DEFCON 24: "How to take the best seats in the security theater, or hack boarding passes for fun and profit"
My name is Przemek Jaroszewski. I lead the Current Threat Analysis team at CERT Polska, the Polish national CSIRT, which operates within the academic and research computer network. I programmed for more than 10 years, but that was a long time ago. I have 15 years of experience in IT security, a master's degree in social psychology, and I understand social engineering. I also love everything related to flying on airplanes; you could say that a frustrated air traffic controller lives inside me. I like to study how the air travel support system works and what happens on the invisible side of the process.
I fly often, both privately and for work, so I enjoy frequent-flyer benefits. Mileage matters to a frequent flyer, because it brings discounts and status. I enjoy privileges such as lounge access and fast track, a quick passage through security without queues. They save a lot of time and make the stay at the airport comfortable, unless someone tries to fix something that does not need fixing, after which these privileges stop working.
Last year, at the airport of my native Warsaw, an automatic self-service gate was installed, designed to speed up passing the security check. Instead of waving the boarding pass in front of the controller, you just scan your ticket and the gate lets you through. The problem was that the scanner did not read my fast-track entitlement correctly: it treated fast track as a privilege only for business class passengers, while I prefer to fly economy. I use fast track only because I have "gold" status. The gate granted fast track only to passengers with business class tickets, and the scanner could not read my status correctly.
So I still had to find someone from the airport staff, who came with me to the gate and scanned my ticket two or three times, which is completely unproductive. Instead of saving time, I lost a few minutes.
Let's see if I can fix this problem. Let me explain what is actually being discussed. The boarding pass is a piece of paper with a bar code printed on it. This code was approved in 2005 by Resolution No. 792 of IATA, the International Air Transport Association. According to this resolution, all passenger processes in air transport should be marked with such a bar code, and this code can be of four types.
If you have a paper ticket, it carries a PDF417 bar code; if you use an electronic ticket on a mobile device, it carries a two-dimensional bar code such as QR, Aztec or DataMatrix.
To make my task easier, I found a mobile application for reading bar codes on Google Play; there are several dozen of them. I like Barcode Scanner from Geeks.Lab most of all, but you can use any one you like. So you get a tool that helps you read what is written in the bar code.
So, the bar code on the ticket is encoded according to the BCBP standard and, decoded, looks like the one shown on the slide. It is a group of numbers, symbols and letters.
If the scanner does not read my status correctly, I have to find where the class is indicated here. So I need a second tool, a bar code generator, of which there are also plenty in the Google mobile app store.
With its help, I found the letter that defines the class: it is the letter M.
The remaining data describe the passenger's name, departure and arrival airports and the flight number. Let's see if I can change this letter M (economy class) to C (business class). I managed to do it without problems, and now I save half a minute at each pass through the gate, because the scanner now sees the fast-track service.
Having done this with their ticket, any passenger can use business class privileges for free by changing the bar code in this way.
Then I wondered what else could be changed here. For example, the first and last name are also easy for me to change. The only thing that cannot easily be changed is the reservation code, because it is tied to the reservation system and must match your boarding pass.
That is, it tells the system whether you are travelling or not, whether a seat is booked or not. I thought about how to change this data and got a little confused. I found out that instead of a free fast-track service for everyone, you can generally provide free access to the airport for everyone.
Let me explain what I mean. My experience concerns the Warsaw airport; in the USA the system is slightly different. But what I am telling you applies to any airport, regardless of its location. This is not just access to fast track, it is access to all airport services. It surprises me that of the millions of passengers visiting airports every day, nobody has thought of this.
Let me remind you of facts known to everyone, some of which occurred before the widespread introduction of bar codes on tickets:
In 2003, Bruce Schneier flew on another person's ticket, having printed it on a home printer.
In 2005, Andy Bowers discovered a gaping hole in the airport security system.
In 2006, Bruce Schneier repeated his action, since nothing had been done in the system in the meantime to prevent such incidents.
In 2007, Christopher Soghoian published a web page on which anyone could create a fake ticket for himself, which earned him a lot of trouble. FBI agents came to his house, and the TSA sent him a letter describing the air transport rules he had violated and asking him not to do it again.
In 2008, Jeffrey Goldberg published an article about the possibility of carrying dangerous baggage.
In 2011 and 2012, also with the participation of Bruce Schneier, articles by Charles Mann and John Butler on the gaps in the flight security system were published.
John Butler described how you can trick the preliminary screening. He was mistaken in some technical details, but the idea itself was stated correctly. So, as in 2003, the procedure for boarding a flight as a person who is not on the passenger list was:
buy a ticket in a fake name;
print the boarding pass on a home printer;
create a copy of the boarding pass with your real name, which is not on the passenger list;
show the TSA employee the fake boarding pass with your name together with a document proving your identity. The problem was that this employee did not have access to the booking system and therefore could not check in whose name the ticket had been bought. He simply checked that the last name on the boarding pass matched your identity card or passport. At the gate you then showed the genuine boarding pass, which could be checked in the ticket reservation system, and got on the plane.
As I said, this method worked in 2003, but it could be repeated in 2006 and in 2007, when there were already bar codes. Consider how this method of boarding works in Europe in 2016:
buy a ticket in a fake name;
print the boarding pass on a home printer;
get on board the aircraft.
From your reaction, I see that you have appreciated the improvement in airport security in recent years!
Firstly, this became possible because of how specific airlines control access to the aircraft. This is not the airport's task; it serves the airline, which is only interested in protecting its business interests. They do not care who bought the ticket, as long as there are no fare dodgers. Very few airlines check your ID; for most it is enough to check only the ticket.
Secondly, this is possible because of the patchy security checks. For 2 or 3 years now, your documents have not been checked at all if you fly on domestic routes or within the Schengen countries. In my opinion, 26 countries are now in Schengen; it is not the same as the European Union, which includes 46 countries. Other countries have strengthened controls at the Schengen border and are sharing databases of immigrants. Officials of the Schengen zone explain this by saying that they do not need to check IDs, since overall security is ensured by the physical screening of each individual.
Let's go back a bit. As it turned out, I did not need to reverse-engineer the boarding pass format: it is publicly available, for example on the IATA website. Here is how it looks in its entirety. In the upper part are the data required on the boarding pass. The problem is that only this data is mandatory: the passenger's name, departure and arrival airport codes, class and flight number, and date. No other data is required on the ticket. This is only 60 characters.
There is nothing that authenticates the passenger and nothing that allows him to be checked. At the bottom of the form are additional data, including 4 rows of security data. They act like an electronic signature of your ticket. They may be included in the ticket, but this feature is optional.
Consider where passenger data is stored. Passengers can be verified using the ticket booking system. This is the computer reservation system (CRS), which stores and processes the passenger name record (PNR). It contains personal information (last name, first name, contacts), reservations (flights, hotels, cars), issued tickets, special requirements (for example, special needs for disabled passengers, or a special diet such as halal or kosher), data from loyalty programs, and contacts of the persons to be notified in case of a plane crash.
Dozens of CRSs exist within the global distribution systems (GDS: Sabre, Amadeus, Galileo, Worldspan), but they mostly work with private operators. One reservation can create multiple PNRs in different CRSs. Access to the data is restricted not only within one CRS, but also between its various parts, because it is personal information.
The problem is that you need to know where to look in order to track down this data, since there are very many CRSs. By default, airports do not have access to this database. For example, I fly Polish airlines, then I transfer to another company, and my booking is duplicated in both systems. If I use the services of a travel agency, they also create their own booking record, and so on.
As you know, the bar code usually contains more information than what is printed, and if you can decode this code, you get access to it, including personal data.
In addition to booking systems, some data also goes to other systems:
data for ticket checks go to the departure control system (DCS), which checks that the person listed on the ticket is on board;
Advance Passenger Information (API) goes to the border guard service, which should know who flew into the country; scans of documents and so on may be needed;
PNRGOV data is received by government systems; it is not very common and is used for statistics;
data for the flight security program, which I will talk about a little later.
Again, I note that this information is not intended for airports; it is used by the air carrier.
For myself, I wrote a JavaScript program that generates Aztec bar codes as a web form that works offline; this is what it looks like.
I enter the necessary data into it, including class, date, last name, seat and security number, and it generates a bar code. The main thing needed for this to work is the flight number and date. The flight number is the same as the one shown on the airport departure board.
Working with the paper form of the ticket is not so exciting. Regular MS Word has a decent tool for editing PDF files, so it is easy to make changes and print such a ticket. You convert the PDF to DOC, make the changes and save it again as PDF.
The main thing is that the information printed on it must match the information encoded in the bar code, because it is scanned everywhere. Thus, you can get a lot of extra entertainment for free. Visiting a contract business lounge, which airlines pay for, is completely safe, because the lounge operator has no access to the passenger register or personal information and simply believes what the bar code on the ticket says. The only thing you should not do is use the "gold" status services, because you may be asked to present a physical "gold" passenger card, which you do not have. If you have a card that has expired, they can also check it online.
Things are a bit harder with lounges operated by the carrier. They may have access to the passenger register, but only for those flying with that particular airline. Some companies admit business class passengers holding tickets for another airline's flight, so in that case it is even easier to get access. Recently, entry to the lounge has been through automatic doors, as at Copenhagen airport, so the trick with a fake boarding pass can work.
Once I used the services of Brussels Airlines, which has a slightly different booking system, and my ticket trick worked. However, some systems are not so easy in this respect. In particular, one of the best in the world is in Istanbul and is operated by Turkish Airlines. I thought it would be difficult to fool this system, because 99% of flights at this airport are operated by Turkish, and there are only a few Star Alliance flights operated by other European carriers. How did I act in this case? I launched my program on a smartphone and entered the data of one of the Turkish flights. I looked at the departure board and chose a random Istanbul-London flight, filled in the data of Bartholomew Simpson, who was a good prankster, and the program generated a matrix bar code in full accordance with the fake ticket data.
As you can see, I am filming with a hidden camera in my shoulder bag. I walk up to the automatic doors, hold my smartphone with the bar code to the scanner and calmly walk into the chic lounge. Now I will show what I could use for free.
As I have already said, you do not need to fly anywhere; it is enough just to come to the airport and use all its services, for example such a pleasant thing as duty-free shopping. In many countries, goods in duty free are sold only to passengers of a flight (and alcohol is packed in plastic bags), but for this you do not actually have to go anywhere. For EU destinations there are higher prices, that is, if you fly outside the EU, you can buy goods cheaper.
With a fake ticket in your hands, you get access to all the attractions of the airport: the Fast Track service, easy access to lounges and duty-free shops.
How can this be prevented? On this topic, the IATA website has a useful half-page document on fraud protection. It describes the risks that fraud carries.
For example, if the controller detects two copies of the same ticket, he must withdraw the second copy, stop its holder and verify his identity. If the data in the ticket has been changed, the passenger must be checked against the passenger name list (PNL) of the flight, and a certificate attached proving that the bar code on the ticket has been changed. If a fake bar code is detected, the passenger must also be checked against the PNL and a certificate attached proving that the bar code is not genuine. The certificate here is an electronic signature.
Consider what such an electronic signature consists of.
In 2008, IATA released the BCBP v3 standard (bar coded boarding passes) with digital signature support based on PKI, public key infrastructure. "Public key" means that the scanner at any checkpoint can verify the authenticity of the digital signature.
Many airlines still use BCBP v1, which does not support digital signatures. This means that checkpoints must have additional devices to check them.
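To make the two points above concrete (the 60-character mandatory block carries nothing that authenticates the passenger, and the security data block is the only thing a checkpoint could actually verify), here is an added example of the checkpoint side: a parser for the single-leg BCBP "M" format and the PNL check the IATA fraud guidance describes. This is example code written for this article, not the speaker's generator or any IATA or airline software. The field widths follow the BCBP mandatory items as I know them from Resolution 792; the "^" marker for the start of the security data block is my reading of the v3 layout and should be treated as an assumption. The boarding pass strings, the PNL and the "signature" bytes are all constructed for the demonstration and are not real data or a real signature.

```python
"""Parse IATA BCBP ("M" format) boarding pass strings and run two checkpoint
checks: does the pass carry any security data, and does the passenger appear
on the flight's passenger name list (PNL) with the class the bar code claims?"""

# Mandatory items of a single-leg BCBP, in order, with their fixed widths
# (IATA Resolution 792). These 60 characters are all that is guaranteed to be
# present; nothing in them authenticates the passenger.
MANDATORY_FIELDS = [
    ("format_code", 1),        # "M"
    ("legs", 1),               # number of legs encoded
    ("passenger_name", 20),    # SURNAME/GIVEN, space padded
    ("eticket_indicator", 1),  # "E"
    ("pnr", 7),                # booking reference
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),        # day of year
    ("compartment", 1),        # fare class letter: "M" economy, "C" business
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size", 2),   # hex length of the conditional items that follow
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_FIELDS)  # 60

# Assumed marker for item 25, "beginning of security data" (BCBP v3+).
SECURITY_MARKER = "^"


def parse_bcbp(data: str) -> dict:
    """Split a BCBP string into its mandatory items plus any security data."""
    if len(data) < MANDATORY_LENGTH or data[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    cond_len = int(fields["conditional_size"], 16)
    fields["conditional_items"] = data[pos:pos + cond_len]
    pos += cond_len
    # Optional security block: marker, 1-char type, 2 hex digits of length, data.
    fields["security_data"] = None
    if data[pos:pos + 1] == SECURITY_MARKER:
        sec_type = data[pos + 1]
        sec_len = int(data[pos + 2:pos + 4], 16)
        fields["security_data"] = {"type": sec_type, "data": data[pos + 4:pos + 4 + sec_len]}
    return fields


def is_signed(fields: dict) -> bool:
    """True when the pass carries a security data block at all. Without one,
    every field above is an unverified claim; with one, the scanner still has
    to verify the signature against the airline's public key."""
    return fields["security_data"] is not None


def check_against_pnl(fields: dict, pnl: dict) -> str:
    """Check a scanned pass against the flight's PNL, as the IATA fraud guidance
    describes. The PNL is modelled as {(carrier, flight, date): {pnr: (name, class)}}."""
    flight = (fields["carrier"], fields["flight_number"].lstrip("0"), fields["julian_date"])
    booking = pnl.get(flight, {}).get(fields["pnr"])
    if booking is None:
        return "NOT_ON_PNL"
    name, compartment = booking
    if name != fields["passenger_name"]:
        return "NAME_MISMATCH"
    if compartment != fields["compartment"]:
        return "CLASS_MISMATCH"   # e.g. economy "M" rewritten to business "C"
    return "OK"


# Constructed sample data (not real passengers, flights or signatures).
GENUINE_PASS = (
    "M1"                    # format code, one leg
    "SIMPSON/BARTHOLOMEW "  # 20-char name
    "E"
    "ABC123 "               # 7-char PNR
    "WAW" "LHR" "LO "
    "0281 " "220"
    "M"                     # economy compartment
    "022C" "0025 " "1"
    "00"                    # no conditional items
)
ALTERED_PASS = GENUINE_PASS[:47] + "C" + GENUINE_PASS[48:]   # class letter M -> C
SIGNED_PASS = GENUINE_PASS + "^1" + "0A" + "0123456789"      # 10-byte placeholder signature
PNL = {("LO", "281", "220"): {"ABC123": ("SIMPSON/BARTHOLOMEW", "M")}}

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_PASS), ("altered", ALTERED_PASS), ("signed", SIGNED_PASS)):
        parsed = parse_bcbp(raw)
        print(label, parsed["compartment"], is_signed(parsed), check_against_pnl(parsed, PNL))
```

The altered pass parses perfectly well: the format itself has no integrity check, so the only ways a checkpoint can catch the change are a PNL lookup (which most gates and lounges cannot do) or a verified security block (which a v1 pass never has).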
The flight security system in the USA is better developed than in Europe, where automatic gates are used everywhere.
Unfortunately, I have no time left to answer your questions. I want to share with you a link to the materials of my report, which will also be included in the final presentation of DEFCON on the DVD.