To Hack an Uber

by Armando Pantoja

Despite the hacked accounts and lackluster security that have plagued Uber for most of the past year, surprisingly, more and more people keep joining.

One big reason is that Uber gives new users $25 to $50 in free rides on their first use of the system.

One afternoon, I decided to take advantage of this offer and took a ride from my home to the gym.  It was pretty cool - the driver who picked me up was a younger guy and we spent the ride talking about the future of technology (one of my favorite subjects).  I actually love the concept of Uber.  I cannot say this about its security.

Being a software engineer and being obsessed with security, I could not stop thinking about Uber's offer.  How did they uniquely identify each user and stop one from using the free rides over and over?  When I got home, I started researching.

The Uber app, like most applications, uses an International Mobile Equipment Identity (IMEI), a unique 15-digit number assigned to all cellular devices.  Unfortunately for Uber, this number can be changed/spoofed programmatically.

One needs a rooted Android device and three applications: the Xposed Framework, CardGen, and IMEI changer (all available on Google Play).

After downloading all three, install each and restart the phone.

Open the IMEI changer.  It lets one modify the IMEI number the phone exposes at will, including setting it to a random number.

The last digit of the IMEI is a check digit calculated according to the Luhn formula, but from my research as of this article, Uber does not even check the validity of the IMEI, although this may change in the future.

If a valid IMEI is needed, one can go online and find an IMEI generator.

Now, all that remains is clearing the Uber app's data cache and registering a new account.

When adding a payment method, choose the credit/debit card option.  Open CardGen and generate a new card number.  Enter any valid year, month, and CVV code.  Uber does not check the validity of this either, which I found strange.

Find a Promo Code, claim it in the app, and one will have a free ride every time.

As I have not tried this method with Uber, in theory this entire process can be repeated unlimited times.

In my opinion, Uber needs much better security as it grows.  Two simple checks, neither of which Uber does, would make this hack harder to complete: validating the IMEI number and validating the credit card number.
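The two checks recommended above, written out as an added example (this is not Uber's code and not part of the original article): a Luhn validator applied to a 15-digit IMEI and to a 13-to-19-digit card number, plus a hypothetical registration-time gate that reports why a submission would be rejected.

```python
"""Luhn check-digit validation for IMEI and payment card numbers.

Added illustration of the validations the article says are missing;
it is not Uber's code and not part of the original article.
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Walking from the rightmost digit (the check digit) leftwards, every
    second digit is doubled and 9 is subtracted from doubled values above
    9 (the same as summing their digits). The number is valid when the
    total is divisible by 10.
    """
    if not digits or not digits.isdigit():
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_imei(imei: str) -> bool:
    """An IMEI is exactly 15 digits, the last of which is the Luhn check digit."""
    imei = imei.replace(" ", "").replace("-", "")
    return len(imei) == 15 and luhn_valid(imei)


def valid_card_number(pan: str) -> bool:
    """Card numbers are 13 to 19 digits (ISO/IEC 7812) and Luhn-checked."""
    pan = pan.replace(" ", "").replace("-", "")
    return 13 <= len(pan) <= 19 and luhn_valid(pan)


def registration_problems(imei: str, pan: str) -> list:
    """Hypothetical server-side gate run before a promotional credit is
    granted: returns the reasons to reject the submission, empty if none."""
    problems = []
    if not valid_imei(imei):
        problems.append("imei: not 15 digits or check digit does not match")
    if not valid_card_number(pan):
        problems.append("card: length outside 13-19 digits or Luhn check failed")
    return problems
```

Luhn only rejects malformed numbers, so this is a floor against random or mistyped values, not a fraud control on its own; a number built to satisfy the check digit, as the article notes is possible, passes it.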

It seems lazy and scary that a company does not have these basic security checks as it grows fast and is storing millions of user records.  One can assume that Uber is plagued with security concerns, if even the smallest of validation is left unchecked.
