Hacker Holds Key To Free Flights
mask.of.sanity writes: "A security researcher says he has developed a method to score free flights across Europe by generating fake boarding passes designed for Apple's Passbook app. The 18-year-old computer science undergrad didn't reveal the 'bypass' which gets the holder of the fraudulent ticket past the last scanner and onto the jetway; he's saving that for his talk at Hack in the Box in Amsterdam next month."
... how do you deal with the inevitable "Hey, you're in my seat" dilemma?
Got to pick your flight carefully if you don't want to end up sitting on someone's lap (or vice versa).
You might get lucky and get an empty seat. Hint - pick a center seat in the last few rows, these seats suck. However, if you fly into the US or many other countries, they will have received a passenger manifest electronically from the airline. You'll have fun when you get to customs and there's no record of you...
You need to do this in two steps
1) Knowing the name of someone on the flight, get a copy of their boarding pass at one of the omnipresent self-check-in kiosks in the terminal. This might be a bit tricky, perhaps shoulder surfing or social engineering? Even trash-can rummaging (since people often get a new boarding pass when they check bags, etc.).
That gets you the seat assignment on the plane, and past the scanner.
2) Bogus boarding pass that matches your ID so you can get past the security checkpoint (the last time they check ID for domestic flights). You could print this anywhere, and for all I know, your name is encoded in the funky barcodes. Or a legit boarding pass for another flight you've booked yourself on, perhaps on standby? (since they don't charge your credit card until you board)
3) A boarding pass with the seat number you have chosen (to be non-conflicting with the seat of the known passenger in #1) would probably be most effective at convincing the flight attendants that you are legit. If you're doing the "late boarding, pick an empty middle seat" approach, I'll bet "there's an App for that" that can produce a legitimate-looking pass.
4) Bear in mind that if they get suspicious, there is a printed passenger manifest at the gate and they can fairly quickly walk down the aisle checking everyone. That's going to be hard to beat.
There are several social engineering steps that will be needed (as with any good con).
Whoa, talk about floating yourself relative to your original position! If the flight is full can I just sit aligned in the center?
When journalist Drew Griffin investigated flaws with the TSA in the US, he ended up on the no-fly list.
Another got raided by the feds: http://yro-beta.slashdot.org/story/13/10/25/1939214/feds-confiscate-investigative-reporters-confidential-files-during-raid
Guess what's going to happen to this guy ...
He said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database", but wouldn't be drawn on whether he tested his research by boarding a flight.
Of course, news about a fake is Fake News.
Until you count the risk-weighted cost of getting arrested for fraud.
Lately, when I check in for a flight, the software in the ticket scanner checks to see if the seat has already been scanned. If it has, it'll beep; if not, it marks it as now allocated.
Now if there are places in Europe that don't have that sort of check-in system then I can see it being vulnerable...
Seat maps are now available online in real time for most major airlines. So there is no need to guess - you can pick the right flight and an empty seat, do it right before the departure and it will likely remain empty.
On the other hand, my impression of gate check was that it checks boarding pass against database record of name/reservation/seat assignment. Certainly any other information maintained by gate agents is in the same remote database (such that any changes they perform at the gate become instantly visible online, for example standby and upgrade list status). So, no matter what the "local hack" is, it would only work if either:
- He can also hack remote passenger database (unlikely)
- Specific airline does not check passengers against the database and trusts properly constructed boarding pass (also unlikely, at least in US, as there needs to be positive match between passenger and loaded luggage that has to be performed based on that darn remote record).
There is also the pesky passenger manifest with names, which again comes not from your boarding pass but from the remote system (though they need to reconcile it with reality).
Let's wait and see. Perhaps some of these conditions don't hold in Europe for whatever reason?
I'd be more concerned about lax security allowing travel using stolen passports.
e.g. the two Iranian passengers on the missing Malaysian aircraft, travelling on euro passports stolen a year earlier.
This might work fine, but if it didn't work you would probably get arrested, get put on a blacklist and, if it was really your day, get close attention from the likes of the French DGI. There is nothing like a week of interrogation to spice up your vacation.
Most airlines have assigned seats. Most airlines have computers that know who's supposed to be in each seat and also know who's bought tickets. So on most airlines, that fake boarding pass is going to be pretty tricky. And using Passbook is just a more hip way of the old "print a fake boarding pass" trick.
You could make a "no seat assignment" boarding pass, which often happens when a flight is booked full except for rows that are blocked (exits, front row of economy blocked for the handicapped, etc). Then you go to the gate, ask the gate agent for a seat assignment, all perfectly normal... except that you're not going to be in the computer, so at the very least, there's an element of social engineering.
You could make a "no seat assignment" boarding pass for an earlier/later flight, and if the computer at the gate were so dumb it didn't know about any flight but the current one, you might be able to "stand by."
Making a "no seat assignment" boarding pass for a different airline entirely ... well, they'd probably want to know why you had been sent over to them. And they'd probably want someone at the other airline to sign off on it. Odds might be a tiny bit better if the airline you chose was a partner, but not in a joint venture involving shared access to customer records. If Delta and Alaska both have flights between a pair of cities, make a fake boarding pass for the one that leaves first, show up at the other one after it's left, claiming you missed your flight and asking to stand by.
Of course there's also the non-rev standby category, but for that you need to fake an airline ID and uniform... and that's a lot more risky.
So I'm guessing this guy may be flying an airline that lacks assigned seats, and maybe isn't all that great at IT in general... which means congrats, you're getting flights on either Ryanair or something even worse, for £0 instead of £1 they usually charge. ;)
I don't know when I'll have the opportunity, but next time I'm heading through a certain airport where I have lounge access and am friends with the lounge staff, I'll see if I can make a few "modified" boarding passes and see what happens when they scan them, just for amusement. Like if I'm in economy on a domestic flight to Los Angeles, make one that says I'm in business class on the upper deck of a 747 to Tokyo, and see what they say when it doesn't show up in the computer.
Of course there's also the non-rev standby category, but for that you need to fake an airline ID and uniform... and that's a lot more risky.
Non-rev standby doesn't work like that. You are thinking more of jump-seating for pilots and flight attendants, who must be in uniform and can just show up at a gate and get listed. Non-revs wear regular clothes and do not need to show ID at the gate, but when they check-in at the airport they need to have already made a reservation through their online company portal, or need to produce an airline ID to the ticket agent if they are booking the flight day of. But trying to fake either of those, especially jump-seating, is a good way to earn yourself a nice little vacation in federal prison.
For hackers with balls, try that on Air Force One.
"Hey, Mr. President, this is my seat!"
Who the hell would accept a digital image of a boarding pass? I could make a fake one so easily and just imitate the app. Or I could snap a shot of someone else's pass and then swap out the info. What airport in the world would possibly accept something so unbelievably unreliable?
"he's saving that for his talk at Hack in the Box in Amsterdam next month"
He'll be in a CIA torture chamber before then if he's not careful.
Spoiler alert: they don't do the count until everyone's sitting down.
All the CKI systems I know of count the pax boarded against the pax list in the CKI system. If they find a discrepancy, they check the additional one and ask to check the ticket. Good luck with your explaining.
The bottom line was that the (relatively) secure thing is not the boarding pass but the ticket. Now if you could get a free ticket I would be downright impressed. Free boarding passes have long been known to be insecure. They are not there to be secure but to count boarded pax in the system against those really boarded on the plane, to be able to remove the ones which are no-shows and remove their baggage.
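The checks several commenters describe (L22: a seat can only be scanned once; L25-L28: the gate validates the pass against the remote check-in record and manifest; L51-L52: boarded pax are counted against the check-in list at door close) can be modelled in a few dozen lines. The following is an added example, not code from any airline, the article, or the researcher: it parses the fixed-width mandatory items of a single-leg IATA BCBP barcode (the `M1...` string printed on paper and mobile passes; the offsets below follow the BCBP mandatory-item layout as the author of this example understands it and are an assumption), looks the PNR up in a constructed DCS manifest, and rejects a well-formed but unissued pass, a copied pass, and a pass whose name or seat disagrees with the record. The manifest, PNRs and names are all constructed for the demo.

```python
"""Gate-scan reconciliation as described in the thread.

A scanned boarding pass is accepted only if it matches the check-in (DCS)
record, a given PNR can board once, and at door-close the scanned count is
reconciled against the manifest and the physical head count.
All data here is constructed for the example; offsets are an assumption
based on the IATA BCBP mandatory-item layout, illustrative only.
"""
from dataclasses import dataclass, field

# (start, length) of the mandatory items in an 'M1' single-leg barcode.
BCBP_FIELDS = {
    "format": (0, 1), "legs": (1, 1), "name": (2, 20), "eticket": (22, 1),
    "pnr": (23, 7), "origin": (30, 3), "dest": (33, 3), "carrier": (36, 3),
    "flight": (39, 5), "julian_date": (44, 3), "compartment": (47, 1),
    "seat": (48, 4), "sequence": (52, 5), "status": (57, 1),
}


def parse_bcbp(raw: str) -> dict:
    """Split the fixed-width mandatory fields of a single-leg BCBP string."""
    if len(raw) < 60 or raw[0] != "M":
        raise ValueError("not an M-format boarding pass barcode")
    return {k: raw[s:s + n].strip() for k, (s, n) in BCBP_FIELDS.items()}


def make_bcbp(name: str, pnr: str, seat: str, flight: str = "1234",
              seq: str = "0001") -> str:
    """Build a constructed 60-char barcode string for the demo (LHR-AMS on KL)."""
    return (f"M1{name:<20}E{pnr:<7}LHRAMSKL {flight:<5}086Y{seat:<4}"
            f"{seq:<5}1" "00")


@dataclass
class GateScanner:
    """Gate reader holding the DCS manifest for one flight, keyed by PNR."""
    flight: str
    manifest: dict                                  # pnr -> {"name", "seat"}
    boarded: dict = field(default_factory=dict)     # pnr -> seat scanned

    def scan(self, raw: str) -> str:
        bp = parse_bcbp(raw)
        if bp["flight"].lstrip("0") != self.flight.lstrip("0"):
            return "REJECT: wrong flight"
        rec = self.manifest.get(bp["pnr"])
        if rec is None:
            # Well-formed pass for a PNR the DCS never issued: the forged case.
            return "REJECT: no check-in record"
        if rec["name"] != bp["name"] or rec["seat"] != bp["seat"]:
            # Real PNR (e.g. shoulder-surfed) but the pass was edited.
            return "REJECT: name/seat mismatch with check-in record"
        if bp["pnr"] in self.boarded:
            # Same pass presented twice (copied from a legitimate traveller).
            return "REJECT: already boarded"
        self.boarded[bp["pnr"]] = bp["seat"]
        return "ACCEPT"

    def reconcile(self, heads_on_board: int) -> dict:
        """Door-close check: scans vs. manifest vs. the cabin head count."""
        no_show = sorted(set(self.manifest) - set(self.boarded))
        return {"scanned": len(self.boarded), "no_show": no_show,
                "unaccounted": heads_on_board - len(self.boarded)}


def demo() -> list:
    """Run the four scan cases from the thread and the door-close count."""
    manifest = {  # constructed DCS records
        "ABC123": {"name": "SMITH/JOHN", "seat": "012A"},
        "XYZ789": {"name": "DOE/JANE", "seat": "012B"},
    }
    gate = GateScanner("1234", manifest)
    results = [
        gate.scan(make_bcbp("SMITH/JOHN", "ABC123", "012A")),   # legitimate
        gate.scan(make_bcbp("SMITH/JOHN", "ABC123", "012A")),   # copied pass
        gate.scan(make_bcbp("MALLORY/EVE", "FAKE01", "030E")),  # forged PNR
        gate.scan(make_bcbp("MALLORY/EVE", "XYZ789", "012B")),  # edited pass
    ]
    # Two bodies in the cabin, one accepted scan: the count exposes the extra.
    results.append(gate.reconcile(heads_on_board=2))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point of the last step is the one made in the thread: even if a pass gets past the reader, the boarded count is reconciled against the manifest and the people actually in seats, so an extra body shows up as `unaccounted` and a legitimate traveller whose pass was copied shows up as a no-show.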
"He said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database", but wouldn't be drawn on whether he tested his research by boarding a flight."
To that I have to say only "yeah, right", as in very sarcastic. Some airlines in Europe have spearheaded the interline and ground-handling electronic exchange between TKT and CKI systems (using EDIFACT messages TKCREQ, TKCUAC, TKCRES) since.... 2001. Even the medium airlines are using the interline access. Only very, very small airlines are still using offline processes like ETL lists.
That "security" researcher never checked its results in real life.
Yeah, wouldn't want a muslim flying for free.
This kid is asking to be put on a permanent Do Not Fly list. Emperors don't like peons who point out their absence of clothes.
Getting on the plane is only part of the "game."
Unless you plan on doing something bad on the plane that will get you arrested or killed anyways, you also have to never be caught, even after the fact. Or at least delay your capture until all relevant criminal and civil statutes of limitations have run out.
Given that there are cameras everywhere these days, "Good luck with that."
Even then you have to worry about countries retroactively extending the statutes of limitations if their Constitutions/Basic Laws/whatever allow for it (In the last 10-20 years, California [USA] retroactively re-instated the right to sue for damages for certain decades-old torts).
To those who say "it's the bad guys who plan on hurting themselves or others once onboard" I say "You are right, that is an issue that needs to be addressed, but that's outside the scope of my comment, please start another thread."
Another possible attack vector for terrorists. Unwittingly this guy is now going to make it a living nightmare for people flying around Europe for exposing this security flaw. Prepare for the requisite knee-jerk response from the EU and the US.
What, for EXPOSING this flaw to the general public, instead of keeping it a secret that only miscreants, terrorists, and airline authorities know about?
You're right. It pulls up the curtain before the security theatre is ready.
legally adult? welcome to jail.
of course, when the talk happens, it will have all been blown out of proportion and it turns out he just found some checksum hack that gets him into the security area, not onto the actual plane in any meaningful way.
Note how the article says he can *board* a plane. That's the key to this article. It doesn't say he has any chance of successful travel.
Ah, so it's a bald 18 year old.
I guess if he doesn't make the talk then the hack didn't work!
Next month, if he's not in lockup by then, and even then he may make the no-fly list.
Yes, they are armed. That is their purpose - to be a last line of defense for major threats and to be an early-responder to unruly passenger scenarios.
They are also well trained.
I was under the impression sometimes a second marshal may fly on a flight without notifying staff.