = Dedicated roads may separate traffic types but often have limited destinations.

The ultimate problem is:

How to Get from Here to There and Back Again Alive Using Different Methods of Travel

===

disclosure: pre-COVID I stopped riding my road-bike on the streets, even those that had marked bicycle lanes, because it was just too dangerous. Every year the Memorial Ghost Bike Ride was a sober reminder that a nice jaunt out to the countryside and back might not have a “back” part.

I opted for dedicated bike-jogging-walking paths instead (and the rare horse). Fortunately the area where I am has an extensive system of these paths but they are nothing at all like bicycling past miles and miles of orchards in bloom.

Search Terms

Ghost bike, ghostcycle, WhiteCycle

Road bicycle

Fresno County Blossom Trail:
Around mid-February each year, dramatic bursts of pink and white fluttering petals bloom along a driving path of nearly 70 miles. This breathtaking scene is known as the Fresno County Blossom Trail.

JonKnowsNothing February 27, 2022 7:35 PM

@Australia, @Owen, @All

re:… a large cluster of people at a ‘green man’. When a … ploughed into the group

Point to consider:

  • It doesn’t matter how large or small the group is, if you get Run Over it hurts or it kills you
  • It doesn’t matter what sort of machine runs over you it will hurt or kill you. It can even be a horse or herd of cows. (1)
  • Discourteous persons are by definition, not going to think of anyone but themselves. This happens with horse riders, bike groups, sports teams, or anywhere more than 1 person gathers. MMORPG games are notorious for “bad behavior” and “raiding groups” (6,12,24 players) carry the brunt of that notoriety.
  • Drugs, alcohol and impairing products affect everyone around the user. The user may be completely unaware of their surroundings. (2)

It does not excuse the behavior; it shows the scope of the problem is wider than people think. It’s not 1 person, it’s a significant percentage of the population.

fwiw:

  • I’ve been in a fair few horse wrecks and nearly all caused by someone thinking it was great fun to “scare the horse”. The local laws say “slow down for horse and rider”. People speed up. They lean on the horn. They might even try shooting at the horse. (3)
  • I’ve been in near miss bike wrecks too. Some car or truck attempting to “beat the light” stepping on the accelerator and hitting the intersection at 50mph. There’s also some odd magnetic force that a solo biker and a solo car will collide, with the car ending up on the wrong side of the road and the rider in hospital or morgue.

  • I’ve had my share of experience with intoxicated persons too. Even going the other way, doesn’t always work. Horses have 4Wheel Drive. Bikes are still 2Wheel Drive. On a horse, I can move away into rougher terrain, where on a bike my best shelter might be some store or shop (pre COVID) but many stores won’t let you bring a bike inside the mall and walking on bike-cleats makes you walk funny.

Laws by themselves don’t really solve the problem. There are plenty of laws against running lights, driving drunk, harassing and threatening people.

The “green WALK sign” is needed to alert pedestrians that a potential red light runner may happen. The new timing delays (USA) are intended to predict some car running the light and delay the pedestrians from entering the kill box.

People with dedicated walking paths and over or under passes may evade cars but they don’t evade the stalker waiting for a victim.

Society isn’t ready (yet) to counter the common narrative that “everyone should share the road”. People don’t share.

===

1) iirc (badly) one of the biggest causes of death for walkers-hikers on UK hiking ramble paths which cross into pasturage is getting trampled by cows in the field.

2) A very telling indicator of the extent of intoxication dependency, is that as HIP-RIP-LIVID policies roll back, the first places that people packed into were bars. The scope of alcohol dependency is staggering. The personal willingness to contract COVID and Pass It Along to others, in order to drink “plant based beer”, remains a paramount need among many groups. It is global in scope.

3) One of the scariest things you can come across on a horse trail is someone pushing a trail type baby buggy (trail stroller). They are silent, the people are silent, the horse goes into High Alert Mode as this huge unidentified object comes towards them. As prey animals, horses are always looking out for bears and a trail stroller looks like a bear in motion.

Clive Robinson February 27, 2022 11:14 PM

@ JonKnowsNothing, ALL,

It doesn’t matter what sort of machine runs over you it will hurt or kill you. It can even be a horse or herd of cows.

Have you ever considered what happens when a herd of cows, trample a car?

Quite a few years ago now, it happened to somebody I knew.

An approximate description from what Frankie Loughlin said over two decades ago.

Imagine four fields approximately in a square divided across by a railway track, and up and down a road. The railway went over a bridge and the road was “cut in” to get under it. As the arch only allowed for a single file of traffic there were traffic lights added.

So Frankie was driving home late one night from a gig he had been doing. He came up to the red light where he stopped and waited. He had heard a train horn as he drew up. Then he heard a drumming noise, as a spooked herd of cows went through the fence above and crashed down onto his car.

As wryly noted “One car to pancake by five tonnes of instantly very rare beef”. He was not just trapped inside he had multiple injuries and quite a few broken bones some of which were in his spine.

He was lucky in that somebody else came along almost immediately and the emergency services responded very rapidly. Also he was in Northern Ireland where at the time surgical teams were fairly expert with dealing with bombing victims, but even they were taxed by his multiple injuries.

Many thought he would not leave hospital, but Frankie was a bit bl@@dy minded and decided he was not only going to survive but thrive.

The hospital discharged him in a wheel chair, that many would not have got out of in his condition. But again by brute determination he got not just back on his feet but walking short distances. He was seen by other medical experts in London at the turn of the century who in various ways got him mobile on not just crutches, but one, then none over a period of a few years.

He got married and started a family… All against most peoples expectations.

I met Frankie through Pirate Radio and a school friend of mine Roger Howe, who supplied the FM transmitting equipment (at the time considered the best in the UK Pirate World and why he set up a company “Broadcast Warehouse” to sell world wide). Roger also had a determined attitude which is why his transmitter designs were stable, clean and did not cause interference with aircraft (a false claim repeatedly made by UK and Eire authorities in court back in the “Border-Blaster days” from “the mountain site” to try to get false convictions[1]). Roger also had an irreverent streak and called Frankie “Frank the Plank” for reasons not very clear. Frankie got OfCom licences for all of “the north” apart from Belfast and established the Q Network before selling the radio stations on to a major “Commercial Radio Network”. Sadly due to various events that happen in life I’ve lost contact with him, but hope he’s still doing well.

[1] OfCom employed Clive Corrie, who as far as I can tell instigated this perjury policy along with OfCom’s legal representative. Clive Corrie lied so much that eventually it was obvious to enough people that he was not just an embarrassment to OfCom and the UK Government, he was in fact a real liability.

JonKnowsNothing February 28, 2022 12:34 AM

@ Clive, @ALL

re: A very lucky fellow!

Car impacts with deer, horses and cattle are very often lethal.

Impacts I have known:

  • A woman was driving home from work thru a rural area. A very panicked deer came barreling over the hill and down to the roadway. The deer T-Boned into the driver’s side and the driver and deer were both killed from the impact. (Male deer have horns).
  • A horse in the barn got loose and ran out on the frontage street. Disoriented, the horse raced away from the barn and onto the busy transit roads. An oncoming car hit the horse square on to the front, flipping the horse onto the hood and thru the windshield, into the interior and then exited the rear window. The driver and horse were both killed.
  • Several friends were riding along a trail. This section of the trail bordered what was developed into a major high speed transit road to a major freeway in Silicon Valley. Originally it was a quiet road that became a central freeway access hub. The people in charge of changing the road from quiet 2 lanes to 8 lanes of high speed traffic refused to move or provide a safer path for the riders. Stanford U also locked their pasture access gates that allowed the riders to avoid that area. So riders had to go along this section for about half a mile until they could exit onto a quieter path. One of the riders was having difficulties with their horse so the friends swapped horses. When they got to this busy section “something” set off the horses. The fractious horse headed away from the road but the safe-and-sane horse jumped into the on-coming traffic. It was hit smack in the chest by a car. The impact and fall broke 2 legs and crushed the rib cage of the horse. The responding police officer with the permission of the owner, used his service revolver. The riders were ok but heart broken over the loss of their horse. The driver was OK too but their car was totaled. In California: horses have the right of way.

If an automated car cannot tell the difference between a person, bicycle, parked car and stalled vehicle, how much testing do you think they do for livestock or rampaging deer?

Clive Robinson February 28, 2022 5:09 AM

@ JonKnowsNothing,

… how much testing do you think they do for livestock or rampaging deer?

How close can you hold your thumb and forefinger together without actually touching?

I’d say “oh a smidgen less” would be overly generous.

The reason is “Lawyers”, if they test for “horses” and say “cows” and you hit a madly running Ostrich… The owner of the ostrich will go to court… And when “Luxury self drive maker X” lawyer says “Ostriches are not livestock” or equivalent, you just know it’s time to break out the popcorn as that will be followed by “the opening credits” on the show accompanied by the screech of a tortured fiddle chord of “The Devil went down to …” whatever state it is.

Because someone is about to be played harder than a cheap fiddle at an Ozark Ho-Down.

oanlena April 14, 2022 3:30 PM

Thank you for bringing this up. After a few days of searching for current material on this subject, I came across this page: one page essay and now I’m satisfied because I’ve finally arrived at your destination.
In addition to your basic writing style, I like how you present and discuss all of the facts.
