Hacker Uses Fake Boarding Pass App To Get Into Fancy Airline Lounges

An anonymous reader quotes a report from Help Net Security: Przemek Jaroszewski, the head of Poland's Computer Emergency Response Team (CERT), says anyone can bypass the security of the automated entrances of airlines' airport lounges by using a specially crafted mobile app that spoofs boarding pass QR codes. He created one for himself, and successfully tried it out on a number of European airports. Usually, to enter these lounges, travelers need to let the scanner at the entrance scan the QR code on their boarding pass, and the doors open automatically. Jaroszewski created an Android app that creates fake but acceptable QR codes. He says that aside from a valid flight number, the QR code doesn't have to include correct information (traveller's name, flight destination, etc.). According to WIRED, the U.S. Transportation Security Administration (TSA) and the International Air Transport Association (IATA) don't consider this particular issue a problem that needs fixing. They said "any such boarding pass security flaw would be the airlines' issue." Here is an unlisted video of the hack in action.

Re:Airport lounges suck

[PPH]

Because nobody could figure out a way to scam freebies off airlines first class programs.

Re: Did he get onboard a flight he didnt pay for?

[_merlin]

I don't know where you live, but around here the food and drinks are free in the airline lounges.

Quick HowTo

[rworne]

Nothing that's a big secret about this.

Download the IATA Resolution 792, you'll see in section 2.5 the data structure of the bar code for a boarding pass. Then generate the necessary barcode from the resulting ASCII string.

You'll probably need to check the Internet archive, because these resolutions were freely downloadable until a couple of years ago and then they were put behind a paywall... Free to $1500-$4500? Really?

You can use this to generate airline boarding passes too, but all the mobile passes I have seen have a digital signature appended to the end of it. The paper ones they hand out at the airport lack a digital signature.

Oh, and United Clubs actually look up your flight info, FYI.

Re:Airport lounges suck

[cliffjumper222]

Yup. I'm lucky that my employer pays for biz class for intl flights over 9 hours, so I see a few of them. IMO, the red carpet club is the worst, usually packed with sweaty folks trying to shovel as many of the trail mix snacks and coffee they can into their gobs. The "bar" is useless and sternly managed by a crone in a vest. Don't forget the obligatory USD 1 tip or she'll get grumpy. Tokyo and SFO are the worst. If you're smart, you'll find another airline's Gold lounge where they let you pour your own and eat real food. ANA is okay and has the magic beer pouring machine, EVA is good and generous with the booze. The best are the first-class lounges though, which I've only been in rarely as a guest of a super-miler. EVA's in Taipei was really good. The best overall lounge so far was Virgin's biz lounge in Hong Kong. I ate everything they had on the menu and their martinis were great.

Re:Unlisted video?

[AK+Marc]

He posted it as "unlisted" in an attempt to reduce legal liability. It won't help, if he gets in legal trouble, but it makes him feel better.

Re:Airport lounges suck

[quenda]

I've been in the "1st class" lounges in the US and Australia,

Not sure where you are, but out West, the lounge that was once full of business travellers in suits is now full of FIFOs (fly-in, fly-out mine workers), many in safety-boots and hi-vis clothing. Times have changed.

Re:Airport lounges suck

[mjwx]

I've been in the "1st class" lounges in the US and Australia, and they lump in all the eligible people into a single lounge. There are some concierge services that require showing higher permissions, but those are few, and inconsistent.

That's US and Australian airlines. People who travel on those airlines are so classless they could be a communist utopia.

Try flying someone like Singapore, they separate their business and first class lounges and their business class lounges are better than any others I've seen, especially in Changi.

Then again, there isn't a credit card I know of that will get you entry (unless it's paying a fee) so you need to have a business class ticket or be a Krisflyer member with status... which you only get with flying Singapore with some regularity.