2 weeks ago

How Hackers Use Hidden Data on Airline Boarding Passes to Hack Flights « Null Byte :: WonderHowTo

Millions of travelers pass through airports each day without understanding how powerful in addition to insecure a boarding pass can be. Anyone can scan the boarding pass barcode which has a mobile app, allowing access to frequent-flyer accounts in addition to even a passenger’s temporary airline account. In This kind of guide, we will explore how hackers scan in addition to decode the information contained in a boarding pass barcode in addition to why.

The average airline boarding pass contains a wealth of information of which a hacker could potentially take advantage of in two primary ways. How they take advantage of the idea mostly depends on whether the target includes a frequent-flyer account or not.

Airlines have two types of accounts. One will be temporary in addition to will be created when you buy a ticket of which isn’t affiliated with an airline miles program, such as when you use Google Flights or Expedia. The different type will be a permanent account, which often comes from the form of a frequent-flyer program.

Don’t Miss: How to Track ADS-B Equipped Aircraft on Your Smartphone

You might think of which just not having a frequent-flyer account could keep you coming from being compromised, although when you don’t, your miles are up for grabs. Hackers can use information gleaned coming from any boarding passes not connected which has a frequent-flyer program to go to the airline’s website in addition to claim the victim’s miles for themselves. By walking through an airport in addition to photographing boarding passes, an attacker could earn thousands upon thousands of rewards miles, which can be used for free flights in addition to upgrades to a paid flight.

Those passengers of which do have frequent-flyer accounts could have their accounts compromised. Access to these accounts could give the attacker the ability to view passport information, change passwords, in addition to even cancel future flights.

With the temporary account, an attacker could only cancel the fight or legs of the trip of which are on the boarding pass of which was scanned. With access to the frequent-flyer account, they can cancel different flights of which are months away in addition to not associated with the current trip.

We’ll be looking at how a hacker would certainly acquire a target’s boarding information.

Step 1: Find a Boarding Pass

The first step will be finding a boarding pass to scan. Specifically, the hacker needs a clear image of a PDF417 barcode on a boarding pass to scan the idea in addition to capture the information on the idea. You might think you need to head to an airport to find some boarding passes, although in reality, social media will be full of them.

Method 1: Use Social Media

Head to Instagram in addition to search #boardingpass to find a plethora of images. When I conducted my search, the idea yielded approximately 95K results. Obviously, not every single one of those will be going to be a scannable boarding pass, in addition to some will contain boarding passes of which aren’t all of which scannable or readable because they are at odd angles or blurry.

the idea’s mind-boggling the amount of personal information This kind of represents encoded in boarding passes in addition to how blasé people are about sharing the idea.

Method 2: Use Google Images

Another amazing resource will be Google image search. Below, you can see the image of a boarding pass of which I found during my search where the photographer attempted to obfuscate what they deemed important information. However, they left the barcode revealed, which I blacked out before posting the image below. The rest of the results are low enough resolution as to be unscannable.

Using of which barcode, I was able to reveal all of the information the photographer had attempted to obscure, plus even more information of which isn’t on the pass in plain text. This kind of demonstrates people’s misunderstanding of how a boarding pass fundamentally works in addition to will be the reason I’m writing This kind of article.

Out from the real world, a bounty of codes can be found at an airport. Methods for finding them range coming from techniques of which are very suspicious to methods indistinguishable coming from normal airport behavior.

Method 3: Find the idea in Real Life

The first in addition to least suspicious tactic would certainly simply be walking around the airport recording video. A high-quality video camera or DSLR — or even a modern smartphone — can record in HD without standing out. A hacker could walk around the airport recording, capturing people with boarding passes in hand waiting to board or just outside TSA screening. Once done, the hacker could search the video frame by frame for boarding pass QR codes — a process of which could grow tedious.

A hacker could employ social engineering to come up which has a reason to take pictures of people’s boarding passes. Perhaps they could pretend to be a videographer wanting to make a time-lapse of the flight attendant scanning all the boarding passes or a photographer doing a portrait series of various families in addition to where they’re traveling to. Either way, This kind of will be naturally more suspicious than the passive video technique, yet could potentially be more useful if the hacker was attempting a targeted attack on the particular individual or wanted a less tedious approach than scanning videos.

The most suspicious tactic would certainly be to attempt to come into physical possession of the boarding pass by digging through trash cans or asking people for their old boarding passes after a flight. of which’s pretty unnecessary, though, since all they need will be the image of the barcode, not the actual pass.

Step 2: Scan the Boarding Pass Barcode

There are two ways a hacker can scan a boarding pass. The first will be to use a free mobile application on a smartphone, while the second uses a web-based tool to accomplish the same function. While I’ll teach you to use both, the web-based interface has more functionality in addition to tends to work better.

Method 1: Use a Mobile Application

Once someone includes a clear image of your boarding pass barcode, the idea’s a simple matter to scan the idea. There are a variety of ways to approach This kind of. Of course, if you wanted to get into the nitty-gritty code side of scanning barcodes, a not bad place to get started off would certainly be BarcodeSanner on GitHub. the idea could be implemented into a program of which scans video for these barcodes, such as from the example we discussed above.

With physical access to the boarding pass, any number of free QR in addition to barcode scanner apps coming from the Google Play Store or iOS App Store make the idea super simple to scan barcodes. For our example, we used Lightning QRcode Scanner. Open the app, in addition to then give the idea permission to use your camera. Point the phone at the barcode on the boarding pass to scan the barcode. The app will spit out a long string of formatted text, looking something like the image below.

Don’t Miss: The 7 Best completely new Camera Features in iOS 11 for iPhone

Method 2: Use a Web Tool

Additionally, a web tool such as Free Online Barcode Reader by Inlite can be used. the idea would certainly most likely be used if the hacker were doing the internet scavenging technique we first talked about. They would certainly only need to download the image, then re-upload the idea to the website to see the encoded data.

Upon a successful scan, a string of data should appear. At first, This kind of might look like gibberish. What does “M1LEOPOLD/EMR EZQ7o92 GVALHRBA 00723319C002F00009100” even mean? from the next step, we will look at how precisely This kind of can be decoded to glean valuable information.

Because the Inlite tool will be the only one of which I know every reader will have access to, let’s quickly cover how to use the idea. Begin by selecting the barcode type. of which will be most likely going to be PDF417 from the case of a physical boarding pass or QR code if the idea’s coming from a smartphone.

The web tool allows you to select multiple types simultaneously. After of which, click “Choose File” in addition to select the image. Make sure the idea’s in one of the acceptable formats. Most cameras use JPEG, so they should be fine just for This kind of. Lastly, click “Read” to attempt to read the selected barcode.

Below will be what a successful read looks like. This kind of tool will be quite not bad in addition to has worked on some images of which different apps struggled with.

Step 3: Decode the Boarding Pass

The International Air Transport Association (IATA) will be the international body of which creates guidelines in addition to standardization for the airline industry. Naturally, they’re the ones of which created the current boarding pass standardization (Bar Coded Boarding Pass Implementation Guide) of which hackers can take advantage of.

The guide below denotes what each character from the string of data contained within the barcode means. There will be quite a lot of information of which can potentially be stored from the 30 fields. However, the most interesting to us will be the first block, the mandatory items, as This kind of contains all of the identifying information such as passenger name in addition to flight information.

If you look closely at the mandatory items, you’ll notice of which there’s no integrity check on the data required. of which means there will be no way to check if the information has been changed since the idea was printed. As if of which wasn’t bad enough, the authentication for the boarding pass will be not listed as a mandatory item, which means This kind of will be commonly not used in addition to also represents a gaping security flaw. In practical terms, This kind of means an attacker could essentially insert false information into the data string, generate a completely new barcode, in addition to still have a valid boarding pass. We’ll look at This kind of in greater detail in a future article.

currently, let’s take an example of a British Airways flight in addition to see what information we can parse coming from the idea. Let’s use of which string of gibberish coming from before.


Looking at the chart above, we can see the field size allocated for each element. The first two are an individual character each, which tells us of which the form code will be “M” in addition to the flight will be “1” leg. After of which, there will be room for a last in addition to first name 19 characters in length. the idea would certainly be 20, although one will be used for a backslash separating the first in addition to last name. If the first in addition to last name exceeds 19 characters in length, the idea’s truncated to save space.

Here you can see the name will be Emr Leopold. Following of which will be “EZQ7092”, which will be the passenger name record (PNR) code, also referred to as the booking reference. This kind of will be one of the most valuable pieces of information on the boarding pass.

Don’t Miss: How To Hack Any Account of which Has Recovery via Phone Option Enabled (SMS) On Android

This kind of PNR code will be a temporary password used often in conjunction with the passenger’s last name, although This kind of can vary coming from airline to airline. Because of way code-sharing agreements between airlines work, This kind of PNR code can be used to gain access to a target’s frequent-flyer account, which we will look at from the next step.

After the PNR code will be the departing in addition to arriving airport, followed by the air carrier. In This kind of example, we have “GVALHRBA” which would certainly translate as Geneva (GVA) to London Heathrow (LHR) via British Airways (BA). Each of these codes will be easy to search for on Google if you don’t already know them. A full list of all the airport codes will be also publically available.

In a real-world boarding pass, there would certainly be substantially more information for us to read. As you can imagine, the idea would certainly become very tedious to parse the idea all by hand, which will be why a hacker would certainly likely make a simple Python script to do so, such as the IATA-Parser on GitHub.

Step 4: Gain Access to a Target’s Account

The last step for a hacker will be to input the data on an airlines website to log into the user’s account. The precise steps vary coming from airline to airline, although the general technique will be the same.

For example, looking at the pass we just decoded, the hacker would certainly go to the British Airways website. There they would certainly navigate to “Manage My Booking” in addition to input the PNR “EZQ7092” as the booking reference in addition to “Leopold” for the name. Then they would certainly have access to the temporary account with all the same power to make modifications as the legitimate owner.

How to Defend Your Boarding Pass Data

There are numerous simple steps you can take to protect your boarding pass in addition to the information the idea contains. The first thing you can do, if you are fairly confident from the security of your smartphone, will be check in online in addition to use your smartphone as your boarding pass. This kind of prevents anyone coming from seeing the physical boarding pass, as you don’t have one, although you will still need to protect the scannable code.

If you do need to carry around a physical boarding pass, be sure to keep the idea tucked away when not in use. Additionally, fold the idea with the back facing out to ensure the barcode can’t be readily seen. Lastly, don’t ever throw your boarding passes from the trash. They should be safely disposed of by shredding.

the idea goes almost without saying, never post photos of your boarding passes online in addition to most definitely don’t tag them as such. This kind of will be particularly true before a flight, as an attacker could cancel your flight without you knowing.

Most of the information a boarding pass contains within the barcode will be harmless when taken by itself. However, when one takes into account of which This kind of information can be used to gain access to airline accounts, the idea becomes much more dangerous. While the idea’s unlikely of which a random hacker would certainly go around canceling your future flights, the idea’s never a not bad idea to leave your boarding pass security up to the goodwill of hackers.

A more likely threat will be a hacker going around claiming unclaimed miles, so remember to sign up for your frequent-flyer programs to prevent This kind of. While doing so, be careful what information you give out, just in case your account will be compromised.

If you found This kind of interesting, Przemek Jaroszewski reviewed some completely new tools of which make hacking boarding passes easier than ever at Defcon 24 in August of 2016. You can check out the Defcon talk below if you have an hour free to watch. I highly recommend the idea. He discusses how the boarding pass information will be created, encoded, in addition to validated, then explains how easy the idea will be to craft your own boarding pass.

Thanks for reading! If you have any questions, you can ask me here or on Twitter @The_Hoid.

Cover image by mroach/Flickr; Screenshots by Hoid/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

fifteen − twelve =