DEFCON 24: "How to take the best seats in the security theater, or hack boarding passes for fun and profit"

My name is Przemek Jaroszewski. I lead the current threat analysis team at CERT Polska, the Polish national CSIRT, which is part of the research and academic computer network. I programmed for more than 10 years, but that was a long time ago. I have 15 years of experience in IT security, I hold a master's degree in social psychology and I am versed in social engineering. I also love everything related to flying. You could say there is an unfulfilled air traffic controller inside me. I like to study how the passenger air transport support system works and what happens on the invisible side of this process.

I fly often, both privately and for work, so I enjoy the benefits of a frequent flyer. Miles matter to a frequent flyer because they bring discounts and status. I use privileges such as the lounge and fast track, the quick passage through security without queues. They save a lot of time and make the stay at the airport comfortable, unless someone tries to fix something that does not need fixing, after which these privileges stop working.

Last year, automatic self-service gates were installed at the airport in my native Warsaw, designed to speed up passing security control. Instead of waving your boarding pass in front of the officer, you just scan your ticket and the gate lets you through. The problem was that my fast-track entitlement was not read correctly by the scanner: it assumed that fast track is a privilege only for business class passengers, and I prefer flying economy. I use fast track only because I have "golden" status. This gate granted fast track only to passengers with business class tickets, and the scanner could not read my status correctly.

So I still had to find someone from the airport staff, who came to the gate with me and scanned my ticket two or three times, which is completely unproductive. Instead of saving time, I lost a few minutes.

Let's see if I can fix this problem. Let me explain what will actually be discussed. A boarding pass is a piece of paper with a barcode printed on it. This code was approved in 2005 by resolution No. 792 of IATA, the International Air Transport Association. According to this resolution, all passenger air transport processes must use such a barcode, and the code can be of four types.

If you have a paper boarding pass, it carries a PDF417 barcode in the triangle; if you use an electronic ticket on your mobile device, there must be a two-dimensional barcode such as QR, Aztec or DataMatrix.

To make my task easier, I found a barcode-reading mobile application on Google Play; there are several dozen of them. I like Barcode Scanner from Geeks.Lab most, but you can use any you like. So you get a tool that helps you read what is written in the barcode.

So, the barcode on the ticket is encoded in the BCBP standard and, decoded, looks like the one shown on the slide. It is a group of numbers, symbols and letters.

Since the scanner does not read my status correctly, I have to find where the class is indicated here. For that I need a second tool, a barcode generator, of which there are also plenty in the Google mobile app store.

With it, I found the letter that defines the class, and which the gate misinterprets: the letter M.
The remaining data describes the passenger's last name, departure and arrival airports, and flight number. Let's see if I can change this letter M (economy class) to C (business class). I managed to do this without problems, so now I can save half a minute on each pass through the gate, since the scanner now sees the fast-track entitlement.

By changing the barcode in this way on their own ticket, any passenger can take advantage of business class privileges for free.

Then I wondered what else can be changed here. For example, the first and last name; this, too, I managed easily. The only thing that cannot easily be changed is the reservation code, because it is linked to the reservation system and must match your boarding pass.

That is, it tells the system whether you are actually travelling and whether you have a reservation. I thought about how to change this data, and got a little carried away. I found out that instead of free fast track for everyone, you can generally give everyone free access to the airport.

Let me explain what I mean. My experience is with Warsaw Airport; in the USA the system is slightly different. But what I will tell you applies to any airport, regardless of its location. This is not just access to fast track, it is access to all airport services. It surprises me that out of the millions of passengers visiting airports every day, no one has come up with this.

Let me remind you of the facts known to everyone, some of which took place even before the widespread introduction of barcodes on tickets:

  • In 2003, Bruce Schneier flew on a boarding pass in another person's name, made on a home printer.
  • In 2005, Andy Bowers discovered a gaping hole in the airport security system.
  • In 2006, Bruce Schneier repeated his act, since nothing had been done to the system in the meantime to prevent such cases.
  • In 2007, Christopher Soghoian put up a web page on which anyone could create a fake boarding pass, for which he later got into a lot of trouble. FBI agents came to his home, and the TSA sent him a letter describing the violated air transport regulations and asking him not to do it again.
  • In 2008, Jeffrey Goldberg published an article on the possibility of carrying dangerous baggage.
  • In 2011 and 2012, articles by Charles Mann and John Butler about flaws in the aviation security system were published, also with the participation of Bruce Schneier.

John Butler described how the pre-screening system can be tricked. He was mistaken in some technical details, but the idea itself was set out correctly. So, as of 2003, the procedure for boarding a flight as a person who is not on the passenger list was:

  • a ticket is bought in a fake name;
  • a boarding pass is printed on a home printer;
  • a copy of the boarding pass is created with your real name, which is not on the passenger list;
  • the false boarding pass with your name, together with your ID, is shown to the TSA employee. The problem was that this employee had no access to the reservation system and therefore could not verify in whose name the ticket was bought. He simply checked that the name on the boarding pass matched your ID card or passport; at the gate the correct boarding pass, which could be checked in the reservation system, was shown, and the passenger got on board the plane.

As I said, this method worked in 2003, but it could be repeated in 2006 and 2007, when barcodes were already in use. Let's see how the same method of getting on board works in Europe in 2016:

  • a ticket is bought in a fake name;
  • a boarding pass is printed on a home printer;
  • the passenger gets on board the plane.

By your reaction, I see that you appreciated the improvement of the airport security system in recent years!

Firstly, this became possible because of the boarding rules of the individual airlines. Boarding is not the task of the airport; it serves the airline, which is only interested in protecting its business interests. They don't care who bought the ticket; the main thing is that there are no fare dodgers. Very few airlines check your ID; for most, just checking your boarding pass is enough.
Secondly, it is possible because security checks are only occasional. For 2 or 3 years now your documents have not been checked at all if you fly on domestic routes or within the Schengen countries. As far as I know, 26 countries are now in Schengen; it is not the same as the European Union, which includes 46 countries. Instead, control has been tightened at the Schengen external border, and immigration databases are exchanged. Schengen officials explain this by saying they do not need to verify ID, since general security is ensured by physically screening each person for danger to others.

Let's go back a little. As it turned out, I did not need to reverse-engineer the format of the boarding pass record; it is publicly available, for example on the IATA website. This is how it looks in full. The upper part contains the data required in a boarding pass. The problem is that only this data is mandatory: the passenger's name, departure and arrival airport codes, class and flight number, and date; no other data is required on the ticket. That is just 60 characters.

There is nothing that authenticates the passenger and nothing that lets you verify the pass. Additional data sits at the bottom of the form, including 4 lines of security data. They work like an electronic signature of your ticket. They may be included in the ticket, but this feature is optional.

Consider where the passenger data is stored. Passenger verification can be done through the ticket reservation system. This is the CRS, the computer reservation system, which stores and processes the PNR, the passenger name record. It contains personal information (surname, name, contacts), reservations (flights, hotels, cars), issued tickets, special requirements (for example, assistance for disabled passengers, or a special diet for Muslims or Jews), loyalty program data and the contacts of persons to be notified in the event of a crash.

There are dozens of CRSs and the global distribution systems (GDS: Sabre, Amadeus, Galileo, Worldspan); however, they mainly work with private operators. One reservation can create several PNR entries in different CRSs. Access to data is restricted not only within one CRS but also between its various parts, because this is personal information.

The problem is that you need to know where to look to find this data, since there are many CRSs. By default, airports have no access to these databases. For example, I fly with Polish Airlines, then transfer to another company's plane, and my reservation is duplicated in both systems. If I use a travel agency, it also creates its own reservation record, and so on.

As you know, a barcode usually contains more information than what is printed, and if you can decode it you gain access to that data, including personal data.

In addition to reservation systems, some data also go to other systems:

  • data for checking tickets goes to the DCS, the departure control system, where it is verified that the person indicated on the ticket is on board;
  • advance passenger information (API) goes to the border service, which needs to know who flew into the country; scans of documents and so on may be required here;
  • PNRGOV data is fed into government systems; it is not very common and is used for statistics;
  • data for the Secure Flight program, which I will talk about a little later.

Again, I note that this information is not intended for airports; it is used by airlines and their agents.

For myself, I wrote a JavaScript program that generates the Aztec barcode as a web form that works offline; this is how it looks.

I enter the necessary data into it, including the class, date, last name, seat and security number, and it generates a barcode. The main thing needed for this to work is the flight number and date. The flight number must match what is shown on the airport departure board.

Working with a paper boarding pass is not as exciting. Regular MS Word has a decent tool for editing PDF files, so making your changes and printing such a pass is not difficult. You convert the PDF to DOC, make the changes and save it as PDF again.

The main thing is that the information printed on it matches the information encoded in the barcode, so that it scans everywhere. This way you can get a lot of extra entertainment for free. A visit to a contract lounge, one that serves airlines under contract, will be completely safe, because its staff have no access to the passenger register or personal information and simply trust what the barcode on the ticket reports. The only thing you should not do is use services reserved for "golden" status, because you may be asked to present a physical "golden" passenger card, which you do not have. If you have a card that has expired, they can also check it online.

It is a bit more complicated with lounges managed by the carrier itself. They may have access to the passenger register, but only for passengers on that airline's own flights. Some companies admit business class passengers holding tickets for another airline's flight to their lounges, so getting access to services is even easier in this case. Recently, access to lounges has been through automatic doors, as at Copenhagen Airport, so the trick with a fake boarding pass can pass there.

Once I used the services of Brussels Airlines, which has a slightly different booking system, and my ticket trick worked. However, there are several systems that do not behave correctly in this respect. In particular, one of the best lounges in the world, located in Istanbul and operated by Turkish Airlines. I thought beating this system would be difficult, because 99% of flights at this airport are operated by Turkish Airlines, and there are only a few Star Alliance flights operated by other European carriers. How did I act in this case? I launched my program on a smartphone and entered the data of one of the Turkish flights into it. I looked at the departure board and chose an arbitrary Istanbul-London flight, filled in the data of Bartholomew Simpson, who was a good prankster, and then the program generated a matrix barcode fully consistent with the data of the fake ticket.

As you can see, I am filming with a hidden camera in my shoulder bag. I walk up to the automatic doors, hold my smartphone with the barcode to the scanner and calmly walk into the chic lounge. Now I will show what I could use for free.

As I said, you don't need to fly anywhere; just go to the airport and use all its services, for example such a nice thing as duty-free shopping. In many countries, goods in duty free are sold only to passengers of a flight (and alcohol is packed in sealed plastic bags), but for this you do not need to fly anywhere for real. For EU destinations higher prices apply; that is, if you fly outside the EU, you can buy goods cheaper.

With a fake ticket in hand, you get access to all the attractions of the airport: the Fast Track service, easy access to lounges and duty-free shops.
How can this be prevented? On this subject the IATA website has a useful half-page document on fraud prevention. It describes the fraud risks.

For example, if the controller discovers two copies of the same ticket, he must withdraw the second copy, stop its holder and verify his identity. If the data on the ticket has been changed, the passenger must be checked against the passenger name list (PNL) of the flight and a certificate attached proving that the barcode on the ticket has been changed. If a fake barcode is found, the passenger must likewise be checked against the PNL and a certificate attached proving that the barcode is not genuine. By certificate an electronic signature is meant.

Consider what such an electronic signature is.

In 2008, IATA introduced the BCBP v.3 standard (barcoded boarding passes) with support for a digital signature based on PKI, public key infrastructure. Public key means that a scanner at any checkpoint can verify the authenticity of the digital signature.

Many airlines still use BCBP v.1, which does not support digital signatures. This means that the checkpoint must have additional means of checking them.
This feature is optional and is used only at the request of local security services. That is, by default it is not included in boarding passes and is present only where it is specifically stipulated.

The length of the digital signature varies, and a specific algorithm is used for authentication. Private keys are held by the airlines, public keys are distributed to third parties. For US carriers, the TSA standard is used.

Another thing that can be used is the BCBP XML standard. It was also introduced in 2008 and is used for PADIS (Passenger and Airport Data Interchange Standards) data exchange between airlines and third parties, such as lounge operators and security checkpoints. It is a data format derived from the PNR and does not contain any personal information. The control terminal sends a request containing the header and the full content of the ticket, and the airline must answer "yes" or "no" depending on the content. This is usually 0 or 1, meaning pass or do not pass.

The picture above shows how the passenger data is exchanged.

The problem is that the airport system is not able to contact each of the 200 airlines flying from the airport, let alone receive reservation data for every flight of these airlines. But even if there are only 10 of the 200 companies that the airport cannot reach, you still have the opportunity to make a fake ticket and use it at the airport. The difficulty is only with getting on a flight of one of the 190 companies whose data is verified through the PADIS system.

There is another system that uses the format correctly: the TSA Secure Flight system. The system started in 2013, although its development was initiated by the Transportation Security Administration (TSA) in 2009, and in 2011 a preliminary and repeated check of the indicator located in field 18 of the BCBP format was already being carried out: 0 = normal, 1 = SSSS, 3 = LLLL. At the same time, information was exchanged between airlines and TSA headquarters about whether the person was on the no-fly list or the re-check list. In the first case, he could not be allowed to board; in the second, the identity of such a passenger had to be verified carefully.
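The record layout described earlier (60 mandatory characters, optional conditional data, optional security block) and the selectee indicator in field 18 can be checked by a gate or lounge scanner before it trusts the pass. The parser and audit below are an added example, not the speaker's generator or any airline's code; the field widths and the '>' and '^' markers follow the public BCBP guide, the premium compartment letters are an assumption, and every barcode string is constructed.

```python
# Added example: defender-side parser for IATA BCBP "M" barcodes.
# Layout per the public BCBP guide: a 60-character mandatory block,
# an optional conditional block starting with '>' and an optional
# security block starting with '^'.  All sample data is constructed.

# (field name, width) of the mandatory block for the first leg, 60 chars in total
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_seq", 5), ("passenger_status", 1), ("variable_size", 2),
]

def _hex(s: str) -> int:
    """Two-character hex length field to int; blank or damaged fields count as zero."""
    try:
        return int(s, 16)
    except ValueError:
        return 0

def parse_bcbp(data: str) -> dict:
    """Split a BCBP string into named, whitespace-stripped fields."""
    if not data.startswith("M") or len(data) < 60:
        raise ValueError("not an M-type BCBP barcode")
    pos, out = 0, {}
    for name, width in MANDATORY:
        out[name] = data[pos:pos + width].strip()
        pos += width
    var_len = _hex(out["variable_size"])
    cond, pos = data[pos:pos + var_len], pos + var_len
    out["selectee"] = ""
    # Conditional block: '>' version(1) unique_len(2 hex) unique... repeated_len(2 hex) repeated...
    if cond.startswith(">"):
        rep_start = 4 + _hex(cond[2:4])
        rep = cond[rep_start + 2:rep_start + 2 + _hex(cond[rep_start:rep_start + 2])]
        # Repeated block: airline numeric code(3) ticket serial(10) selectee indicator(1) ...
        if len(rep) >= 14:
            out["selectee"] = rep[13]
    # Security block (BCBP v3+): '^' type(1) length(2 hex) signature data
    sec = data[pos:]
    signed = sec.startswith("^") and len(sec) >= 4
    out["security_type"] = sec[1] if signed else ""
    out["security_data"] = sec[4:4 + _hex(sec[2:4])] if signed else ""
    return out

def audit(fields: dict) -> list:
    """Findings a gate or lounge scanner should raise before trusting the pass."""
    findings = []
    if not fields["security_data"]:
        findings.append("UNSIGNED: no security block, every field is editable plaintext")
    if fields["compartment"] in ("C", "J", "F"):  # assumed premium compartment codes
        findings.append("PREMIUM: compartment code alone grants fast track or lounge; confirm in the airline DCS")
    if fields["selectee"] == "1":
        findings.append("SSSS: selectee indicator set, secondary screening required")
    elif fields["selectee"] == "3":
        findings.append("LLLL: selectee indicator 3")
    return findings

def build_sample(compartment: str, var_size: str) -> str:
    """Constructed mandatory block: LO 0123 WAW-LHR, Julian day 215, seat 12A."""
    return ("M1" + "SIMPSON/BARTHOLOMEW".ljust(20) + "E" + "ABC123".ljust(7)
            + "WAWLHR" + "LO ".ljust(3) + "0123".ljust(5) + "215" + compartment
            + "012A" + "0012".ljust(5) + "1" + var_size)

# Constructed conditional block (24-char unique part, 41-char repeated part
# whose selectee indicator is "1") and a dummy security block.
UNIQUE = "0WW6214BLO " + " " * 13
REPEATED = "0801234567890" + "1" + "0" + "LO " + "LO " + " " * 16 + " " + "20K"
CONDITIONAL = ">318" + UNIQUE + "29" + REPEATED   # 71 chars = 0x47
PLAIN = build_sample("Y", "00")                     # economy, no signature
EDITED = build_sample("C", "00")                    # compartment bumped to business
SIGNED = build_sample("Y", "47") + CONDITIONAL + "^108DEADBEEF"

if __name__ == "__main__":
    for label, bp in (("plain", PLAIN), ("edited", EDITED), ("signed", SIGNED)):
        print(label, parse_bcbp(bp)["compartment"], audit(parse_bcbp(bp)))
```

The "UNSIGNED" finding is the one that matters at a self-service gate: without a security block there is nothing for the scanner to verify, so any decision based on the compartment letter alone is a decision based on data the holder can edit.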

In 2013, a CAT / BPSS scanning network device was created to receive the following information from the Secure Flight system:

  • passenger's full name;
  • gender;
  • date of birth;
  • passenger status (normal, no-fly, needs re-check);
  • reservation number;
  • flight route (depending on which airport received the data).

Today I do not know which airports support this system and how well, because it was introduced relatively recently and is still being tested.

And now I will tell you why DEFCON is great. I was already finishing the slides for this presentation when Karl Koscher contacted me on Monday or Tuesday. He said he had heard about my talk and had something from eBay that I could "play with a little". It is a device one is not normally allowed to buy, this weighty thing I am showing you now. It is called BPV PENTA, a boarding pass scanner used at TSA checkpoints that is meant to be sold only to a limited set of buyers.

Its price on eBay was $160, so as you can see, not very expensive. I had a couple of days to "play" with this device, received several messages from Karl and made a video to show how it works. You can see that after switching on it does not show the departure airport; by default a line of dashes appears, setting the time is not an easy task, and keys may or may not be loaded.

I tried scanning a used ticket. The departure airport is detected, the correct date is not shown, but the digital signature is recognised as valid. At the same time the scanner emitted 3 beeps, lit a red indicator and showed the message: "the location of the departure airport is incorrect." As you can see, the digital signature passed, but the departure airport data on the ticket is flagged as incorrect. Let's find out what kind of data this is and try to fix it.

I took my smartphone with a barcode and held it to the scanner window. Now the departure airport and the departure date are accepted by the scanner, but the digital signature is rejected. At the same time the message "contact the supervisor" appears. I change something in the barcode, hold the smartphone to the scanner, and you see that everything goes fine: a single beep sounds, a green indicator lights up, you can go on board.

So a valid ticket is confirmed by one beep, an invalid one by three. If the scanner works unattended, it all depends on the vigilance of the TSA security agent, that is, whether he hears how many beeps the scanner emitted when checking your ticket.

Let's try to play with the indicator. I change the barcode again, hold the smartphone to the scanner, and now it emits 3 beeps while the green indicator lights up, not the red one. I entered the LLL parameter, which passed the security check but did not pass the digital signature verification. Again I change the code, enter SSS and hold the smartphone to the scanner: now the red indicator lights up, but only 1 beep sounds, as if everything went well. This is how it becomes possible to deceive both the device and the human controller.

Is this a vulnerability? I discussed the matter with several carriers and airport administrations, because these are their problems, and this is what they answered. First I contacted Polish Airlines. They said the problem should be addressed to the Warsaw airport administration, because it concerns the boarding pass scanning system.

I turned to the administration of Warsaw Airport, and they answered that they knew about it and it was not a problem for them, because the airport complies with all recommendations of the Civil Aviation Authority (CAA).

Then I turned to the CAA of Poland and waited 2 or 3 months for their response. They wrote simply: faking boarding passes is a crime, so you should not do it. That is all they could answer me.

I asked them: "Can you imagine a legal document without any authentication?" To put it politely, they just sent me to hell with this question.
Turkish Airlines sent me the following answer: "Please note that we have already forwarded your contact details to the appropriate department, which will contact you shortly to clarify your issue." That is, I received a standard reply.

Next, SAS answered me: "We appreciate that you took the time to send us your feedback, as it is very important to us and will help us improve the quality of our services."

And finally, the TSA is still silent about my appeal.

What can I tell you? My tricks work, but they can bring you a lot of problems, so I do not advise you to use them. But under the loyalty program you can get several souvenirs, such as a pen with a rubber stylus tip for writing on a smartphone screen, a convenient travel pillow, or a 450 ml coffee mug with a lid.

This program counts the points you receive for flying a certain number of miles. Each item costs a certain number of points; for example, the pillow costs 600 points. These points are also reflected in the barcode of your ticket. You can earn them simply by changing the barcode data on the ticket, as if you flew to Edinburgh, came back 3 hours later, and so on. I think the principle is clear to you.

To summarize:

  • privacy and confidentiality policies for personal information hinder the exchange of data between airlines and airport control points;
  • several significant security measures have been introduced by IATA, but they are expensive and limited in scope;
  • the aviation security system in the USA is better developed than in Europe, where automatic gates are widely used everywhere.

Unfortunately, I do not have time to answer your questions. I want to share with you a link to the materials of my talk, which will also be included in the final DEFCON presentation on DVD.
