Transportation Security

Hacker Holds Key To Free Flights 144

Posted by Soulskill
from the TSA-bans-cell-phones-and-sitting-down-in-response dept.
mask.of.sanity writes: "A security researcher says he has developed a method to score free flights across Europe by generating fake boarding passes designed for Apple's Passbook app. The 18-year-old computer science undergrad didn't reveal the 'bypass' which gets the holder of the fraudulent ticket past the last scanner and onto the jetway; he's saving that for his talk at Hack in the Box in Amsterdam next month."

  • Okay, but... (Score:5, Insightful)

    by broginator (1955750) on Friday April 04, 2014 @08:52AM (#46659923)
    ... how do you deal with the inevitable "Hey, you're in my seat" dilemma?
    • Re:Okay, but... (Score:4, Interesting)

      by Overzeetop (214511) on Friday April 04, 2014 @08:56AM (#46659961) Journal

      "Oh, I'm sorry - I must have grabbed the wrong row."
      "Oh, I'm sorry - they said my seat assignment was provisional because I arrived so late, I'll find another one"

      Board near the end of the boarding time and take a free center seat near the back - unless the plane is 100% full, you're golden.

      • Re:Okay, but... (Score:5, Informative)

        by wonkey_monkey (2592601) on Friday April 04, 2014 @09:03AM (#46660011) Homepage

        Board near the end of the boarding time and take a free center seat near the back - unless the plane is 100% full, you're golden.

        Except for the annoying habit flight attendants have of counting the number of passengers.

        • Go sit in the bathroom until after they count?
          • Go sit in the bathroom until after they count?

            But don't close the door, else they count the occupied booth.

          • by bondsbw (888959)

            Don't they check bathrooms?

            If they don't... maybe they should.

            • by Fritzed (634646)
              Bathrooms are generally "locked" prior to take-off. But the "lock" is really not a security mechanism and anyone that has paid attention to the procedures when your flight hits 10,000 feet would know how to open them anyway. So, if you're stealthy enough, you could unlock the bathroom and duck in. It wouldn't be checked until somebody went to get in the bathroom after the flight hits 10,000 feet.
        • by N1AK (864906)
          Not in my last 6 flights they haven't, at least not without trying to be incredibly covert about it which I seriously doubt. All these flights were within Europe or SE Asia, I don't know if head counts are more common in other regions.
          • Re:Okay, but... (Score:4, Interesting)

            by Zontar_Thing_From_Ve (949321) on Friday April 04, 2014 @10:14AM (#46660509)

            Not in my last 6 flights they haven't, at least not without trying to be incredibly covert about it which I seriously doubt. All these flights were within Europe or SE Asia, I don't know if head counts are more common in other regions.

            Within the US they definitely count the passengers. I flew between Canada and Asia last year and I don't remember if they counted or not, but on flights within the USA they definitely do count. There was a rather embarrassing incident where a minor without a ticket of any kind got on a plane in the US and nobody ever did anything to make sure he was in the right place or even had a ticket for the flight. I think now all the airlines want to make sure that kind of thing never happens again, because if a kid can do it, an adult with bad intentions may be able to do it too.

          • Didn't they check that everyone had their seatbelts on, their seats in an upright position, their belongings stowed in the overhead locker and had switched off all electronic devices?

          • by plopez (54068)

            Know the capacity of the aircraft. Count number of empty seats, a much easier task. Passengers=total seats-empty seats. It sounds like you would flunk a flight attendant interview....

            • by Obfuscant (592200)

              Count number of empty seats, a much easier task. Passengers=total seats-empty seats.

              And you'd totally miss lap kids.

          • by BitZtream (692029)

            It's easy to be covert on nearly full flights, you just walk the plane and count empty seats, basic math gives you filled seats.

          • by Mashiki (184564)

            They count in Canada as well. Last time I flew (Dec last year), they deboarded the plane when I was in Calgary, and went through reboarding because there were more people on, than went through the entry kiosk.

        • by Chelloveck (14643)

          Board near the end of the boarding time and take a free center seat near the back - unless the plane is 100% full, you're golden.

          An empty seat? What's that? I don't fly a lot, but whenever I do they're bumping people because the flight's been so horribly overbooked.

          • by kyrsjo (2420192)

            Quite common if you're not picking the most popular flights. Tickets are usually cheaper as well.

            Got my own 3-seater many times that way, raise the armrests and it's a quick flight to dreamland :)

        • by dbIII (701233)
          And the even more annoying habit of flights being overbooked in the hope that someone will cancel.
        • by Wootery (1087023)

          Ah yes, the flight manifest [wikipedia.org].

      • Re: (Score:2, Funny)

        by Anonymous Coward

        "Oh, I'm sorry - I must have grabbed the wrong row."
        "Sir, let me confirm your name with the flight manifest."
        "Oh, I...um..."
        (radios for security, man goes to prison under terrorism charges)

        • by Firethorn (177587)

          Terrorism, theft of services, impersonation of a law enforcement officer, impersonation of a federal official, I figure they can find a few more.

      • by RenderSeven (938535) on Friday April 04, 2014 @10:38AM (#46660735)
        Just whisper to them "I'm the Sky Marshal watching that passenger over there. For everyone's safety find another seat and tell NO ONE." For bonus points, tap your non-existent shoulder holster under your sport coat.
        • by kyrsjo (2420192)

          Do sky marshals actually carry guns onto planes, loaded, in the passenger compartment?

          • Yep. Or at least the ones I know do.
          • Yes, they are armed. That is their purpose - to be a last line of defense for major threats and to be an early-responder to unruly passenger scenarios.

            They are also well trained.
        • by CKW (409971)

          And then she goes to tell the real sky marshal that there is someone back there claiming to be in possession of a gun, and suddenly you're looking down the barrel of a real gun. Don't make any sudden moves!

          (All flight staff are introduced to the marshal in person prior to the flight.)

          • by kyrsjo (2420192)

            I wonder how the flight staff reacts when a passenger walks up to them and quietly tells that the guy sitting next to them is carrying a gun on the plane...

          • I was under the impression sometimes a second marshal may fly on a flight without notifying staff.
    • by Anonymous Coward

      That wouldn't be an issue on an airline like Southwest.

    • by Kookus (653170)

      get on the plane last...

    • Fly Southwest.

    • by pjt33 (739471)

      I don't think you're familiar with European budget airlines. You can choose your seat when booking if you're willing to pay extra. Maybe a dozen people per flight have reserved seats, and the rest work on the basis of first come, first served.

      • by kyrsjo (2420192)

        Usually you get a seat assigned when you check in. You can often ask for a specific seat (for no extra charge) then also - but of course you won't get first pick.

        • by pjt33 (739471)

          Interesting. Which airlines do you fly with? I mainly fly Ryanair or EasyJet, and they don't assign seats unless you pay. (I'm not sure, but I half suspect it's a ploy to make people get to the gate early so that they can be at the front of the queue). It's a while since I flew Air Nostrum, so I can't remember how they do it.

          • by kyrsjo (2420192)

            Most of the time it's Norwegian out of Oslo, but I also fly Lufthansa/SAS quite a bit, and occasionally KLM. The "premium" airlines are often actually cheaper than the "low cost" ones, you just have to spend 30 minutes comparing prices - expedia is great for this (but not necessarily book through them, the airlines are easier to deal with for changes etc. if you go through their system).

            On the self-check-in machines for Norwegian, you can pick your seat, but of course you get 2nd pick after whoever paid

      • I don't think you're familiar with European budget airlines. You can choose your seat when booking if you're willing to pay extra. Maybe a dozen people per flight have reserved seats, and the rest work on the basis of first come, first served.

        Sure, but they will always check if there's an extra passenger on board, because else they may run out of fuel.

        • An extra 150lbs won't make a difference. Besides, they always have extra fuel just in case the plane has to fly some extra time in case of traffic

    • by mpe (36238)
      how do you deal with the inevitable "Hey, you're in my seat" dilemma?

      Not all airlines assign specific seats to specific passengers. Some even charge for specific seats.
      A more obvious question would be if the crews do a "head count" or not.
      Wonder if the article should have said "Schengen Area" rather than EU.
  • by Anonymous Coward
    Got to pick your flight carefully if you don't want to end up sitting on someone's lap (or vice versa).
  • by bunyip (17018) on Friday April 04, 2014 @08:59AM (#46659985)

    You might get lucky and get an empty seat. Hint - pick a center seat in the last few rows, these seats suck. However, if you fly into the US or many other countries, they will have received a passenger manifest electronically from the airline. You'll have fun when you get to customs and there's no record of you...

  • Another possible attack vector for terrorists. Unwittingly this guy is now going to make it a living nightmare for people flying around Europe for exposing this security flaw. Prepare for the requisite knee-jerk response from the EU and the US.

    • I'd be more concerned about lax security allowing travel using stolen passports.

      e.g. the two Iranian passengers on the missing Malaysian aircraft, travelling on euro passports stolen a year earlier.

  • You need to do this in two steps

    1) Knowing the name of someone on the flight, get a copy of their boarding pass at one of the omnipresent selfcheckin kiosks in the terminal. This might be a bit tricky, perhaps shoulder surfing or social engineering? Even trash can rummaging (since people often get a new boarding pass when they check bags, etc.).
    That gets you the seat assignment on the plane, and past the scanner.

    2) Bogus boarding pass that matches your ID so you can get past the security checkpoint (the l

  • by Anonymous Coward on Friday April 04, 2014 @09:11AM (#46660081)

    Whoa, talk about floating yourself relative to your original position! If the flight is full can I just sit aligned in the center?

  • He said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database", but wouldn't be drawn on whether he tested his research by boarding a flight.

    • by pla (258480)
      So you mean, he didn't admit to a variety of felonies in public?

      Shocking.
  • Hacker Holds Key To Free Flights

    Until you count the risk-weighted cost of getting arrested for fraud.

  • by ugen (93902) on Friday April 04, 2014 @09:33AM (#46660235)

    Seat maps are now available online realtime for most major airlines. So there is no need to guess - you can pick a right flight and an empty seat, do it right before the departure and it will likely remain empty.

    On the other hand, my impression of gate check was that it checks boarding pass against database record of name/reservation/seat assignment. Certainly any other information maintained by gate agents is in the same remote database (such that any changes they perform at the gate become instantly visible online, for example standby and upgrade list status). So, no matter what the "local hack" is, it would only work if either:
    - He can also hack remote passenger database (unlikely)
    - Specific airline does not check passengers against the database and trusts properly constructed boarding pass (also unlikely, at least in US, as there needs to be positive match between passenger and loaded luggage that has to be performed based on that darn remote record).

    There is also pesky passenger manifest with names, which again comes not from your boarding pass but from the remote system (though they need to reconcile with reality).

    Let's wait and see. Perhaps some of these conditions don't hold in Europe for whatever reason?

    • by kuiken (115647)

      On the budget airlines there are no seat assignments, you can pay extra to get in the first queue. Once the gate opens it's a dash for the 'best' seats

    • by TheCarp (96830)

      > Let's wait and see. Perhaps some of these conditions don't hold in Europe for whatever reason?

      You mean like it is all a bunch of unnecessary hoopla that costs way more than it's worth for the nearly non-existent problems it solves?

      • by ugen (93902)

        Which one? Knowing what passenger is in what seat? I dunno, airlines don't do much of anything if it costs extra. Remember the peanuts?

  • This might work fine, but if it didn't work you would probably get arrested, get put on a blacklist and, if it was really your day, get close attention from the likes of the French DGI. There is nothing like a week of interrogation to spice up your vacation.

  • For hackers with balls, try that on Air Force One.

    "Hey, Mr. President, this is my seat!"

  • Who the hell would accept a digital image of a boarding pass? I could make a fake one so easily and just imitate the app. Or I could snap a shot of someone else's pass and then swap out the info. What airport in the world would possibly accept something so unbelievably unreliable?
    • by Teun (17872)
      Uhhh, all airlines I fly with and at virtually all airports accept a digital boarding pass.

      You need to check in on-line, less than 24 hrs. before the flight and in return you get a mail with a QR code.
      At the airport you just show your phone displaying the code, both at immigration, at security and at boarding.

      Also realise there is no Immigration between the EU Schengen countries.

    • Who the hell would accept a digital image of a boarding pass?

      Err, everyone, on every flight I've taken in the last few years (which admittedly isn't many). A QR code in an email sent to my phone is my boarding pass. A scanner reads it, presumably displays my details to the security guy, and he checks my ID.

      I could make a fake one so easily and just imitate the app.

      Off you go then.

      It's not like someone scrawled "Boerd!ng Pars" on the back of an envelope with a crayon.

    • by MrMickS (568778)

      I've not taken a flight in the last couple of years, between a number of European countries, that I've not used a QR code on my phone as the boarding pass. Given that it's a QR code even if you take a snapshot of someone else's how are you going to know what details to swap out? The other information there is for the user only, it's not used by the scanner.

  • Bullshit (Score:5, Informative)

    by aepervius (535155) on Friday April 04, 2014 @11:11AM (#46661039)
    All the CKI systems I know of count the pax boarded against the pax list in the CKI system. If they find a discrepancy, they check the one in addition and ask to check the ticket. Good luck explaining yourself.

    The bottom line was that the secure (relatively) thing is not the boarding pass but the ticket. Now if you could free ticket I would be downright impressed. Free boarding passes have long been known to be insecure. They are not there to be secure but to count boarded pax on the system against real boarded on plane, to be able to remove the ones which are no-shows and remove their baggage.
    • by aepervius (535155) on Friday April 04, 2014 @11:17AM (#46661107)
      "He said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database", but wouldn't be drawn on whether he tested his research by boarding a flight."

      To that I have to say only "yeah, right" as in very sarcastic. Some airlines in Europe have spearheaded the interline and ground handling electronic exchange between TKT and CKI systems (using EDIFACT messages TKCREQ, TKCUAC, TKCRES) since.... 2001. Even the medium airlines are using the interline access. Only very, very small airlines are still using offline processes like ETL list.

      That "security" researcher never checked his results in real life.
    • Well that's a problem, then. All you need to get past security is a boarding pass. If it's that insecure, then the lines I spend an hour in are worthless because they don't really stop anyone from getting in to the gates, except my family who wants to send me off. Those lines are also worthless for quite a few other reasons.
    • by hweimer (709734)

      Now if you could free ticket I would be downright impressed.

      Free ticket is easy. Just buy a ticket online and use someone else's bank account data (which should work in most of Europe via SEPA direct debit). Bank account data is widely available on the web, as this is generally not thought to be highly sensitive information. If you do it shortly before the flight, the account holder will most likely not notice what's going on to have the ticket cancelled in time.

      For bonus points, you can get the ticket issued under a pseudonym and alter the boarding pass to match you

  • Permanent DNF (Score:2, Insightful)

    by wiredlogic (135348)

    This kid is asking to be put on a permanent Do Not Fly list. Emperors don't like peons who point out their absence of clothes.

  • I guess if he doesn't make the talk then the hack didn't work!
  • next month if he's not in lockup by then and even then he may make the no fly list.
