Security Flaw in Airline Booking Allows Hackers to Change Ticket Data and MoresteemCreated with Sketch.

in security •  8 years ago  (edited)

Most of the airline booking systems were designed in the 70s and 80s, and have not been updated with newer technology, leaving customers extremely vulnerable to hackers who want to gain access to the system and change the data.

booking-flightad594.jpg
source

Karsten Noh and Nemanja Nikodijevic are two researchers working for the German security firm Security Research Labs. Their findings were presented on Dec. 27th at the Chaos Communication Congress 2016. Their research undertook the task of assessing the security strengths and weaknesses of the three largest airline booking systems. The booking systems are called Global Distribution Systems (GDS).

These old systems from the 70s and 80s that were designed for leased lines, have been interwoven with web services but still lack web security.

The main seurity issues are as follows:

  • Weak authentication
  • Weak web services
  • Abuse potential
  • Invade travelers’ privacy
  • Steal flights
  • Divert miles
  • Conduct phishing/vishing

While the rest of the world is debating which second and third factor authentication systems to use, the old GDS's do not offer even a first authentication factor. This is the main problem that the research uncovered.

A Passenger Name Record (PNR) Locator is a six digit alphanumeric string, like 8EI29V, used to access and change the travelers information.

The problem with these, is that they are a restricted access code, meaning that parts of the sequence of characters must fall within a predetermined range. The customers last names associated with the PNR, which means that hackers can use a travelers common name to run through all the possibilities until they find the proper access code through brute fore attack.

To demonstrate the feasibility of this security flaw, the researchers reassigned a reporter to sit next to a politician on a real flight. They also showed how a hacker can tie their own frequent flyer number to many other flights and give themselves credit for thousands of miles.

plane582b3.jpg
source

The problems don't stop there.

All of this information that they can get about you from your flight records, can be used to track you, get additional information and possibly steal your identity.

All three of the booking systems have been advised of their security flaws, which they are working on. One of them will have corrections out shortly, while the two others have much older systems that require a full rewrite of the system.

In the meantime, you can take measures yourself to ensure that the airline your booking with uses a trusted system. Make sure that the website uses a proper brute force protection, such as captchas and retry limits per IP address. In the mid-term, the researchers say travel bookings need to implement proper secure authentication with a changeable password at the very least.


Thank you for your time and attention! I appreciate the knowledge reaching more people. Take care. Peace.


References:


If you appreciate and value the content, please consider:

Upvoting, Sharing, and Resteeming below.

Follow me for more content to come!


@krnel
2016-12-29, 5pm

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Once again, Wow!, @krnel,

This is incredibly disturbing but actionable information. Thank You! 😄😇😄

@creatr

Thanks for sharing another example of how centralization fails humans.

I'm in the UK and private information isn't so private anymore, seems our Government wants to know everything we do

Indeed they do.

  ·  8 years ago (edited)

Thank you, good information. My personal experience as a traveler for about 15 years is I have never had a hacking or personal data issue using many airlines. That is not to say these issue aren't real or shouldn't be addressed. Constent improvement is what it is all about. Again great article.

Yeah I'm not sure the hackers are doing this, or knew about it, but it's there for now.