
Hacker shows how easy it is to sneak into a VIP airport lounge with a QR generator

Frequent flyer lounge security can be outplayed with a spoofed boarding pass made from a simple JavaScript app


When you fly 50 to 80 times a year like Przemek Jaroszewski, head of Poland’s Computer Emergency Response Team, frequent flyer lounges are no longer a luxury solely reserved for the one percent, but an expectation. When his gold status was mistakenly rejected by an automated boarding pass reader at a lounge in his home airport in Warsaw, Jaroszewski decided to apply his cybersecurity background to the task and hack his way in. He quickly wrote up an Android program and generated a QR code under the pseudonym “Bartholomew Simpson,” a business-class traveler on a departing flight, and was promptly let in.

The exploit, which Jaroszewski demonstrated on Sunday, August 7th at the annual Defcon security conference in Las Vegas, resides in a simple 600-line JavaScript program that generates a fake QR code to spoof a boarding pass with any name, flight number, destination, and class. After testing out the app in the wild, Jaroszewski observed that nearly none of the airline lounges compare the generated details against the actual ticket information from the airline’s database; the only verified detail is whether or not the flight number included in the QR code actually exists. It’s a glaring loophole that grants access to exclusive airline lounges and duty-free shopping without the added cost of an international ticket.

Jaroszewski’s not the first person to dupe boarding passes; cryptographer Bruce Schneier documented a separate technique back in 2003. Later, in 2006, privacy activist Chris Soghoian even created a website that generated fake passes with the click of the mouse, an action that placed him under investigation by the FBI. Unlike his predecessors, Jaroszewski has refrained from sharing the app; instead, he just wants to emphasize that nearly the same boarding pass security issues persist even a decade later. In fact, airlines’ use of automated QR-code readers has made exploitation even easier.

“Literally, it takes 10 seconds to create a boarding pass” on a smartphone, says Jaroszewski. “And it doesn’t even have to look legit because you’re not in contact with any humans.”

Fortunately, the trick poses no actual security threat, as travelers must still pass through a number of physical security checkpoints where the ticket and passport are substantiated by human beings. The real utility lies in accessing hip and otherwise unreachable airport lounges, not illegally boarding an airplane.

Jaroszewski confesses that he’s never actually exploited the authentication of airport lounges he didn’t already have the right to access, or bought duty-free goods when he wasn’t traveling abroad, as both actions may be illegal. What’s more, fake QR codes might not actually work in American airports, something he hasn’t tried for himself, as they’re known to sometimes use improved boarding pass authentication systems in the lounges.

 Source: Wired and Boingboing.net
