Hacker Holds Key To Free Flights
mask.of.sanity writes: "A security researcher says he has developed a method to score free flights across Europe by generating fake boarding passes designed for Apple's Passbook app. The 18-year-old computer science undergrad didn't reveal the 'bypass' which gets the holder of the fraudulent ticket past the last scanner and onto the jetway; he's saving that for his talk at Hack in the Box in Amsterdam next month."
who?
... how do you deal with the inevitable "Hey, you're in my seat" dilemma?
s/[stupid comments]/[intelligent discourse]/gi
Got to pick your flight carefully if you don't want to end up sitting on someone's lap (or vice versa).
You might get lucky and get an empty seat. Hint: pick a center seat in the last few rows; these seats suck. However, if you fly into the US or many other countries, they will have received a passenger manifest electronically from the airline. You'll have fun when you get to customs and there's no record of you...
the ticket was a punch card.
Another possible attack vector for terrorists. Unwittingly this guy is now going to make it a living nightmare for people flying around Europe for exposing this security flaw. Prepare for the requisite knee-jerk response from the EU and the US.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
You need to do this in two steps
1) Knowing the name of someone on the flight, get a copy of their boarding pass at one of the omnipresent self check-in kiosks in the terminal. This might be a bit tricky, perhaps shoulder surfing or social engineering? Even trash can rummaging (since people often get a new boarding pass when they check bags, etc.).
That gets you the seat assignment on the plane, and past the scanner.
2) Bogus boarding pass that matches your ID so you can get past the security checkpoint (the last time they check ID for domestic flights). You could print this anywhere, and for all I know, your name is encoded in the funky barcodes. Or a legit boarding pass for another flight you've booked yourself on, perhaps on standby? (since they don't charge your credit card 'til you board)
3) A boarding pass with the seat number you have chosen (to be non-conflicting with the seat of the known passenger in #1) would probably be most effective at convincing the flight attendants that you are legit. If you're doing the late boarding, pick-an-empty-middle-seat approach, I'll bet "there's an App for that" that can produce a legitimate-looking pass.
4) Bear in mind that if they get suspicious, there is a printed passenger manifest at the gate and they can fairly quickly walk down the aisle checking everyone. That's going to be hard to beat.
There are several social engineering steps that will be needed (as with any good con).
Whoa, talk about floating yourself relative to your original position! If the flight is full can I just sit aligned in the center?
When journalist Drew Griffin investigated flaws with the TSA in the US, he ended up on the no-fly list.
Another got raided by the feds: http://yro-beta.slashdot.org/story/13/10/25/1939214/feds-confiscate-investigative-reporters-confidential-files-during-raid
Guess what's going to happen to this guy ...
He said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database", but wouldn't be drawn on whether he tested his research by boarding a flight.
Of course news about a fake is Fake News.
Hacker Holds Key To Free Flights
Until you count the risk-weighted cost of getting arrested for fraud.
Guess who just made it onto a whole bunch of lists!
I foresee many small rooms in this guy's future. Filled with unhappy people with guns and badges wanting to talk to him.
Lately, when I check in for a flight, the software in the ticket scanner checks to see if the seat has already been scanned. If it has, it'll beep; if not, then it marks it as now allocated.
Now if there are places in Europe that don't have that sort of check-in system then I can see it being vulnerable...
Seat maps are now available online realtime for most major airlines. So there is no need to guess - you can pick a right flight and an empty seat, do it right before the departure and it will likely remain empty.
On the other hand, my impression of gate check was that it checks boarding pass against database record of name/reservation/seat assignment. Certainly any other information maintained by gate agents is in the same remote database (such that any changes they perform at the gate become instantly visible online, for example standby and upgrade list status). So, no matter what the "local hack" is, it would only work if either:
- He can also hack remote passenger database (unlikely)
- Specific airline does not check passengers against the database and trusts a properly constructed boarding pass (also unlikely, at least in the US, as there needs to be a positive match between passenger and loaded luggage that has to be performed based on that darn remote record).
There is also the pesky passenger manifest with names, which again comes not from your boarding pass but from the remote system (though they need to reconcile it with reality).
Let's wait and see. Perhaps some of these conditions don't hold in Europe for whatever reason?
So exactly how many years of experience does this gent have as a, um, "researcher"? 18 year old comp sci "undergrad"? I.e.-- freshman? Ah, the innocence of the naive inexperienced youth!
This might work fine, but if it didn't work you would probably get arrested, get put on a blacklist and, if it was really your day, get close attention from the likes of the French DGI. There is nothing like a week of interrogation to spice up your vacation.
Most airlines have assigned seats. Most airlines have computers that know who's supposed to be in each seat and also know who's bought tickets. So on most airlines, that fake boarding pass is going to be pretty tricky. And using Passbook is just a more hip way of doing the old "print a fake boarding pass" trick.
You could make a "no seat assignment" boarding pass, which often happens when a flight is booked full except for rows that are blocked (exits, front row of economy blocked for the handicapped, etc). Then you go to the gate, ask the gate agent for a seat assignment, all perfectly normal... except that you're not going to be in the computer, so at the very least, there's an element of social engineering.
You could make a "no seat assignment" boarding pass for an earlier/later flight, and if the computer at the gate were so dumb it didn't know about any flight but the current one, you might be able to "stand by."
Making a "no seat assignment" boarding pass for a different airline entirely ... well, they'd probably want to know why you had been sent over to them. And they'd probably want someone at the other airline to sign off on it. Odds might be a tiny bit better if the airline you chose was a partner, but not in a joint venture involving shared access to customer records. If Delta and Alaska both have flights between a pair of cities, make a fake boarding pass for the one that leaves first, show up at the other one after it's left, claiming you missed your flight and asking to stand by.
Of course there's also the non-rev standby category, but for that you need to fake an airline ID and uniform... and that's a lot more risky.
So I'm guessing this guy may be flying an airline that lacks assigned seats, and maybe isn't all that great at IT in general... which means congrats, you're getting flights on either Ryanair or something even worse, for £0 instead of the £1 they usually charge. ;)
I don't know when I'll have the opportunity, but next time I'm heading through a certain airport where I have lounge access and am friends with the lounge staff, I'll see if I can make a few "modified" boarding passes and see what happens when they scan them, just for amusement. Like if I'm in economy on a domestic flight to Los Angeles, make one that says I'm in business class on the upper deck of a 747 to Tokyo, and see what they say when it doesn't show up in the computer.
Village idiot in some extremely smart villages.
Of course there's also the non-rev standby category, but for that you need to fake an airline ID and uniform... and that's a lot more risky.
Non-rev standby doesn't work like that. You are thinking more of jump-seating for pilots and flight attendants, who must be in uniform and can just show up at a gate and get listed. Non-revs wear regular clothes and do not need to show ID at the gate, but when they check-in at the airport they need to have already made a reservation through their online company portal, or need to produce an airline ID to the ticket agent if they are booking the flight day of. But trying to fake either of those, especially jump-seating, is a good way to earn yourself a nice little vacation in federal prison.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
For hackers with balls, try that on Air Force One.
"Hey, Mr. President, this is my seat!"
Who the hell would accept a digital image of a boarding pass? I could make a fake one so easily and just imitate the app. Or I could snap a shot of someone else's pass and then swap out the info. What airport in the world would possibly accept something so unbelievably unreliable?
"he's saving that for his talk at Hack in the Box in Amsterdam next month"
He'll be in a CIA torture chamber before then if he's not careful.
This trick only works with 18 year olds. Only they are at the age when they can pretend to be younger and thus not have an ID and then say things like, "I was just waiting for my parents!" and "my phone must be broke!". LOL. That is the "trick". It's just all social engineering.
This kind of shit won't fly (pun intended) internationally, where every passenger list is carefully checked. At the very least, you'd be stopped at the destination airport; they'd probably notice a seat that's supposed to be empty too.
Also, to everyone worried about terrorism: You still need to go through security. The only difference this makes is whether you have to pay for a ticket to get on the flight. That is not commonly an impediment to terrorists.
We'll make sure to write to you in Gitmo.
All the CKI systems I know of count the pax boarded against the pax list in the CKI system. If they find a discrepancy, they check the extra one and ask to check the ticket. Good luck with your explaining.
The bottom line was that the (relatively) secure thing is not the boarding pass but the ticket. Now if you could get a free ticket, I would be downright impressed. Free boarding passes have long been known to be insecure. They are not there to be secure but to count boarded pax in the system against those really boarded on the plane, to be able to remove the ones which are no-shows and remove their baggage.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
"He said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database", but wouldn't be drawn on whether he tested his research by boarding a flight."
To that I have to say only "yeah, right", as in very sarcastic. Some airlines in Europe have spearheaded the interline and ground handling electronic exchange between TKT and CKI systems (using EDIFACT messages TKCREQ, TKCUAC, TKCRES) since.... 2001. Even the medium airlines are using the interline access. Only very, very small airlines are still using offline processes like ETL lists.
That "security" researcher never checked his results in real life.
Yeah, wouldn't want a muslim flying for free.
He tried to kill me with a forklift!
This kid is asking to be put on a permanent Do Not Fly list. Emperors don't like peons who point out their absence of clothes.
I am becoming gerund, destroyer of verbs.
Getting on the plane is only part of the "game."
Unless you plan on doing something bad on the plane that will get you arrested or killed anyways, you also have to never be caught, even after the fact. Or at least delay your capture until all relevant criminal and civil statutes of limitations have run out.
Given that there are cameras everywhere these days, "Good luck with that."
Even then you have to worry about countries retroactively extending the statutes of limitations if their Constitutions/Basic Laws/whatever allow for it (In the last 10-20 years, California [USA] retroactively re-instated the right to sue for damages for certain decades-old torts).
To those who say "it's the bad guys who plan on hurting themselves or others once onboard" I say "You are right, that is an issue that needs to be addressed, but that's outside the scope of my comment, please start another thread."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
No.. your method doesn't account for zero, one, or three legged pax.
I propose: count hairs on heads, then estimate statistics for hairs/person, then develop a model for hair distribution, use that to estimate population based on number of hairs.
There's somebody in the US already doing this with Delta boarding passes - https://www.netspi.com/blog/entryid/208/sky-prioritize-yourself
legally adult? welcome to jail.
of course, when the talk happens, it will have all been blown out of proportion and it turns out he just found some checksum hack that gets him into the security area, not onto the actual plane in any meaningful way.
note how the article says he can *board* a plane. that's the key to this article. it doesn't say he has any chance of successful travel.
People like him don't give a fuck about emperors like coward bitches such as yourself.
He's in it to make a change/difference - you're in it to serve your masters.
So be a good little slave and kiss your emperor's taint.
I guess if he doesn't make the talk then the hack didn't work!
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Next month, if he's not in lockup by then, and even then he may make the no-fly list.
Yes, they are armed. That is their purpose - to be a last line of defense for major threats and to be an early-responder to unruly passenger scenarios.
They are also well trained.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
I was under the impression sometimes a second marshal may fly on a flight without notifying staff.
There are three major manufacturers of intelligent BGR (boarding gate reader) primarily in use around the world - manufactured by Access, Desko, and IER. A boarding gate reader is plugged into a computer, which is either dedicated use (provided by the airline themselves), or Common Use (provided by a Common Use vendor - ARINC, SITA, Ultra, RESA). Different Common Use vendors require different firmware, and different airlines may also utilise different firmware.
The boarding gate reader should send the barcode data to the Airline application (either directly, or via the Common Use platform) - the airline application then has to acknowledge to the reader whether the user is "good to board" (a green light displays) or "not good to board" (a red light displays). A message is often sent to the boarding gate reader as well, with information about the passenger's name, seat number, alerts about exit rows or seat changes etc...
If there was a vulnerability, I would imagine it affects a single device manufacturer, or a single Common Use vendor, or a single airline, or even more likely, a single combination of all three. His assertion "he said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database"" is completely false - there isn't a single model used in all EU airports, and the vast majority of airlines automatically reconcile against a passenger list at the boarding gate.
What he may be talking about is use of specialised standalone boarding gate readers at security positions - the data in the 2D barcode on a boarding pass can be digitally signed, and the contents of the barcode alone can then be used for a degree of validation - whether the passenger is on a valid flight, from this terminal, from this airport, on this day, that hasn't already departed and the passenger hasn't already been through security. If one particular variant of reader isn't properly validating the digital signatures (using the certificates published by the airlines) then it may be possible to create a boarding pass with valid (unsigned) data on it to get through security - it shouldn't be possible to board a flight though.
Finally, being caught doing anything of this kind is a one way ticket to a criminal record, and probably being treated as a terrorist until you can prove otherwise. It's just not worth it.
In the not so distant past it was common to use open source hash generators to create credit card #'s that would return a Boolean valid or invalid when parsed for viability. The merchant processing systems didn't validate the account number against a creditor account; they simply calculated a hash against the credit card # and returned valid or invalid based on the result of the hash. This was/is enough for a hotel, for example, to grant you check-in and charging privileges.
Perhaps the jetway systems of cattle-car airlines simply ask of the scanned boarding pass: "Are you valid?" versus "Who are you? Are you on the right flight? Have you checked in already?..."
If you think of the layers of security employed in a defense in depth model and the fact that passengers are in a sterile area, perhaps the requirements of the system assume that the dude standing in line and the person looking at the moving cell phone is good enough.
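The boarding gate reader post above describes a layered verdict (signature on the 2D barcode checked by the reader, then the airline application reconciling against its passenger list, with the duplicate-seat beep that other commenters mention), and the last post contrasts that with a system that only asks "are you valid?". The following is an added example, not code from the article, the thread, or any airline or reader vendor, that models those layers in Go so the difference is visible: a pass that merely looks right fails at the signature step, and a pass that is correctly signed still fails without a matching manifest record or when its seat has already been scanned. The field layout, the use of ed25519 in place of whatever the real barcode signing scheme is, the airline code "XX", flight "XX123", the date, airport "AMS", the passenger names and the fixed signing seed are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// BoardingPass is the data a gate reader decodes from the 2D barcode.
// The field set is a simplified assumption for this example, not the real
// IATA BCBP layout.
type BoardingPass struct {
	Name    string // e.g. "DOE/JANE"
	Flight  string // e.g. "XX123"; the first two characters name the issuing airline
	Date    string // YYYY-MM-DD
	Airport string // departure airport code
	Seat    string
}

// canonical returns the bytes the issuing airline signs. Every field is
// covered, so editing any of them after signing breaks the signature.
func (p BoardingPass) canonical() []byte {
	return []byte(strings.Join([]string{p.Name, p.Flight, p.Date, p.Airport, p.Seat}, "|"))
}

// SignedPass is what the barcode carries: the payload plus the issuer's signature.
type SignedPass struct {
	Pass BoardingPass
	Sig  []byte
}

// Sign models the airline's check-in system issuing a pass (assumed flow).
func Sign(priv ed25519.PrivateKey, p BoardingPass) SignedPass {
	return SignedPass{Pass: p, Sig: ed25519.Sign(priv, p.canonical())}
}

// Gate models one boarding gate reader plus the airline application behind it.
type Gate struct {
	Flight, Date, Airport string
	Issuers  map[string]ed25519.PublicKey // airline code -> published verification key
	Manifest map[string]string            // passenger name -> seat, from the airline's database
	Boarded  map[string]bool              // seats already scanned at this gate
}

// Scan returns the reader's verdict: "" means green light, anything else is
// the reason for the red light.
func (g *Gate) Scan(sp SignedPass) string {
	p := sp.Pass
	// 1. Checks a standalone reader can do from the barcode alone: a signature
	//    from a known issuer, and the right flight, day and airport. Plausible
	//    but unsigned or altered data fails here, provided the reader really
	//    verifies the signature.
	if len(p.Flight) < 2 {
		return "malformed flight number"
	}
	pub, known := g.Issuers[p.Flight[:2]]
	if !known {
		return "unknown issuer"
	}
	if !ed25519.Verify(pub, p.canonical(), sp.Sig) {
		return "bad signature"
	}
	if p.Flight != g.Flight || p.Date != g.Date || p.Airport != g.Airport {
		return "wrong flight, date or airport"
	}
	// 2. Reconciliation against the airline's own passenger list. A correctly
	//    signed pass is still refused when the airline has no matching record,
	//    e.g. a passenger offloaded as a no-show after check-in.
	if seat, listed := g.Manifest[p.Name]; !listed || seat != p.Seat {
		return "not on passenger list for this seat"
	}
	// 3. Duplicate-scan check: a seat that has already boarded cannot board again.
	if g.Boarded[p.Seat] {
		return "seat already boarded"
	}
	g.Boarded[p.Seat] = true
	return ""
}

// NewDemoGate builds a gate for a constructed flight with a one-passenger
// manifest and returns the issuing airline's key. The fixed seed keeps the
// example reproducible; a real issuer keeps the private key in an HSM and
// publishes only the public half.
func NewDemoGate() (*Gate, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("example-airline-XX-signing-seed!")) // 32-byte constructed seed
	g := &Gate{
		Flight: "XX123", Date: "2013-04-10", Airport: "AMS",
		Issuers:  map[string]ed25519.PublicKey{"XX": priv.Public().(ed25519.PublicKey)},
		Manifest: map[string]string{"DOE/JANE": "12C"}, // constructed sample manifest
		Boarded:  map[string]bool{},
	}
	return g, priv
}

func main() {
	g, priv := NewDemoGate()
	legit := Sign(priv, BoardingPass{Name: "DOE/JANE", Flight: "XX123", Date: "2013-04-10", Airport: "AMS", Seat: "12C"})
	fmt.Printf("first scan: %q\n", g.Scan(legit))
	fmt.Printf("second scan: %q\n", g.Scan(legit))
	altered := legit
	altered.Pass.Seat = "1A" // payload edited after signing
	fmt.Printf("altered: %q\n", g.Scan(altered))
}
```

The order of the checks is the point: the signature and flight/date/airport checks are all a standalone reader at a security position can do, which is why the post above says a reader that skips signature verification only weakens that checkpoint; boarding still depends on the manifest lookup and the already-scanned check, which the barcode cannot satisfy by itself.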