An adjusted version of the UltraReset app, dubbed UltraCardTester, was made available for download by the researchers on Thursday to enable people to test their local transit system's security. UltraCardTester has the same abilities as UltraReset but isn't able rewrite the card. The function was taken out so people don't abuse it, Benninger said.
The app is, however, able to see if the bits are turned on or not, he added, saying that this gives a good indication whether the system is vulnerable. "But you won't be able to check the back end," Benninger said.
The vulnerability could be fixed relatively easy, according to the researchers. Transit companies could use a more secure chip, or adjust their back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.
"Our purpose is not to rub anybody's nose in," said Sobell. "We just want to raise awareness for an issue that potentially could affect many systems."