Ethical hackers alert Yulu bikes of 'free ride option'

A Yulu e-bike in front of Vidhana Soudha in Bengaluru on Monday, 12 August 2019. Photo by Janardhan B K

A white hat hacking attempt on Yulu, the city’s popular bike-sharing system, by researchers of a Bengaluru-based startup has discovered a “vulnerability” that allows access to the bikes “without paying”.

The bike-sharing system, which was set up only a few months ago, is gaining popularity in the city, with hundreds of customers using it every day. On Saturday, the startup’s ethical hackers sounded an alert about the security threat to the system, which had been running smoothly so far.

After downloading the Yulu app from the Google Play Store, every user must first top up the Yulu wallet with a mandatory security deposit of Rs 100 before beginning a ride. But researchers of Viga Entertainment Technology Pvt Ltd, a real-time technology company working in advanced filmmaking, found, as part of ethical hacking, a “vulnerability” in the system that allows access to the bikes without having to pay.

The company claimed that it was an attempt at white hat hacking, made purely out of curiosity, to help Yulu improve the security of the application by exposing vulnerabilities before malicious hackers (known as black hat hackers) can detect and exploit them.

Sujay H G, chief operations officer of the company, who happened to be a frequent user of Yulu, was curious to understand how the bike-locking system works. Without revealing too many technical details, he explained that Yulu’s application uses a “simple encryption”. “Their system uses a basic encryption that is visible in the logs. It makes it extremely easy to decrypt and gain access to the bike using a Bluetooth stack as the application works based on a GPRS-Bluetooth technology.”

The company has got in touch with Amit Gupta, chief executive officer of Yulu, through Twitter. “We will explain to them the technicalities of the flaws and help them fix it,” Gadhadar Reddy, CEO, Viga Entertainment Technology, said.

Yulu’s Gupta told DH: “I hope the intention of the specialists who discovered a vulnerability in our application is good. I got in touch with them on Saturday. We are yet to discuss the flaws they discovered.”
