The app is, however, able to see if the bits are turned on or not, he added, saying that this gives a good indication whether the system is vulnerable. "But you won't be able to check the back end," Benninger said.
The vulnerability could be fixed relatively easy, according to the researchers. Transit companies could use a more secure chip, or adjust their back-end systems to make sure the bits in the cards are turned on when travel units are used, they said.
"Our purpose is not to rub anybody's nose in," said Sobell. "We just want to raise awareness for an issue that potentially could affect many systems."
Sign up for Computerworld eNewsletters.