Airlines are more than travel providers. They’re also giant repositories of customer data—just think how much personal information you provide to book a flight. If you’re worried that the old technology that powers airlines isn’t up to the task of securing your data, well, maybe you have reason to be.
Noam Rotem, a security researcher based in Israel, recently exposed a flaw in Amadeus, an online booking system that brokers reservations between travel agents, booking sites and upwards of 200 major airlines. The flaw (now said to be fixed) let an attacker reach a passenger’s booking data using little more than the six-character booking code printed on a boarding pass.
The problem goes a lot deeper than that.
A Clever Hack, a Worrying Weakness
Rotem says he discovered the flaw on a whim while booking a flight with the Israeli carrier El Al, and a blog post at Safety Detective explains his method. In short, he found he could retrieve any passenger’s passenger name record (PNR), the booking identified by the six-character alphanumeric code printed on boarding passes and luggage tags, by tampering with the web request El Al’s site uses to pull booking details from Amadeus.
“Just by guessing PNRs I was able to access personal data and change contact details of customers,” Rotem explained to Popular Mechanics in a direct message. “This was confirmed by both elal’s [sic] vp and the Amadeus team.”
Rotem ran a script that generated random PNR codes, then submitted each one to the back end of the website’s booking page. This way, he says, the site granted him access to the private flight information of scores of passengers. (Amadeus says it fixed the bug after Rotem disclosed his findings.) The vulnerability allowed him to make a variety of nefarious moves, including stealing frequent flier miles, changing passenger seats and meals, and modifying “the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service,” the blog explains.
Even if the bug truly is fixed, its existence points to a much larger problem. Amadeus serves nearly 200 major airlines, including United Airlines and Lufthansa, and managed 595 million bookings across the wider travel industry in 2016. And the other IT systems at the heart of the airline industry aren’t getting any younger, either.
Amadeus is what the industry calls a global distribution system (GDS), one of three such systems that broker bookings between airlines and the rest of the travel trade. Airlines, agents and booking sites exchange deeply private information, including birthdays, addresses and sometimes passport numbers, over these systems. But the core technology at work here first emerged in the 1960s. (There are numerous reasons airlines rely on archaic technology. One, noted by a Senate inquiry in 2016, is that a plethora of corporate mergers forced major airlines to integrate their businesses at the expense of IT upgrades.)
Security researchers have repeatedly sounded the alarm in recent years that airline IT is struggling to cope with modern demands. Rotem’s discovery should evoke memories of a late 2016 study by the Berlin-based Security Research Labs, which catalogued many of the flaws in the PNR system. Among their shortcomings, booking codes are short enough to be vulnerable to brute-force guessing of the kind Rotem used to pull up El Al passengers’ bookings. The study also found:
“Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their booking codes can be found over the Internet with little effort.”
Even without hackers poking holes in the system, there’s a deeper, more systemic problem: PNR codes are printed on boarding passes and other travel documents. #BoardingPass is a popular hashtag on Instagram, with a glut of photos uploaded every day that freely advertise booking codes and boarding-pass barcodes. This is low-hanging fruit for anyone with a dastardly agenda: the barcode itself encodes the passenger’s name and booking code, and any barcode-scanning app can read it.
As Security Research Labs explained in their study, obtaining a PNR, even on Instagram, enables a hacker to do any of the things that Rotem managed to accomplish, like steal flights and frequent flier miles.
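To make concrete what a barcode-scanning app recovers from one of those photos, here is an added example (not code from the article, from Amadeus or from El Al) that decodes the mandatory 60-character block of an IATA Bar Coded Boarding Pass (BCBP) and pulls out exactly the two values a “manage my booking” form asks for: the surname and the booking code. The sample barcode string is constructed for illustration; the passenger, booking code and flight in it are fictitious.

```python
"""Decode the mandatory block of an IATA Bar Coded Boarding Pass (BCBP).

Added example, not code from the article or from Amadeus/El Al. Field widths
follow the public IATA BCBP layout for the first leg (60 characters).
SAMPLE_BARCODE is a constructed string, not a real boarding pass.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# (field name, width) for the 60-character mandatory block of a BCBP
MANDATORY_FIELDS = [
    ("format_code", 1),       # "M" = multi-leg capable boarding pass
    ("legs", 1),              # number of flight legs encoded
    ("passenger_name", 20),   # SURNAME/GIVENNAME, space padded
    ("eticket", 1),           # "E" = electronic ticket
    ("pnr", 7),               # operating carrier booking code, space padded
    ("origin", 3),            # IATA airport codes
    ("destination", 3),
    ("carrier", 3),           # operating carrier designator
    ("flight_number", 5),
    ("julian_date", 3),       # day of year of the flight
    ("compartment", 1),       # cabin class
    ("seat", 4),
    ("sequence", 5),          # check-in sequence number
    ("status", 1),            # passenger status
    ("conditional_size", 2),  # hex length of the optional block that follows
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60


@dataclass
class BoardingPass:
    passenger_name: str
    pnr: str
    origin: str
    destination: str
    carrier: str
    flight_number: str
    julian_date: int
    seat: str
    legs: int


def parse_bcbp(data: str) -> BoardingPass:
    """Split the fixed-width mandatory block into named fields.

    Raises ValueError on anything that is not a well-formed 'M' barcode,
    so a scanner feeding this into a lookup form fails closed on garbage.
    """
    if len(data) < MANDATORY_LEN:
        raise ValueError(f"barcode too short: {len(data)} < {MANDATORY_LEN}")
    if data[0] != "M":
        raise ValueError(f"unsupported format code {data[0]!r}")
    fields = {}
    pos = 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width]
        pos += width
    try:
        conditional_len = int(fields["conditional_size"], 16)
        julian = int(fields["julian_date"])
        legs = int(fields["legs"])
    except ValueError as exc:
        raise ValueError("malformed numeric field") from exc
    if MANDATORY_LEN + conditional_len > len(data):
        raise ValueError("conditional block overruns barcode data")
    return BoardingPass(
        passenger_name=fields["passenger_name"].strip(),
        pnr=fields["pnr"].strip(),
        origin=fields["origin"],
        destination=fields["destination"],
        carrier=fields["carrier"].strip(),
        flight_number=fields["flight_number"].strip(),
        julian_date=julian,
        seat=fields["seat"].strip(),
        legs=legs,
    )


def lookup_credentials(data: str) -> Optional[Tuple[str, str]]:
    """Surname plus booking code: what a 'manage my booking' form asks for.
    Returns None if the barcode does not parse."""
    try:
        bp = parse_bcbp(data)
    except ValueError:
        return None
    surname = bp.passenger_name.split("/", 1)[0]
    return surname, bp.pnr


# Constructed sample (fictitious passenger, booking and flight), assembled
# field by field so the widths are exact.
SAMPLE_BARCODE = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "TLV" + "JFK" + "LY".ljust(3) + "0001".ljust(5) + "032" + "Y"
    + "012A" + "0045".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    print(parse_bcbp(SAMPLE_BARCODE))
    print(lookup_credentials(SAMPLE_BARCODE))
```

The point to take away is that nothing in the mandatory block is secret: the name and booking code sit in clear text, so a photo of the barcode is as good as a photo of the printed code. Anything beyond the first 60 characters (airline-specific data, a digital signature on newer passes) is length-checked here but not decoded.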
Such holes led researchers like Rotem and the team at Security Research Labs to recommend adding CAPTCHAs and limiting retry attempts from a single IP address to slow brute-force attacks. The industry, so far, has not done so.
What We Don’t Know
Any weakness that could affect “tens of millions of travellers,” as the blog post states, sounds dire. But how worried should you be about a security flaw that’s seemingly hardwired into the greater travel industry?
“If you’d asked me two years ago, I’d have said that airlines were certainly lagging in their informational security apparatus,” says Scott Keyes, who runs the cheap flight-finding website Scott’s Cheap Flights. But that’s changed in the last couple years because of a focus on investing in security systems, he says.
Another airline industry analyst, Brett Snyder, points out that airlines rely on a multitude of services to manage their business, many of which are separate from the GDS. Writing to PM in an email, he explains that IT is stronger than it used to be:
“Overall, the airlines have started to put a bunch of money into IT and that’s going to pay dividends, but there have been years of under-investment due to chronic financial problems. So there’s a lot of catching up that needs to be done overall, but this doesn’t seem like as big of a security issue as it’s made out to be in my mind. Without knowing the full story, however, that’s just speculation.”
Indeed, Amadeus did fess up to the glitch, writing in a statement that “we have added a Recovery PTR to prevent a malicious user from accessing travellers’ personal information. We regret any inconvenience this situation might have caused.”
Bogged Down in Bureaucracy
In its statement to TechCrunch, Amadeus said its systems are subject to approval from the International Air Transport Association (IATA), an industry group. Because the company “relies on IATA standards that were introduced to improve efficiency and customer service on a global scale,” it argues that fixing the shortcomings with PNR will ultimately hinge on changing industry-wide standards, which, frankly, sounds like a bureaucratic nightmare.
One might chalk that up to deflecting blame, though it’s clear that the problem is more complicated than a simple fix in Amadeus’ source code. It hinges on a multi-layered approach to digital security and IT infrastructure, something airlines have historically let languish. Maybe now it’s time for that to change.