Even amateurs can hack online bookings, get free flights – cybersecurity expert

28 Dec, 2016 12:14 / Updated 8 years ago

Almost anyone with basic computer skills can change online bookings and steal flights, German cyber experts warned after a remarkable hacking experiment. The issue lies with booking systems being too archaic, they said.

Online booking often provides more convenience for passengers, but ageing computer systems used for the purpose are vulnerable to fairly primitive hacks, according to German cyber security experts.

Flight bookings worldwide are managed by the so-called Global Distribution Systems (GDS) that connect travel agencies, online booking websites, airlines and passengers. Amadeus, Sabre, and Travelport, the three largest GDS networks, administer more than 90 percent of flight bookings as well as numerous hotel, car, and other travel reservations, according to Security Research Labs (SR Labs), a Berlin-based hacking research collective.

Karsten Nohl, founder and head of SR Labs, told the Sueddeutsche Zeitung newspaper and broadcaster WDR that intruders are able to hack into six-character booking codes used by customers for identification, online check-in and selecting seats. 

In a hacking experiment, Nohl demonstrated a computer program guessing six-character booking codes within minutes. Breaking the codes is easy, he said, because they are drawn only from capital letters and digits. With a valid code, an attacker can access the actual passenger's booking and change the departure time and email address.

“Today’s GDSs go back to the ‘70s and ‘80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices,” the SR Labs website wrote.

“The way 6-digit booking codes are chosen makes them weaker than a 5-digit password (<28.5 bits), which would be considered insecure for most applications.”

Online check-in and the EU's border-control-free Schengen zone mean that most European passengers do not have to show their IDs at airports while traveling within the bloc. Changing the departure time and email address makes it more likely that the actual passenger never learns of the tampering, since confirmation emails no longer reach them.

“Everyone can really manage to do it,” Nohl told Sueddeutsche Zeitung, claiming that it does not require advanced hacking skills. “Booking systems lack a security feature that we know from all other computer systems – the password,” he stressed.

Nohl said that nothing happens when a guessed booking code is wrong: modern websites and computer systems limit the number of attempts to try a code from a single IP address, but the archaic systems operated by many airlines impose no such limit. “This is an industry-wide problem,” he asserted.
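The two points above, the small keyspace of a six-character code and the absence of any attempt limit, can be put in numbers. The following is an added example written for this page, not SR Labs' tool or any airline's code: it computes the entropy of a code drawn from capital letters and digits, the cost of guessing one at an assumed request rate (the article gives no rate), and contrasts an unlimited check-in lookup with one that keys failures on the surname. The sample booking, the surname and the limiter thresholds are constructed assumptions.

```python
import math
from collections import defaultdict, deque
from itertools import product
from typing import Dict, Optional

# Code format as described in the article: six characters, capital letters and digits.
BOOKING_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
BOOKING_LENGTH = 6


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a code drawn uniformly at random from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Guessing one specific uniformly chosen code takes half the keyspace on average."""
    return alphabet_size ** length / 2


def hours_to_guess(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock cost of an online guessing attack against an endpoint with no attempt
    limit. The request rate is an assumption; the article gives none."""
    return expected_guesses(alphabet_size, length) / guesses_per_second / 3600


class AttemptLimiter:
    """Sliding-window failure counter, the control the article says the old systems lack.
    After max_failures failed lookups for the same key within window_seconds, further
    attempts for that key are refused until old failures age out of the window."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 900) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures: Dict[str, deque] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def allowed(self, key: str, now: float) -> bool:
        self._prune(key, now)
        return len(self._failures[key]) < self.max_failures

    def record_failure(self, key: str, now: float) -> None:
        self._prune(key, now)
        self._failures[key].append(now)


# Constructed sample booking (surname, locator); a real GDS holds millions.
VALID_BOOKINGS = {("MUSTERMANN", "A1B2C3")}


def check_in(surname: str, locator: str, limiter: Optional[AttemptLimiter], now: float) -> str:
    """Check-in lookup. With limiter=None it behaves like the unlimited endpoint the article
    describes. Otherwise failures are keyed on the surname rather than the client IP, so a
    guessing attack spread over many source addresses is still cut off after max_failures
    wrong codes for that passenger."""
    if limiter is not None and not limiter.allowed(surname, now):
        return "locked"
    if (surname, locator) in VALID_BOOKINGS:
        return "ok"
    if limiter is not None:
        limiter.record_failure(surname, now)
    return "invalid"


def run_guessing_attack(surname: str, attempts: int, limiter: Optional[AttemptLimiter],
                        seconds_per_attempt: float = 0.001) -> Dict[str, int]:
    """Try locators in keyspace order (AAAAAA, AAAAAB, ...) and count the server's answers."""
    counts = {"ok": 0, "invalid": 0, "locked": 0}
    candidates = ("".join(c) for c in product(BOOKING_ALPHABET, repeat=BOOKING_LENGTH))
    for i, locator in enumerate(candidates):
        if i >= attempts:
            break
        counts[check_in(surname, locator, limiter, now=i * seconds_per_attempt)] += 1
    return counts


if __name__ == "__main__":
    print(f"6-char A-Z0-9 code: {keyspace_bits(36, 6):.1f} bits")
    print(f"5-digit PIN:        {keyspace_bits(10, 5):.1f} bits")
    print(f"at 1000 guesses/s, one specific code falls in ~{hours_to_guess(36, 6, 1000):.0f} h")
    print("no limiter:", run_guessing_attack("MUSTERMANN", 1000, None))
    print("limiter:   ", run_guessing_attack("MUSTERMANN", 1000, AttemptLimiter()))
```

The entropy figure assumes codes are chosen uniformly; SR Labs' point is that the way real codes are assigned makes the effective keyspace smaller still. Keying the limiter on the surname rather than the source IP matters because the attacker, not the passenger, chooses how many IP addresses to use.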

Speaking to RT, Nohl said the security flaws “open doors to both privacy intrusion and fraud,” adding that passengers’ private data is secured with just a six-digit code printed on many pieces of paper “you probably throw away at the airport.”

“Plenty of people can access this information that you would consider private. The ultimate goal here would be to introduce passwords, just like any other internet service requires a password. But many companies, hundreds of companies would have to agree on how to do that and this would take a few years,” he said.

It is not the first time passengers’ privacy has been exposed as vulnerable to security flaws. In August, Sueddeutsche Zeitung said the names, credit card numbers and flight data belonging to millions of airline passengers in Europe could be accessed due to online security gaps revealed at Germany’s largest wholesale ticket 

The newspaper report said every link to an itinerary receipt – distributed by wholesale dealer Aerticket – ended with an eight-digit number, and the company's failure was that the documents were protected by nothing more than that number.

The digits at the end of each link could be changed manually by anyone, allowing a user to jump to other travelers' tickets, invoices, routes and credit card numbers.

While other online booking websites use randomly generated codes containing both digits and letters, that was not the case at Aerticket, the newspaper reported. Aerticket reportedly eliminated the vulnerability within hours of the newspaper report.
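The Aerticket flaw described above is the classic sequential-identifier problem, and the fix the article attributes to other sites is an unguessable link. The following is an added example written for this page, not Aerticket's code: it shows a receipt lookup keyed on a predictable eight-digit number, the neighbour-walking an attacker performs against it, and a hardened store that publishes each receipt under a random 128-bit token. The receipt records, the 128-bit token length and the receipt counts used for the probability figures are constructed assumptions.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample data: three consecutive receipt numbers of the shape the article
# describes (links ending in an eight-digit number). Card numbers are masked on purpose.
RECEIPTS: Dict[int, dict] = {
    10000001: {"passenger": "A. Example", "route": "TXL-LHR", "card": "**** 1111"},
    10000002: {"passenger": "B. Example", "route": "MUC-CDG", "card": "**** 2222"},
    10000003: {"passenger": "C. Example", "route": "HAM-ZRH", "card": "**** 3333"},
}


def receipt_by_number(n: int) -> Optional[dict]:
    """The weak pattern: the number in the URL is the only thing needed to read the receipt."""
    return RECEIPTS.get(n)


def walk_neighbouring_receipts(start: int, count: int) -> List[int]:
    """What the report describes: edit the trailing digits and collect every receipt that answers."""
    return [n for n in range(start, start + count) if receipt_by_number(n) is not None]


TOKEN_BYTES = 16  # 128 random bits per link (assumption; the article says only "randomly generated")


class TokenReceiptStore:
    """Hardened variant: each receipt is published under a random token from the OS CSPRNG,
    so the link carries the secret and adjacent values reveal nothing about other receipts."""

    def __init__(self) -> None:
        self._by_token: Dict[str, dict] = {}

    def publish(self, receipt: dict) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_token[token] = receipt
        return token

    def fetch(self, token: str) -> Optional[dict]:
        return self._by_token.get(token)

    def token_bits(self) -> int:
        return TOKEN_BYTES * 8


def hit_probability(valid_links: int, keyspace: float) -> float:
    """Chance that one random guess lands on some live receipt. With sequential numbers the
    attacker needs no luck at all; this shows why a random identifier must also be long enough
    that the keyspace dwarfs the number of documents in it."""
    return min(1.0, valid_links / keyspace)


if __name__ == "__main__":
    print("neighbours of 10000000:", walk_neighbouring_receipts(10000000, 5))
    store = TokenReceiptStore()
    link = store.publish(RECEIPTS[10000001])
    print("hardened link token:", link, "->", store.fetch(link)["route"])
    print("random 8-digit guess vs 5M receipts:", hit_probability(5_000_000, 10 ** 8))
    print("random 128-bit guess vs 5M receipts:", hit_probability(5_000_000, 2 ** 128))
```

A random but short identifier is not enough on its own: the `hit_probability` figures show that eight random digits over a few million documents still make roughly one guess in twenty succeed, which is why the token has to be long as well as unpredictable.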