Sam Blum* says a hacker has exposed a flaw in the archaic technology many airlines still use that could put your private details at risk.
Airlines are more than travel providers.
They’re also giant repositories of customer data — just think how much personal information you provide to book a flight.
If you’re worried that the old technology that powers airlines isn’t up to the task of securing your data, well, maybe you have reason to be.
Noam Rotem, a security researcher based in Israel, recently exposed a flaw in at least one online booking system called Amadeus used to facilitate arrangements between travel agents, booking sites, and upward of 200 major airlines.
The flaw (now said to be fixed) allowed those of nefarious intent to hack into a person’s data using little more than the six-character code printed on a boarding pass.
The problem goes a lot deeper than that.
A clever hack, a worrying weakness
Rotem claims he discovered the flaw on a whim while booking a flight with the Israeli carrier El Al, and a blog post at Safety Detective explains his method: Basically, he discovered he could obtain any passenger’s Passenger Name Record (PNR) — the six-digit codes printed on boarding passes and luggage tickets — by manipulating the source code used to feed information from Amadeus to El Al.
“Just by guessing PNRs I was able to access personal data and change contact details of customers,” Rotem explained to Popular Mechanics in a direct message.
“This was confirmed by both El Al’s VP and the Amadeus team.”
Rotem ran a script that generated random PNR codes, then plugged the individual results into the backend of the website’s booking page.
This way, he says, the site granted him access to the private flight information of scores of passengers.
(Amadeus says it fixed the bug after Rotem disclosed his findings.)
The vulnerability allowed him to make a variety of nefarious moves, including stealing frequent flier miles, changing passengers’ seats and meals, and modifying “the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service,” the blog explains.
Even if the bug truly is fixed, its existence points to a massive problem.
Amadeus serves nearly 200 major airlines, including United Airlines and Lufthansa, and managed 595 million bookings across the greater travel industry in 2016.
And the other IT systems at the heart of the airline industry aren’t getting any younger, either.
Low-hanging fruit
Amadeus is officially called a Global Distributed System (GDS) and is one of three such systems that foster communication between airlines and various players in the travel industry.
They share deeply private information including birthdays, addresses, and sometimes passport numbers over this system.
But the core tech at work here first emerged in the 1960s.
Security researchers have repeatedly sounded the alarm in recent years that airline IT is struggling to cope with the demands of modernity.
For example, a 2016 study conducted by the Berlin-based Security Research Labs pointed out many of the flaws with the PNR system.
Among their many shortcomings, PNRs are vulnerable to the kind of brute-force attacks that Rotem used to harvest El Al’s passenger database.
The study also found: “Two of the three main GDSs assign booking codes sequentially, further shrinking the search space.”
“Finally, many GDS and airline websites allow trying many thousand booking codes from a single IP address.”
“Given only passengers’ last names, their booking codes can be found over the Internet with little effort.”
Even without hackers poking holes in the system, there’s a deeper, more systemic problem: the fact that PNR codes are printed on boarding passes and other travel documents.
#BoardingPass is a popular hashtag on Instagram, with a glut of photos uploaded every day that freely advertise PNRs and passenger barcodes.
This is relatively low-hanging fruit for anyone with a dastardly agenda, especially if they have a barcode-scanning app that could purloin sensitive information.
As Security Research Labs explained, obtaining a PNR, even on Instagram, enables a hacker to do any of the things that Rotem managed to accomplish.
Such security holes inspired hackers like Rotem and the folks at Security Research Labs to recommend adding Captchas and limiting retry attempts from a single IP address to hold back brute-force attacks.
The industry, so far, has not done so.
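The countermeasure the Security Research Labs study and Rotem both point to, limiting how many booking codes a single IP address may try, can be checked against a web server's own lookup logs. The script below is an added example, not code from the article, Amadeus or Security Research Labs: it parses constructed log lines of the form "timestamp ip booking_code result", keeps a sliding one-minute window per source address, blocks a client once it has queried more than ten distinct codes in that window, and separately flags any client whose lookups in the window are mostly misses, which is the signature a sweep of guessed or sequential codes leaves even before it hits the hard limit. The log format, the thresholds, the documentation-range IP addresses and the booking codes are all assumptions made for the example.

```python
"""Sliding-window rate limit and brute-force flagging for booking-code lookups.

Added example: the log format, thresholds and sample data are assumptions,
not Amadeus's or Security Research Labs' code.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_LOOKUPS = 10          # assumed: distinct booking codes one IP may query per window
MAX_FAILURE_RATIO = 0.5   # assumed: flag an IP once most of its lookups in the window miss


def parse_line(line):
    """Parse 'ISO-timestamp ip booking_code result' into a dict (format is assumed)."""
    ts, ip, code, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "code": code, "ok": result == "ok"}


class LookupMonitor:
    """Per-IP sliding window over recent booking-code lookups."""

    def __init__(self, window=WINDOW, max_lookups=MAX_LOOKUPS,
                 max_failure_ratio=MAX_FAILURE_RATIO):
        self.window = window
        self.max_lookups = max_lookups
        self.max_failure_ratio = max_failure_ratio
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, code, ok)
        self.flagged = set()               # IPs whose lookup pattern looks like a sweep

    def _evict(self, ip, now):
        """Drop events older than the window so only recent activity counts."""
        q = self.events[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, event):
        """Record one lookup; return True if the request should be served."""
        ip, now = event["ip"], event["ts"]
        self._evict(ip, now)
        q = self.events[ip]
        # A traveller re-checking their own booking repeats one code; a sweep
        # touches many distinct codes, so count distinct codes, not requests.
        distinct = {code for _, code, _ in q}
        distinct.add(event["code"])
        failures = sum(1 for _, _, ok in q if not ok) + (0 if event["ok"] else 1)
        total = len(q) + 1
        over_limit = len(distinct) > self.max_lookups
        mostly_misses = (total >= self.max_lookups
                         and failures / total > self.max_failure_ratio)
        if over_limit or mostly_misses:
            self.flagged.add(ip)
        q.append((now, event["code"], event["ok"]))
        return not over_limit


def replay(lines, **kwargs):
    """Run the monitor over log lines; return per-IP allowed/blocked counts and flagged IPs."""
    monitor = LookupMonitor(**kwargs)
    allowed, blocked = defaultdict(int), defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if monitor.observe(event):
            allowed[event["ip"]] += 1
        else:
            blocked[event["ip"]] += 1
    return dict(allowed), dict(blocked), monitor.flagged


def build_sample_log():
    """Constructed log: one traveller checking their own booking twice, and one
    client walking sequential codes two seconds apart, the cheap pattern the
    study says sequential assignment invites. Addresses are documentation ranges."""
    base = datetime(2019, 1, 16, 10, 0, 0)
    lines = [f"{base.isoformat()} 198.51.100.5 QX7R2M ok"]
    for i in range(25):
        t = base + timedelta(seconds=2 * i)
        result = "ok" if i == 12 else "notfound"   # one lucky hit among the misses
        lines.append(f"{t.isoformat()} 203.0.113.7 AB{1000 + i:04d} {result}")
    lines.append(f"{(base + timedelta(seconds=90)).isoformat()} 198.51.100.5 QX7R2M ok")
    return lines


if __name__ == "__main__":
    allowed, blocked, flagged = replay(build_sample_log())
    print("allowed:", allowed)
    print("blocked:", blocked)
    print("flagged:", sorted(flagged))
```

Counting distinct codes rather than raw requests is what keeps the legitimate traveller, who refreshes the same booking, from tripping the limit, while the sweeping client is cut off after its tenth distinct code and flagged earlier still because almost every lookup in its window fails. A CAPTCHA step, the other mitigation the researchers recommend, would slot in at the point where observe() returns False.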
What we don’t know
Any weakness that could affect “tens of millions of travellers,” as the blog post states, sounds dire.
But how worried should you be about a security flaw that’s seemingly hardwired into the greater travel industry?
“If you’d asked me two years ago, I’d have said that airlines were certainly lagging in their informational security apparatus,” says Scott Keyes, who runs the website Scott’s Cheap Flights.
But that’s changed in the last couple of years because of a focus on investing in security systems, he says.
Another airline industry analyst, Brett Snyder, points out that airlines rely on a multitude of services to manage their business, many of which are separate from GDS.
He says IT is stronger than it used to be: “Overall, the airlines have started to put a bunch of money into IT and that’s going to pay dividends, but there have been years of underinvestment due to chronic financial problems.”
“So there’s a lot of catching up that needs to be done overall.”
Indeed, Amadeus did fess up to the glitch, writing in a statement that “we have added a Recovery PTR to prevent a malicious user from accessing travellers’ personal information.”
Bogged down in bureaucracy
In its statement to TechCrunch, Amadeus said its systems are subject to approval from the International Air Transport Association (IATA), an industry group.
Because the company “relies on IATA standards that were introduced to improve efficiency and customer service on a global scale,” it argues that fixing the shortcomings with PNR will ultimately require changing industry-wide standards.
One might chalk that up to a deflection of blame, though it’s clear that the problem is more complicated than instituting a simple fix in Amadeus’s source code.
It hinges on a multilayered approach to digital security and IT infrastructure, which is something that airlines have historically let languish.
Maybe now it’s time for that to change.
* Sam Blum is an Associate Editor at Popular Mechanics. He tweets at @Blumnessmonster.
This article first appeared at www.popularmechanics.com.