Security experts reveal vulnerability with airline reservation systems
December 29, 2016 by Bob Yirka
(Tech Xplore)—A pair of researchers with German security firm Security Research Labs has revealed the results of research they undertook to assess the security strengths and weaknesses of airline booking systems. Karsten Nohl and Nemanja Nikodijevic have detailed their findings in a company blog post and in a talk they gave at this year's Chaos Communication Congress—and the news is not good for travelers.
Most modern computer systems employ a host of security features designed to make it difficult for hackers to gain access. Unfortunately, according to Nohl and Nikodijevic, airline booking systems were designed back in the 1960s and have not been updated—that means that both airlines and the customers who use their services are extremely vulnerable to hackers wishing to gain access.
The main problem, the researchers report, is that the Global Distribution System (GDS) used by the airlines is based on a restricted access code, a six-character Passenger Name Record (PNR), which customers are given when they purchase a ticket—it is also printed on all of their luggage. The restricted part of the code means that the number and types of characters that can be used must fall within a predetermined range—that makes it easier for hackers using computers to run through all the possibilities. Since the customer's last name is associated with the PNR, hackers can simply type in a common name, such as Smith, and then have the computer run through all the GDS character possibilities until a hit is found, allowing access to that person's flight record.
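The lookup pattern described above (one fixed surname, many different six-character codes) stands out in booking-lookup logs. The following detection sketch is an added example, not code from the researchers or the original article; the log format, field names, time window and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real GDS or airline format).
LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) surname=(?P<name>\S+) "
                  r"pnr=(?P<pnr>\S+) result=(?P<res>hit|miss)")

# Constructed sample lines; addresses are documentation ranges.
SAMPLE_LOG = """\
2016-12-29T10:00:01Z src=203.0.113.7 surname=SMITH pnr=AAAAA2 result=miss
2016-12-29T10:00:02Z src=203.0.113.7 surname=SMITH pnr=AAAAA3 result=miss
2016-12-29T10:00:03Z src=198.51.100.9 surname=SMITH pnr=AAAAA4 result=miss
2016-12-29T10:00:04Z src=198.51.100.9 surname=smith pnr=AAAAA5 result=miss
2016-12-29T10:00:05Z src=203.0.113.7 surname=SMITH pnr=AAAAA6 result=miss
2016-12-29T10:01:00Z src=192.0.2.44 surname=MUELLER pnr=X7KQ2M result=miss
2016-12-29T10:01:20Z src=192.0.2.44 surname=MUELLER pnr=X7KQ2M result=miss
2016-12-29T10:01:40Z src=192.0.2.44 surname=MUELLER pnr=X7KQ2N result=hit
"""

def parse(line):
    """Return (time, source, surname, code, hit) or None for unparseable lines."""
    m = LINE.fullmatch(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["name"].upper(), m["pnr"].upper(), m["res"] == "hit"

def find_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Map each flagged surname to the sources involved. A surname is flagged
    when `threshold` distinct codes fail for it within `window`, counted across
    all sources so that spreading requests over addresses does not hide it.
    Assumes the lines are in time order."""
    recent = defaultdict(deque)   # surname -> (time, source, code) of misses
    flagged = defaultdict(set)
    for ts, src, name, pnr, hit in filter(None, map(parse, lines)):
        if hit:
            continue
        q = recent[name]
        q.append((ts, src, pnr))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop misses older than the window
        # Distinct codes only: a traveller retyping one wrong code counts once.
        if len({code for _, _, code in q}) >= threshold:
            flagged[name].update(s for _, s, _ in q)
    return {name: sorted(srcs) for name, srcs in flagged.items()}

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

Counting distinct failed codes per surname, rather than failures per source address, is what separates this pattern from an ordinary traveller mistyping their own code.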
Access to a GDS, the researchers report, allows for changing information on a flight record, which they reportedly demonstrated by reassigning a reporter to a seat next to a politician on a real flight. It could also allow a hacker to tie their frequent flyer number to a host of other flights and give themselves credit for thousands of miles. They note that a flight record holds information that could be used to create a very effective phishing campaign—and it could also conceivably be used for tracking purposes—a stalker could use such information to follow the itinerary of a celebrity, for example.
The researchers also reported that they have notified the makers of the three main GDS systems of their findings and expect that some of the holes in the systems will be fixed soon, while others may require a full rewrite, obviously taking a lot longer.
© 2016 Tech Xplore