Easy way to get to the VIP lounge of a European airport
You do not need to buy a business class ticket; you only need to generate a QR code that the boarding pass scanner accepts.
Przemek Jaroszewski demonstrates a QR code that gives him access to an airport's VIP lounge
The head of Poland's computer emergency response team (CERT), Przemek Jaroszewski, often travels internationally. He usually flies, on average 50 to 80 times a year. At that frequency, airlines give a customer many perks, including access to VIP lounges. Jaroszewski likes the Turkish Airlines lounge, where you can watch movies, try Turkish pastries and even get a free massage.
On one trip, the system failed to recognize his VIP status when his boarding pass was scanned. Jaroszewski solved the problem using his skills as an information security specialist. He learned to compose a QR code for the airport system, which enabled him to obtain VIP status at almost any airport in Europe. He wrote a program that combines fictitious passenger data with real flight data to form a QR code for a boarding pass. You can use any name, flight number, destination airport, and ticket class. As it turned out, the system needs only a real flight number. All other data can be made up. The Android application created by Jaroszewski allows anyone to access the VIP lounges of a number of airlines. The application can also be used to make purchases in duty free stores.
The vulnerability of systems that scan boarding passes is not news. It was first used by cryptography specialist Bruce Schneier, who described his method in 2003. Another information security specialist created a website that automatically generated fake boarding passes. The site is still up, but the script that generated the fake boarding passes is not. The FBI forced the site owner to remove the script back in 2006.
With his application, Jaroszewski showed that the vulnerability still exists today, ten years later. “In fact, it takes only 10 seconds to create a fake boarding pass,” he says.
Jaroszewski recorded the process of creating a QR code on video. In it, he uses the name Bartholomew Simpson and generates a code. With this code, he checks in for the flight and enters the Turkish Airlines VIP lounge in Istanbul.
Przemek Jaroszewski says he did not test his application at airports outside Europe, so he cannot say whether it will work in the United States or other countries. He also never tried to fly under a fake name. In his opinion, this is hardly possible, since documents are checked again when boarding the airplane. In addition, the method can only be used by people who are already at the airport and have passed all checks, including the metal detector. The trick can only be used to obtain the privileges of a passenger with VIP status. By creating an appropriate QR code, an economy class passenger can easily enter the lounge reserved for passengers who have bought a much more expensive ticket.
Wired journalists asked the US Transportation Security Administration and the International Air Transport Association to comment on the situation. Representatives of these organizations responded that they did not view the current situation as a threat. The journalists were also told that responsibility for passenger safety lies with the airlines themselves. The problem seems to be that the scanning systems have no way to check the passenger data: their database contains only flight numbers. Such scanners cannot connect to an external network to check all the data contained in the QR code.
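The gap described above, as an added example that is not from the article or from Jaroszewski's application: a scanner that trusts every field once the flight number is known, beside an offline check that rejects a pass whose fields were not issued together. The flight numbers, key and field names are constructed, and the HMAC stands in for an asymmetric signature, which would let scanners hold only a public key.

```python
import hashlib
import hmac

KNOWN_FLIGHTS = {"XX1234", "XX5678"}   # constructed: all the scanner stores today
ISSUER_KEY = b"constructed-demo-key"   # hypothetical key, stands in for a signing key
FIELDS = ("name", "flight", "destination", "cabin")


def _mac(p):
    """MAC over every field, length-prefixed so field boundaries cannot shift."""
    msg = b"".join(len(v).to_bytes(4, "big") + v
                   for v in (p[f].encode("utf-8") for f in FIELDS))
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue(p):
    """Airline side: bind all pass fields together with a tag."""
    return {**p, "tag": _mac(p)}


def weak_check(p):
    """Model of the behaviour in the article: only the flight number is verified."""
    return p.get("flight") in KNOWN_FLIGHTS and p.get("cabin") == "business"


def hardened_check(p):
    """Offline check: known flight AND issuer-authenticated fields."""
    if p.get("flight") not in KNOWN_FLIGHTS:
        return False
    if not all(isinstance(p.get(f), str) for f in (*FIELDS, "tag")):
        return False  # missing or malformed field: reject, do not crash
    if not hmac.compare_digest(_mac(p).encode(), p["tag"].encode("utf-8")):
        return False  # a field was changed after issuance, or the tag is wrong
    return p["cabin"] == "business"


if __name__ == "__main__":
    econ = issue({"name": "SAMPLE/PASSENGER", "flight": "XX1234",
                  "destination": "ZZZ", "cabin": "economy"})  # constructed pass
    altered = {**econ, "cabin": "business"}  # cabin field edited after issuance
    print("weak:", weak_check(altered), "hardened:", hardened_check(altered))
```

The tag is verified with data the scanner already holds, so the check works without the external network connection the scanners lack.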
Speaking at the Defcon conference, Przemek Jaroszewski said that he had never tried to get into airline lounges that he would not have had access to as a VIP passenger under his real name. He also did not try using his application to buy goods in duty free stores when flying within the same country. The expert explained that he did not want to break the law. However, he once generated a code for a friend who was at the airport in Istanbul, waiting 7 hours for a flight. He told the friend to use the QR code at his own risk. It all turned out well.
Jaroszewski said that he was not going to share his application. He argues that any more or less experienced specialist would have no trouble creating exactly the same application. The program itself is simple: it is only 500 lines of code. But the intentions of a person who decides to do something like this may be far from a desire to test whether airport systems can be fooled.