**Reverse Engineering Lyft Bikes for Fun (and Profit?)**

As a journalist, I'm thrilled to share with you the fascinating story of how one individual spent their summer reverse engineering Lyft's private API, bypassing SSL encryption, and even making a profit in the process. Buckle up, folks!

**The Quest Begins**

It all started on a chilly San Francisco morning in Haight-Ashbury, when our protagonist noticed that someone had taken the last Lyft bike – again! "I should just wake up 15 minutes earlier," they thought, before proceeding to spend the next month exploring Lyft's inner workings.

**Goal: Remotely Unlock a Lyft Bike**

The goal was simple: remotely unlock a Lyft bike using nothing but an iPhone and some creative coding. To achieve this, our hero employed Charles Proxy, a tool that allows for SSL traffic decryption and manipulation. With Charles up and running, the app's encrypted requests could be captured, read, and re-encrypted in transit.

**The Ephemeral Certificate Conundrum**

To decrypt the SSL traffic, Charles needed to inject its own ephemeral certificates during the SSL handshake. This ensured that both sides of the communication were secured with keys controlled by Charles, allowing for decryption and re-encryption. Sounds like a man-in-the-middle attack? Well, it's consensual – our hero had explicitly allowed Charles to intercept their traffic!

**Unraveling the Unlock Request**

After capturing the app's requests, our protagonist discovered that the unlock request used a "rent" endpoint with the following structure:

```
{
  "bikeId": int,
  "authToken": str,
  "userLocation": { "lat": float, "lon": float }
}
```

**Brute-Force Time!**

With the bike ID structure in hand, our hero realized that brute-forcing was the way to go. Since only IDs between 10000 and 20000 were used, a simple loop could unlock any bike. Of course, this wasn't efficient – a naive implementation would take around 3 hours!

**Asyncio to the Rescue!**

Using asyncio and aiohttp, our hero managed to reduce the time required for brute-forcing from 3 hours to a mere 15 seconds!
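
The sweep described above has a clear server-side signature: one authToken asking for thousands of distinct bikeId values within seconds. The following is an added example, not code from the original write-up or from Lyft, of a sliding-window check that throttles such a token; the class and function names, the thresholds, and the sample log are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10       # assumed sliding-window length
MAX_DISTINCT_BIKES = 5    # assumed ceiling: a rider normally rents one bike at a time


class EnumerationDetector:
    """Flags auth tokens that request many distinct bikeIds in a short window."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_BIKES):
        self.window = window
        self.limit = limit
        self.recent = defaultdict(deque)   # token -> deque of (timestamp, bikeId)
        self.blocked = set()

    def allow(self, ts, request):
        """Return True if the rent request may proceed, False if throttled."""
        token = request["authToken"]
        if token in self.blocked:
            return False
        events = self.recent[token]
        events.append((ts, request["bikeId"]))
        # Drop events that have aged out of the window.
        while events and ts - events[0][0] > self.window:
            events.popleft()
        if len({bike for _, bike in events}) > self.limit:
            self.blocked.add(token)        # hand off to alerting / manual review
            return False
        return True


def replay(detector, log):
    """Feed (timestamp, request) pairs to the detector; count allowed per token."""
    allowed = defaultdict(int)
    for ts, req in log:
        if detector.allow(ts, req):
            allowed[req["authToken"]] += 1
    return dict(allowed)


def build_sample_log():
    """Constructed traffic: one ordinary rider, one token sweeping 10000 IDs in 15 s."""
    loc = {"lat": 37.77, "lon": -122.45}
    log = [(0.0, {"bikeId": 12345, "authToken": "rider", "userLocation": loc}),
           (900.0, {"bikeId": 12345, "authToken": "rider", "userLocation": loc})]
    for i, bike in enumerate(range(10000, 20000)):
        log.append((i * 0.0015, {"bikeId": bike, "authToken": "sweeper", "userLocation": loc}))
    return sorted(log, key=lambda e: e[0])
```

On the constructed log the ordinary rider is never throttled, while the sweeping token is cut off after its first five distinct IDs.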

**A Word of Caution**

The author notes that vulnerabilities discussed in this article were disclosed to Lyft in 2019, who promptly responded and patched them. This write-up is intended for educational purposes only.

**The Chase Continues...**

As our hero continued to chase the bike IDs, they encountered an issue: generating codes didn't block others from taking bikes at the same station. Undeterred, they tried again the next day, only to find that Lyft had rebranded Ford GoBikes as BayWheels and changed the unlock mechanism.

**QR Codes and Geofencing**

The new system used QR codes on each bike, which could be scanned to unlock them. However, our hero soon discovered that geofencing prevented bikes from being unlocked outside their designated stations.

**Spinning Wheels (and Certificates)**

To capture encrypted iOS traffic, Charles Proxy was employed once more. This time, however, the issue of certificate pinning reared its head – some apps ship with the server certificates they expect and refuse connections that present any other. After much fiddling, our hero finally managed to bypass this hurdle.

**The Big Reveal**

With the bike ID structure cracked and geofencing bypassed, our hero was able to unlock bikes remotely using their script. But what about multiple unlocks? As it turned out, even after unlocking two bikes, they were still charge-free!

**A Bounty for a Good Report**

After submitting their findings to Lyft's HackerOne platform, our hero received a bounty of $250 (plus an additional $250 bonus) for a "good report." Who knew responsible disclosure could be so rewarding?

**The Postscript**

In the end, our hero threw an epic house party with the Lyft interns and celebrated their newfound freedom – both from being arrested and from using public transportation!

This tale of reverse engineering, creative coding, and (mostly) responsible disclosure is a fascinating case study for anyone interested in security, hacking, or simply enjoying a good story. So go ahead, grab your iPhone, and see what secrets you can uncover!