Luggage Tag Code Unlocks Your Flights, Identity to Hackers

Booking a flight has become a simple process thanks to the Internet, and once you have flights secured you can relax, right? Well, for the most part that's true. Your seats are yours, as long as a hacker doesn't decide to stop you flying, which turns out to be very easy to do.

Karsten Nohl and Nemanja Nikodijevic from German security company Security Research Labs have revealed how poorly the travel booking systems we all rely on are protected. In fact, the three largest Global Distribution Systems (GDS) handling flight reservations for travel worldwide are open to abuse in several ways.

Amadeus, Sabre, and Travelport are the three systems that handle over 90 percent of flight reservations. According to the researchers, these systems date back to the 70s and 80s and have only been integrated with more modern web infrastructure rather than replaced completely. As a result, authentication on these decades-old systems is very weak.

Each traveler on a GDS is identified by a six-digit code which is also the booking code (known as a PNR Locator). That ID is printed on boarding passes and luggage tags, meaning anyone near your luggage or who views your pass can see it and easily snap a shot of it with their smartphone. With that one code, all traveler information can be accessed, including home and email addresses, phone numbers, credit card number, frequent flyer number, and the IP address used to make a booking online.

It gets worse, though, as you don't even need a specific ID to find valid traveler information. Neither GDS nor airline websites typically limit the number of times you can check codes, meaning a brute-force approach to finding valid ones can be used. Even finding a specific passenger is relatively easy because the IDs are given out sequentially, which drastically shrinks the number of IDs a hacker needs to search through for a specific timeframe.

Having your personal details so easily accessible throws the door open for a lot of abuse. Nohl and Nikodijevic explain that it's possible for a hacker to steal your flight, either by changing the flight without your knowledge or by canceling it and receiving a voucher usable for a future flight. Any frequent flyer miles you have accrued can also be taken. Add to that the potential for a phishing attack, which could be carried out while the hacker knows you are on holiday, and this could be a nightmare scenario.

The solution is a simple one: better security. The researchers recommend that online services limit access to travel records per IP address and use Captchas to help stop brute-force attacks. A replacement for the six-digit code is also well overdue, but that's going to take a lot longer to achieve.
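One way a booking-lookup page could apply the per-IP limit and Captcha step the researchers recommend, shown as an added example rather than code from the researchers or from any GDS or airline. The class name, thresholds, IP addresses and booking codes are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values, chosen for illustration only.
WINDOW_SECONDS = 600   # sliding window per client IP
CAPTCHA_AFTER = 3      # distinct codes allowed before a Captcha is required
BLOCK_AFTER = 10       # distinct codes allowed before lookups are refused


class LookupLimiter:
    """Tracks which booking codes each client IP has tried recently."""

    def __init__(self, window=WINDOW_SECONDS, captcha_after=CAPTCHA_AFTER,
                 block_after=BLOCK_AFTER):
        self.window = window
        self.captcha_after = captcha_after
        self.block_after = block_after
        self._events = defaultdict(deque)  # ip -> deque of (timestamp, code)

    def check(self, ip, code, now, captcha_solved=False):
        """Return 'allow', 'captcha' or 'block' for one lookup attempt."""
        code = code.upper()
        events = self._events[ip]
        # Forget attempts that have aged out of the sliding window.
        while events and now - events[0][0] > self.window:
            events.popleft()
        # Count distinct codes, so a traveler rechecking one booking is
        # never penalised while a client cycling through codes is.
        distinct = len({c for _, c in events} | {code})
        if distinct > self.block_after:
            return "block"  # refused attempts are not stored, bounding memory
        events.append((now, code))
        if distinct > self.captcha_after and not captcha_solved:
            return "captcha"
        return "allow"


def replay(attempts):
    """Run (timestamp, ip, code) tuples through a fresh limiter."""
    limiter = LookupLimiter()
    return [limiter.check(ip, code, ts) for ts, ip, code in attempts]


# Constructed traffic: one traveler rechecking a single booking, and one
# client walking through twelve different codes one second apart.
TRAVELER = [(t * 60, "198.51.100.7", "ABC123") for t in range(5)]
GUESSER = [(t, "203.0.113.9", f"X{t:05d}") for t in range(12)]

if __name__ == "__main__":
    print(replay(TRAVELER))
    print(replay(GUESSER))
```

Counting distinct codes per IP rather than raw requests is a design choice made for this example; a shared limit across all clients would also be needed against guessing spread over many addresses.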

The researchers gave a talk at the Chaos Computer Club regarding the poor security of these systems and the abuse they allow.