Flight data belonging to millions of airline passengers in Europe could be accessed due to online security gaps.
Getting into an airplane without paying for the ticket: What IT security researchers have now found could become a big problem for airlines.
By Peter Onneken and Hakan Tanriverdi
It takes a few minutes, then Karsten Nohl is satisfied. In front of him a computer spits every second. It is a six-digit sequence of numbers and letters, which has an arbitrary effect on the observer. But then the machine gives a low sound. The calculator scored a goal. “Berlin-Frankfurt, Friday at 11.45 am,” says Nohl. He clicks through the flight offer of the Lufthansa website, until he finds a time that fits him into the calendar. “We’re just going to book it,” he says. “I’ll change the e-mail address for a while, so no one gets anything.”
Nohl can print out the ticket. He can check in online, go to the airport and board the plane. Within Europe, in the Schengen area, nobody will ask for his passport. Nobody will know that he has paid for the ticket a penny. Instead, he hacked and changed the air ticket of another person by hacker attack; Directly on the servers of the airline. Nohl flies one day earlier than the person who paid the ticket. The email address has been changed, so the probability is large that the person does not know about it.
The manipulation is simple, but also illegal
Nohl is the founder and CEO of Security Research Labs (SR Labs). What he demonstrates to the WDR and the Süddeutsche Zeitung is an attack. Responding to his severity, he says, “Everyone is going to get it.” If you have computer skills, you will be able to use it. It is simple, but also illegal. For the demonstration, Nohl manipulated a ticket from the reporter.
The weak spot, which Nohl and his employees were aware of, is at the same time a buying process, which customers should feel comfortable: the tickets come via the six-digit booking code. “Booking systems lack a security feature that we know from all other computer systems, namely the password,” says Nohl. As soon as passengers have booked a flight, they are notified of this six-digit combination. If the booking is to be changed later, for example, a hire car is added, passengers do not have to enter a password at any point. They identify themselves with their name and this code. This is unquestionably comfortable, but also has a drawback: Just as the system is rebuilt, modern computers can guess the combination within minutes.
Booking systems have an important function. They connect (online) travel agencies with airlines and these in turn with the passengers. Prices and availabilities are coordinated in Europe mainly through the system of the company Amadeus. A system that many providers have access to. Lufthansa is also using Air Berlin as well. It is a business that is worthwhile. The profit of the company amounted to 752 million euro in the year 2015. In 1987 the airline Lufthansa, Air France, Iberia and SAS founded this provider. Five years later began a “new era,” as Amadeus writes. Passenger name records (PNRs) have been introduced, records that occur during a flight booking, such as name, telephone and frequent flyer number, credit card data, and information about fellow travelers.
Amadeus advertises that their systems served a total of 747 million passengers in 2015 (for example, this figure also includes train travel). According to Nohl, who has analyzed the system for several weeks, Amadeus allocates one to two million booking codes per day for air passengers. “And we know almost exactly which numbers are because they are forgiven forever.” In order for the hacker attack to take place, SR Labs IT security researchers must have two pieces of information: the name of the person to be removed from the ticket, and the booking period.
Source: Sueddeutsche Zeitung
Original Source: SR Labs