33C3 preroll music
Herald: So many of us
traveled to this Congress.
Probably most of us. And we all took
trains, or planes, or… maybe somebody
drove by car. But most
took trains and planes.
And have you guys ever wondered
about the infrastructure
of those travel booking systems?
Even more interesting, have you ever
thought how secure those systems are?
Karsten Nohl and Nemanja Nikodijevic…
Karsten has a really nice record
of security research.
He had talks about GSM protocols
and last year he had his talk
about payment system abuse
which was really interesting.
Together with Nemanja, he will show us
his research on travel booking systems.
And probably we will find out
how we can get home free.
Please give a really, really warm
welcome to Karsten and Nemanja!
applause
Karsten Nohl: Thank you very much!
Always feels great to be back!
I just today noticed that the first time
I was speaking at this conference
is 10 years ago. So 10 years of…
applause
…thank you.
10 years of looking at 10 different legacy
systems and finding vulnerabilities
in all of them, so far. A lot of them were
around RFIDs, or mobile protocols.
This time we’re looking at something
completely different, travel booking
systems. And vulnerabilities in there.
Relative to some of the other talks we’ve
been giving, this will have less ‘hacking’
in it. Not because we lost our interest in
hacking but because much less hacking
was actually needed to exploit
vulnerabilities here. laughter
So, sorry for that if you expected a lot
of hacking. There’ll be a little bit,
that’s why Nemanja is here, but
a little bit less than usual. So we’re
talking about travel systems. And there
are 3 main players, or actors
in the commercial travel world. There are
those people who provide travelling,
airlines and hotels. There’s those people
who help you book them, Expedia,
websites like that or traditional travel
agencies. And then there’s brokers
who make sure that whatever is available
can be booked through those agents.
So those are really the backbone of travel
systems but you don’t really think
about them much, or at least I didn’t
before looking into this research.
The systems are very useful, as global
systems. In fact, they’re called “global
distribution systems”. And that tells you
how old they are. This is before
the internet was there. They go back to
the '80s and '70s. So there was only
one system that deserved the name
of a global distribution system of,
in this case, data. And this was
travel system. So it makes sense
to have these systems because, of course,
one seat on an airplane shouldn’t be sold
multiple times, so there needs to be
a global inventory somewhere.
Also all airlines should be using just
a few systems so that they can do
'codeshare agreements', e.g. so that,
again, the same seats on a flight
aren’t booked multiple times. And,
consequently, these booking systems,
they maintain three types of information.
The first one, you are probably most
aware of, are the prices. Airlines will
put their price lists into these systems
for booking sites to fetch. They’re
called ‘fares’ in the travel world.
The next important data item in there is
‘availability’. So not everything can be
booked that has a price. There needs to be
a seat available at a certain booking class.
And, finally, when somebody does find an
available seat to a fare that they want
to purchase that is then converted into
a ‘reservation’. So this is after the seat
is taken. You may have seen some of this
information before on travel web sites.
Let me just show you the one that I like
to use the most. The ‘ita matrix’, has
been bought by Google a few years ago.
So you can’t actually book through
here any more. But they maintain the
interface for whatever reason. And so,
let’s say you search for a flight to
San Francisco from here, at the end
of the year. This, like any other web
site will give you plenty of options
from the different airlines. What’s
different for this web site is that
they give you a lot more details,
if you know where to click.
So the cheapest flight, really cheap
actually, 325 bucks to go to San Francisco
for New Year’s, a one-way trip, and
what I like on this web site is the rules.
So this is real data, that is kept in one
of these GDS systems. And this already
looks like the '70s, right? laughter
This would usually be shown on a terminal,
maybe green font on black background, and
somebody would read through here,
and I would say, okay, so you wanna book
for a certain day, it’s okay, the dates
match, you wanna go on TAP (TP)
– Portugal Airlines – so okay, that matches,
and you could also take a few other
airlines, and then you have to meet
certain other restrictions, e.g. you can
stop over here. So this flight goes
through Lisbon, you can stay in Lisbon
for up to 84 hours before flying on
to the U.S. That’d be nice. And then
it has all these other rules in here,
e.g. you can not cancel this ticket,
right? It’s non-refundable. But you
can change it for a fee. And this goes on
and on and on. For just a single fare,
and there’s, of course, tens of thousands
of fares available. Now this, you may be
surprised to hear, is the only form in
which these fares are available. There
isn’t an XML, there isn’t a web service,
this is how the airlines publish them.
And then a web site like Expedia, they
have to write a parser for it to be able
to present flight options to you. You
may have noticed if you tried to change
or cancel flights they don’t allow that
to web sites often. Expedia e.g. doesn’t,
you have to call them. And if you call
them they say: “Give me a moment,
I have to read through the fare rules.”
So in that case they just didn’t parse
all this information. That’s the first
thing that’s kept in these… or maintained
in these large GDS, the booking systems:
the fares. The other thing is
the availability. That’s a little bit
harder to access through public web sites.
Expert Flyer is probably the best one
to use. And availability is important.
If you actually wanted to fly to San
Francisco now for New Year’s
we looked at the fare, well,
this is Booking Class 'O', this is
always the first letter. And then, if you
look at the availability for Booking Class
'O', unfortunately it says ‘C’ for ‘closed’.
So they don’t accept any more bookings.
So just because there’s a price available
doesn’t mean that anybody can actually
book this flight. And, again, somebody
like Expedia would have to now combine all
of these different pieces of information
to present a list of flight options for you.
So let’s assume they did that and you did
book something. Then, the third data item
is created in one of these GDS. And that’s
the 'passenger name record', PNR.
And that looks something like this. Again,
you’ll notice the same '70s/'80s style.
With lots of private information.
Ed Hasbrouck – he is a
privacy advocate in the U.S., probably
the loudest voice to ask for more
privacy around travel booking
and he was kind enough to make
this available on his web site, for all
to see what information is kept. So,
contact information, of course, things
like e-mail. This one shows you again
how old these systems are. So they
don’t have the ‘@’ character! This is
using a character set from punch cards!
And on punch cards you had 6 possible
punches per character. So everything here
needs to be encoded with a 6-bit character.
And there’s no space for ‘@’. So all
ancient stuff. But still, a possible
privacy hazard, right? You wouldn’t want
anybody to access this kind of information
about yourself. The three main players who
run GDSs – Amadeus, mostly in Europe,
Sabre, mostly in the US, and then there’s
Galileo that merged with a few other
things into ‘Travelport’. And Galileo
isn’t really so much used by airlines
but it’s more used by travel agencies.
And then, often, multiple of these systems
they’re involved in the booking. So let’s
say you go through Expedia and you book
an American Airlines flight, the PNR has
to be kept in Amadeus as well as Sabre.
So there’s two copies here. Or let’s say
you go through a travel agency that’s
connected to Galileo, and you book
a flight that has both Lufthansa and
Aeroflot segments it would be kept
in all three of them. So this is lots of
redundancy depending on where your flight
segments and booking agents come from.
But sufficient to say there are three big
companies, who apparently hold on to the
private information of all travelers.
Hundreds of millions of records
for each of those systems. And we wanted
to find out whether they can sufficiently
protect this information. And there’s, of
course, reasons to believe that they can’t.
This is very old technology and it’s
unclear whether they ever did any major
security upgrades. But at the same time
there’s reasons to believe that they
are very well secured because this PNR
data, this very information about travelers
that has been disputed between different
governments for a long time, in particular
the U.S. Government, and asking for more
and more information since 9/11 in
multiple waves, and the E.U. governments
that say: “No, you can’t have more
information than you absolutely need.” So
they agree politically that, yes, the U.S.
can get information on those travelers
going to the U.S. but only certain data
fields, and have to delete them after
a few years. So this was years
of negotiation. And you’d imagine that the
systems at the forefront of this dispute
they’d be secure enough that, let’s say,
we couldn’t access that same information
that even the U.S. Government is supposed
to not access. So we set out to answer
this simple question: do these GDSs,
do they have normal, basic security?
Do they constrain access, do they
authenticate users well, do they protect
through rate limiting from web attacks,
and do they log to be able to detect any
possible type of abuse? We’ll go through
each of them to see where those systems
stand. Let’s start with access control.
And this is just drawing
from public sources, so, again, Ed
Hasbrouck, this privacy advocate
in California, he has been the loudest
voice here, saying, there’s overreach by a
lot of players already accessing PNR
information. So e.g. if you have a booking,
let’s say a flight booking, anybody who
works at this airline can access
your information. But then, if you add,
let’s say, a car reservation to the same
booking, anybody who works at the car
rental company can also access
let’s say the flight information. And
any agent at the booking agency
that you use can access all of this
information. And if you keep adding
information all of these people still have
access to it. That’s just how these
systems grew over time, but that’s a first
indication to me that this certainly
wasn’t built with modern security
in mind. Most concerningly
the people working at or for the GDS
companies, they have access to everything,
absolutely everything. Including their
support staff, as far as I understand.
So these are external companies that
help debug the system, and they
have access to hundreds of millions
of people’s private information.
So way too many people have access
to way too much information, e.g. if you
did an online booking your IP address
is stored there, basically forever,
well, until the flight is over. But any of
these people can now access your
IP address, your e-mail address,
phone number and all of this.
So definitely that doesn’t seem to be
fine-grained access control. But,
as I said earlier, this has been known
for a long time and criticized a lot.
Not acted on, though, yet! How about
authentication? The picture is actually
even worse for authentication. And I want
to distinguish two different cases here.
I wanna distinguish professionals
accessing records, so people working
at travel agencies and airlines. And,
as a second case I wanna distinguish
travelers accessing their own records,
like when you check in online, e.g.,
you access your own record. Professionals,
the way they access it, typically, is that
their agency is connected to one of these
GDSs through basically one account.
So an entire agency system, or at least
an entire location uses one account.
So years ago somebody typed in some user
name and password, and then it’s long been
forgotten because locally they use
a different access management.
A few travel agencies were kind enough to
help us in this research, and the access
credentials we saw them using, they’re
just terrible. E.g. for one of the big
systems that I won’t name you need the
agent ID, so that you can get pretty
easily. And then a password for the web
service, so, the modern way of accessing,
this is WS for web service and the date
on which the password was created.
So even if you have to brute-force
20 years, how many possible dates
does a single year have? Times 20. This is
ridiculously low entropy for an account
that is supposed to protect information
of millions of people, if not more.
This is the best authenticator
that we found in these systems!
laughter
It gets worse with travelers accessing
their own information. Because there
they just simply forgot to give you
a password, not even a terrible password
like this; there just isn’t one. And what
they use instead is the booking code,
‘PNR locator’ it is sometimes called.
I call it booking code.
It’s a six-digit code. When you
check in online you need that code.
And you only need that code and your
last name. So you’d imagine that,
if they treat it as a password equivalent
then they would keep it secret
like a password. Only – they don’t,
but rather print it on every piece
that you get from the airline, e.g. on
every piece of luggage you have
your last name and a six-digit code.
On your boarding pass –
it used to be there, and then it
disappeared and then these barcodes
showed up. So it’s inside the barcode.
If you decode the barcode there is
your PNR in there. I erased it here,
this is still for a valid booking.
laughter
So, you have these six-digit codes printed
everywhere and you can just find them
on pieces of scrap at the airport.
Certainly these tags you find all over,
but also people throwing away their
boarding passes when they’re done.
And this is supposed to be the only way
of authenticating users. And we’ll
show you in a minute what kind
of abuse is possible through that.
But let’s first think about where else you
could be able to find these PNR codes.
Could it get any worse than somebody
printing your password on a piece of paper
that you throw away at the end of your
journey. Of course the internet can make
it worse! And what better technology to
worsen the security problem than
Instagram? So on Instagram…
laughter and applause
So you got all these bookings. And, in
fact, there was one guy here, you see, he
actually erased the information. But for
one who knows what’s up, everywhere,
there’s a hundred who don’t. And this
is really all information you need.
I saw a Lufthansa one just now,
where was that? – Here.
So here is a Lufthansa one. This is from
today, posted by markycz at Frankfurt.
This is really all you need to get
somebody’s…
laughter and applause
Let’s see if this works.
Yeah, sure enough. So.
laughter
'Marky M.' on Instagram is apparently
Marketa Mottlova
and this is her booking reference.
laughter
I was debating whether or not to show this
but you guys are gonna do it anyway
when I’m done with this talk.
laughter
cheers and applause
So a flight today from Munich
to Frankfurt and then, on to Seattle.
Let me point out one thing here.
Where did I see the ticket number?
off camera mumbling on stage
Just use mine!
It’s AndroidAPKN
Oops.
And then let me write down the password.
Okay. Alright.
So what I wanted to point out is that
this isn’t even a Lufthansa ticket.
So she checked in with Lufthansa
in Frankfurt. But if you look at the
ticket number, 016, that’s a United
[Airlines] ticket. And it also includes
flights on Alaska Airlines e.g.
So any of these airlines have
full access to this PNR. And many of them
will just grant people access to it
if they know the PNR and the last name.
As Nemanja will show in a minute,
even if they don’t know that yet. So...
To recap for the moment: airlines give you
a six-digit password that they print
on all kinds of pieces of paper and
that you will post on Instagram.
Why shouldn’t you, everybody else does,
too, apparently. 75,000 people at least
over the last couple of weeks. So
the authentication model here is
severely broken, too. And what
kind of abuse arises from this?
Of course, you can now use this PNR,
log in on Lufthansa as I have just done
or a more generic web site, like
Checkmytrip and look up people’s
contact information at the very least.
So there’s always an email address
in there. There’s usually a phone number
in there. If in Lufthansa you click on
“I wanna change my booking” probably
they’ll ask you for your payment information
and pre-fill the postal address for that.
So you get somebody’s postal address
that they used for the booking, passport
information, visa information. If you
travel to the U.S. as she does there’s
definitely passport information
in the PNR. All of this information is now
readily accessible. Now so far
there was zero hacking involved. That’s
why we have Nemanja here who will
show you some actual hacking to get even
deeper into these systems.
Can we switch the screen?
Nemanja Nikodijevic: So when…
laughter
When we started this research we needed
to find lots of these booking numbers
to see if there is some relation between
them. So luckily we didn’t have to
make any bookings that we had to pay
because there are web sites like this one
where you can just make a booking
and pay it later but you get
the booking reference number at the time.
So let’s make some very normal
German name… laughter
..looking for someone from Germany.
Actually they check the phone number, so
it has to follow a certain form.
Let’s find Germany… from Berlin,
1234567.
laughter
And then ‘hans@sandiego.com’.
As you can see I tried quite some…
laughter
So for this one we already got
our booking reference number
which is Y56HOY.
And this one, in a minute.
Okay, we have to wait a bit. Y5LCF4.
So if you notice
they are very close to each other, so
they both start with Y5 which means
that they were booked on the same day.
Probably because one is on Lufthansa,
the other one is on Air Berlin, there is
slight difference. They are not exactly
sequential. But we can say that they are
concentrated in a certain range
for a certain day. What we can do now is
we can go to one of our servers. At first
we have to check if checkmytrip works
because I had some issues
with the network.
That’s… ooh!
laughter
This is a bit unexpected.
We will have to skip this part
where we actually look for Carmen
Sandiego in one of our bookings.
But…
Karsten: Well, this is a side effect of
responsible disclosure. So you tell
a company that on this day you’ll do that
thing to that web site, and they just
either block the IP ranges here or just
took down the web site which they
have done a few times before.
What you can do is… – say it again!!
From audience: Can you test the hot spot?
Karsten: Actually, I think the whole
web site is turned off.
Nemanja: What we can demonstrate, I think,
is that if we go with this booking number,
to Air Berlin web site, and then
type last name, “Mueller”.
And actually, because it’s six-bit
encoding it has to be “UE”, no umlauts
allowed. So, “Select all the food!”
laughter and applause
Let’s see if we can find this flight.
Karsten: The part of the demo that you
didn’t show is just brute-forcing
these ranges. If you know which ranges
are used in a day you can try them all.
Or at least we did many times. That
would then, in theory, give you access
to all of this. And not just in theory, in
practice, unless they take down their
entire web site which they knew we were
gonna use for this demo.
Nemanja: But on this, for example, if we caught
that flight that we wanted to catch…
Karsten: We’ll show it later. But at least
the first win for privacy: no information
is leaked through this web site
for the rest of this talk, at least!
laughter and applause
Can we switch back to the other screen?
ongoing applause
One thing that you would have noticed had
this not just been a flight reservation
but an actual ticket: it would have
given you options to rebook it,
to add a frequent flyer number, all of that
good stuff. So what’s the abuse potential
here? So far we’ve only talked about
privacy intrusion. And privacy intrusion
is bad enough. Imagine somebody is
snapping a picture of your luggage,
that person has your email address and
your phone number, right there, right then.
But the abuse potential goes much
beyond that. For instance, you can fly for free!
You can fly for free using different
methods. You can find somebody else’s
booking and just change the date.
The ticket… in fact, we can show it
a little bit later. We had prepared for
this demo that we are going to find
through a little bit of brute-force that’s
a flexible ticket. So you can just change
the date, and change the email address.
You just take that flight yourself.
And as the airline checks… compares the
ticket and your passport – oftentimes
they do it visually. What they’ll do is
they’ll send you a PDF, you change
the name, you take it anyway. But at least
in Schengen, in the EU, people don’t even
do that. Let’s say you wanted
to take it in your name. You can,
depending on the airline, call them up
or even use their web sites to cancel
the ticket, and then issue a refund to you
inside the PNR, and then use the money
that’s freed up there to book a new
ticket. Some airlines also give you
MCOs – miscellaneous charges orders.
Americans will know this very well,
every time you get bumped from a flight
they give you an MCO, “sorry, we can’t
fly you home today, you’ll have to go
tomorrow, but here is $1,000 towards
a new ticket”. It’s real airline cash.
And those same MCOs you can issue
based on flight cancellation. So you
cancel somebody else’s ticket and you get
airline money to book your own ticket.
And, again, there are no passwords
involved. The only authenticator is this
six-digit sequence that people post
on Instagram, print on their boarding
passes and that Nemanja should be able
to brute-force on their web sites. What
else can you do, once you have somebody’s
PNR? You can change or add a mile number.
And some tickets are really attractive
for mile collection. Take a round trip to
Australia in 1st class, get 60,000 miles
right there, for one round trip, for one
PNR. And that will get you a sweet, free
flight to somewhere nice, or even some
voucher for online and offline shopping.
One website that I wish was still
working is, of course, this one.
laughter
But they shut down business, apparently.
Unrelated to this talk.
laughter and single claps
So you have access to somebody’s PNR,
you can not just stalk them but change
their flights or – which may trigger some
curiosity – that flight can be taken twice.
But you can very stealthily add your mile
number everywhere, well, a new mile number
matching that name to collect those sweet
miles. Now, are all airlines affected
by that? The demo that we didn’t get to
show brute-forced for one last name,
Sandiego, all the PNRs for a day. And it
quickly found, in fact, a bunch of records.
There’s not just one Sandiego flying that
day. But in some airlines they’re
a little bit smarter. For instance American
Airlines, the largest airline in the world,
they don’t just want the last name
but also the first name. And if you’re
interested in one specific person, let’s
say ‘Carmen Sandiego’, you would still
find that person. But if you want to
conduct fraud that becomes a little bit
more tricky. A fraudster would just pick
a random, very popular last name and
brute-force PNRs there. And that becomes
more difficult if also you have to guess
a first name. However, even American
Airlines, those records can be accessed
through other web sites. For instance Viewtrip,
this is another generic web site like this
infamous Checkmytrip that just went
offline. And Viewtrip allows you
to brute-force by just last name and PNR,
again. So there’s multiple ways to access
the same information. Some of which are
more secured than others. And, of course,
only the weakest link mattered. So
Viewtrip, what they would say is
they found the record and they can’t give
you access to the information but then
TripCase will which, again, takes only
last name and reservation number.
And they will tell you the first name
also that then you can type in to
the American Airlines web site again
laughter
to change the booking, let’s say. So
there’s all these different ways to access
a person’s information here. And everybody
is slightly different. So let’s look at the
entire universe of travel web sites,
starting with just three big travel providers.
Each of them uses six-digit booking codes.
But they use these six digits rather
differently. Sabre e.g. they don’t use any
numbers which of course severely impacts
the entropy. But then others, e.g. Amadeus,
they don’t use 1 and 0, because that could
be confused with i and o, and then
Galileo drops a few other characters. So
at the end of the day none of them really
used the entropy of even a six-digit
pass code. All of them are in entropy
lower than a randomly chosen 5-digit
password. And we will never recommend
anybody to use a 5-digit password, right?
So this is strictly worse. And what
makes it even worse, at least for
privacy-intruding attacks, is the
sequential nature of these bookings.
You saw the two that Nemanja just now
generated. Both of them were from
the same, very small subset. So if you
just wanted to know all the bookings
that a person did today, you can
brute-force this in 10 minutes
with a few computers running in parallel.
It’s not so easy on Sabre because
they seem to be chosen more randomly.
However, Sabre has the lowest entropy,
so if you just randomly want to find
bookings for popular last names Sabre is
your system of choice. They’re all weak,
but the weaknesses differ in shades of grey
for this privacy intruding and for the
financial fraud-type attacks.
As one example, though, of how easy it is
to find these booking codes, if you
look up 1,000 just randomly chosen booking
codes in Sabre for the last name ‘Smith’
five will come back with current bookings.
So half a percent of the entire name space
is filled with current bookings for people
called ‘Smith’! Now, add in all the other
last names, their name space must be
pretty damn full. And it’s only 300 million
records if you calculate the entropy.
So it looks like almost every record
is used up and they’re running out of
space. So they’ll have to fix this anyway
at some point. But that, of course, makes
it all the easier to randomly find and
abuse other people’s bookings.
Each of those providers runs a website
that allows you to access all the PNRs in
their system if you know the PNR and
the last name. And one German reporter
writing about this, he calls the
websites that you didn’t know existed,
that you have no use for but that, anyway,
put your privacy at risk. So there doesn’t
seem to be any up side to these web sites.
I certainly don’t need to use them
but they’re there, and they’re bad.
Because when we did the research none of
them had any protection from brute-forcing
meaning we could try 100,000, even
millions of different combinations
– PNR and last name – and those
websites wouldn’t complain even a bit.
We did expose Amadeus to way more
queries than the others and at some point
they did notice, maybe also because some
reporters just asked them for comments
on the research. They have tried to
improve. So the classic checkmytrip.com
website that was just killed a few days
ago – R.I.P., thank you, it’s gone,
50% of the problem solved. But the other
website, that was still around up until
literally half an hour ago. What they
did over the last couple of days was,
they added a captcha. But the captcha gave
you a cookie. And the cookie you could
again use for indefinite number of queries.
laughter
It’s a company that just hasn’t done web
security before. But then they also
limited the number of requests per IP
address. Now, we do this from Amazon,
so it’s not so difficult to spawn new
IP addresses, but still… it severely
slows us down. About 1,000 requests per
IP address. Even if they now took down
checkmytrip for good, of course, this is
not the only path to a reservation.
As we’ve seen before you can just use
the provider’s web site directly. And the
popular ones in Germany, they differed in
security quite a bit when we checked
a few weeks ago. So Lufthansa itself
differed on their different properties.
The standard website asked for a captcha,
not the first time, but I think starting
from three requests, so a really good
compromise. They make it comfortable
to use for really anybody who just wants
to look up their own records. But then
they make it a little bit more painful
for somebody who tries to look up
too many. But then the mobile version e.g.
didn’t have that captcha. And again,
weakest link principle applies. Air
Berlin, they had some rough IP filter,
again, 1,000 requests per IP, that’s
a little bit too much, they introduced
a captcha today! So, again, in response
to this. This is already showing
some effect. Thank you to checkmytrip
and Air Berlin for working on this
over the holidays, much appreciated.
Maybe, if you know anybody, thank you!
applause
On the other GDSs the situation is much
worse still. They’re still as brute-forceable
as they ever were, as are the web sites.
Except for the little bit of first-name
extra complication on American Airlines,
every web site we have tried is not protected
from brute-forcing. And this is surprising
to me. In my consulting work I have
never seen a web site where not the first
pentester ever looking at it would say:
“Oh, you didn’t have rate limiting in it,
please add it!” and then, two days later
they had. So for most of this industry
that is yet to happen. So no cookie here,
either. Let’s talk about one more abuse
scenario that’s… I can say they’re very
relevant but that’s maybe because in my
consulting life I’ve been dealing with
human security for the last couple of
years, appreciating that technology
is mostly not the weakest link but the
gullibility of people working
in the company. And the same probably goes
for travelers. Imagine the scenario where
you made a booking, just a few minutes
ago. And now that airline, or at least
it looks like that airline, sends you an
e-mail saying “Thank you for making
this reservation, here is all your booking
stuff, summarized for you, please update
your credit card information, though.
The booking didn’t go through.”
I would click on that. I expect them to
e-mail me, I know that sometimes
credit cards are fuzzy, I would click on
it and enter my credit card information
again. And how is this possible? Of course
we can stay ahead of the current pointer
in these sequences and find bookings
that were made in the last, let’s say,
half an hour, for popular last names
again. And each of those bookings will
point us to an e-mail address, and give us
all the context we need to include in this
very, very targeted phishing. If nothing
else, I think this should convince
the airline industry to close these
loopholes because the evilness of the internet
will not ignore this forever. Phishers are
always looking for new targets, and
this will be a very juicy one. So we
looked at the three big GDSs now.
There’s a few other players, e.g. SITA.
It looks like it’s on the way out but these two
very big airlines, they still use it. So
they’re certainly still relevant. They are
even worse. Instead of a
six-digit booking code they use five digits.
And one digit is fixed per airline. So if
you know you’re looking for Air India
you don’t even have to brute-force that
leaving just four digits to go through,
and to brute-force. Now we don’t have
a demo for this because we found three
other more fun ones to demo. So…
laughter
Nemanja will now show you RyanAir, Oman
Air and Pakistan International Airlines.
Note that all of these are connected to
big GDS systems. So it’s now the web sites
that make it even worse than we already
discussed before. And can we switch over
to the other computer again? Thanks.
Nemanja: Yeah, I guess, many people
fly with Ryan Air here.
They use Navitaire which is now owned by
Amadeus.
So they don’t share the same address space.
But on the Ryanair web site you can
either search for the reservation with the
e-mail address and the reservation number
or the last four digits of the credit card
that you used for booking.
laughter
Karsten: Again, great authenticator,
right? Ten thousand options.
Nemanja: As they don’t have captcha
we can have a look for…
So we know that the last four digits of
Carmen Sandiego’s card are these.
Karsten: And if not we can just try all
ten thousand.
Nemanja: We can just try, yeah. We can
do the other way around. So this way
we know that… and that it starts
with these characters. And let’s try
to brute-force it. In the meantime
let’s have a look at the Oman Air.
They ask for the booking reference
and for the departure airport. But
departure airport doesn’t have to be just
the departure airport but it can also be
any airport that is within the reservation.
So for Oman Air we think that it’s
Muscat which is the capital.
So usually… most of these slides
go through there. Let’s see
if we can find someone who is…
Karsten: And he’s now just trying random
booking codes that are valid within
that name space. So, again, they don’t
really use the full entropy. So that makes
the search a little bit quicker but other
than that it’s just a pure brute-force.
Nemanja: And as there is no captcha as you
can see we can go on to the next one.
So this one is the winner!
laughter
They trust you that it’s yours!
strong applause
And let’s see … so we already have one
for the Oman Air. Okay. This is the one…
this is where…
Karsten: That was RyanAir, huh?
Nemanja: This is the RyanAir, yeah.
So we didn’t bring these two characters.
But… because we wanted to hide it. If we
accidentally hit some booking with that
card number we don’t want to show the
booking reference number of someone else.
So it might be even some
of the people here. We can try…
Even got one from the Pakistan. Carmen
Sandiego is flying from SXF to TSR.
And here we can just enter the…
what was the, I think… if I’m right…
Let’s see if this will work. Yeah, okay.
Hello Carmen Sandiego.
Karsten: So now we know where Carmen
Sandiego is, finally. The point is,
we made, you can brute-force these web
sites rather easily and you don’t really
trigger any alerts there, apparently.
Which, again, coming from
an IT security background I find pretty
shocking. Can we switch back to
the other screen? Let’s look at the last
security feature that we would expect
any IT system to have, these days.
Especially knowing that it has been
criticized for lack of IT security for
a long time. And that, of course,
is accountability, logging. At least track
who’s legitimately or illegitimately
accessing these records. It turns out
that it has been asked for a long time
by different people, again most notably
Ed Hasbrouck, this privacy advocate,
but also other reporters and other
advocates have come across this
for years, saying “there’s rumors that,
let’s say, the Department of Homeland
Security in the U.S., they have root access
in these GDS’s. Where are the records,
whether they are accessing it or not.
Where are the records for abuse by
support staff in these GDS companies.
Where are any records?”
The GDS companies have always said,
“oh, we can’t keep any records, it’s
not technologically possible.” I call BS
on that. They are logging… in the tiniest
minutia, any change to a reservation
there’s a log for. And then access log
does not exist? And it’s not
technologically possible? I think there’s
a completely different reason behind here.
If, in fact, these companies gave access,
unlawful access, or at least in violation
of privacy laws in, let’s say,
the E.U. or Canada, if, in fact, they gave
that access to other governments
the last thing you want is a trail of
evidence showing that people have
access to records. So this has nothing to
do with technological restrictions, this is
purely – those companies don’t wanna be
in the middle of a debate where probably
some sealed order in the U.S. makes them
disclose all this information but laws
in Europe make them not disclose the
information. They just don’t wanna have
evidence either way. But that leaves us
in a very peculiar position where now
we know that these systems are insecure,
use very bad authenticators, expose this
over web sites that can be brute-forced
and don’t keep any record of if that
actually happens. So it’s completely
unknown how much abuse may be
happening here. I think we can be pretty
certain that the flight changes for people
to fly for free, that they are not
happening very frequently because that’s
the only one of these attack methods that
would leave very clear evidence, somebody
actually complaining, saying “I wanted to
take my flight but apparently somebody
else already took it before me, or
canceled it and took off with the money.”
But the other cases we have no idea
whether or not they’re happening.
They’re technologically possible, and
nobody seems to be looking for these
abuse patterns. In summary, there’s just
three big global databases, two in the U.S.,
one in Europe. They keep all the
information on all the travelers.
This information includes your personal
contact information, payment information,
your IP address. So lots of stuff that in
a lot of other systems we consider
sensitive, private even. And it should be
protected with a good password. We would
advise people to use an 8-character or
longer password, with special character.
None of that exists here. The passwords
here are six digits. They are worth less than
five digits of entropy. They’re
printed on scraps of paper that you
throw away. They are found on Instagram
and they’re brute-forceable through numerous
web sites by the GDS companies and through
the travel providers. So this is very,
very far away from even weak internet
security. This really predates the internet
in stupidity and insecurity. And while
there’s multiple scenarios in which
either privacy of users is at risk or even
fraud could happen none of this is even
logged, and nobody knows or has any way
of knowing the magnitude to which
these systems are already abused.
So what do we need here?
We clearly need more limitations on who
can access what. This is not just my ask.
This has been asked for 10 to 20 years.
But more on the technical level,
in a long term, we need passwords for
every traveler. You should be able
to post a picture of your boarding pass
on Instagram without having to worry
about somebody abusing it. This is a piece
of paper that you will throw away.
There should be nothing secret about it.
If you wanna share it – feel free to.
Somebody else needs to add a password
to make that safe again.
But that’s a very long-term goal. These
travel companies, they’re so interwoven,
as we saw today, that all of them really
have to move at the same time.
The GDS’s have to do their share. But then
each of the interconnected airlines has to do
their share. We saw this one random ticket
from Instagram, so this was a Lufthansa
ticket with some Alaska Air components
issued by United. So at least those three
companies have to work together. And how
many more different airlines today have
code-share agreements. So we’re talking
about hundreds of companies who have
to come together and decide “we wanna
introduce pass codes, passwords”,
whatever you wanna call them, “for each
booking”. So that is a long-term goal.
In the short term, though, the very
least we can expect is for all these
web sites that do give access to travelers’
private information to do the bare minimum
of web security. At the very least
some rate limiting. Don’t allow us
to throw millions of requests at your
properties, and give us back honest
answers. That is unheard of anywhere else
in the “cloud”. But for travel systems
who claim for themselves to be the first
cloud ever this seems to be very standard.
And then, finally, until all of this can
be guaranteed, until there’s passwords
and until there is good rate limiting
I think we have a right to know
who accesses our records, and there must
be some accountability. Especially,
knowing how insecure these systems are
today. This is a long way, and I can only
hope that we are starting a journey by
annoying large companies like Amadeus.
They have done their little bit of fixing
over the weekend now, so hopefully
some others will follow suit and we
will have better systems. Until then,
of course, I can only encourage all of you
to look at more of these travel systems
because there’s plenty more to find.
We’re only scratching the surface here.
And, more generally, to look at more
legacy systems. I think we’re spending
way too much time making some already
really good crypto just a tiny bit better
or finding a really good mobile operating
system the next little jailbreak
that will be fixed two days later anyhow
ignoring all these huge security issues
that have been there for many, many years
in systems that are a little bit less sexy
and riddled with bug bounties than
something else that we do spend a lot
of time on. So I hope I could encourage
you to do that. I wanna just hand out
a few thank-yous to members of our team
without whom this research wouldn’t
have been possible, and to a few industry
experts who were kind enough to
read over these slides and provide
feedback, and help us hopefully
not have any major gaps on our
information. And then, to you for
showing up in such great numbers,
thank you very much!
applause
Herald: Wow, great talk. Thank you
very much! We have five minutes
for Q&A. So please line up on the
microphones, and we’ll take
some questions. First one!
Question: Do you have any indication of
how secure the systems are on the other
end, that the airlines supply their
fares into the entire systems?
Is there any indication that those systems
might be more secure than
on the customer side? Or would it
be easy to inject a cheap fare, e.g.
by impersonating the airline
with weak passwords?
Karsten: Honestly, we don’t know.
It was definitely on our list to research
but we don’t have time for everything so
we focus more on the customer privacy.
But one thing that I really would want
to test if I had any way of doing it:
imagine the parsers for these strings.
Imagine injecting some special characters
in that. I don’t know who creates these
strings and maybe I don’t wanna know.
But if anybody does and you could play
with some SQL commands I think a lot of
web sites would wake up understanding that
on that front they don’t do enough
security either.
Herald: Okay, question
from the Signal Angel?
Signal Angel: A question from IRC.
Recently, U.S. Customs and Border Patrol
started collecting social media identifiers
for foreign citizens trying to enter
the U.S. on a Visitor Visa. Could that
information be accessible through PNRs?
Karsten: That’s a good question.
I don’t think you would be.
From Audience: They are!
Karsten: So, I…
From Audience: Yes, they are!
Karsten: They are in the PNR?
From Audience: Yes!
Karsten: Okay.
laughter
I would have imagined that it’s
more a case like this journalist,
Cyrus Farivar. He requested through
FOIA disclosure all the records that
the U.S. Government kept on his
travelling. And he found a lot more stuff
than just in the PNR. They had notes in
there like “he’s a journalist”, “we had
to search him extra for that”, stuff like
that. So they don’t wanna write that
into the PNR. But the Government keeps
separate records that may be indexed
by PNR, I don’t know.
Herald: Okay, microphone here!
Question: Can you say something about
how long information will be stored
in those travel systems, and whether users
have a right to get them deleted?
Karsten: That’s a good question. I think
that differs by system. So in Amadeus
records are removed pretty quickly. Days,
or at most, weeks after the last flight is
finally done. But in Sabre I had the
impression that much older records were
still in there. Which may explain why
their data set is so dense. If you keep
accumulating all the information. By the
end of the day this is all going back
to mainframe technology. So I don’t think
anybody understands these algorithms
any more. They just kind of work.
Question: The deletion?
Karsten: The deletion, yeah. I don’t think
you can request anything to be deleted.
I don’t think they consider you
a person that they wanna talk to.
You’re not the customer!
Question: Thanks!
Herald: Okay, the microphone
there, in the…
Question: It seems that the immediate way
to abuse these systems is, like you said,
with abusing money, and the mileage etc.
It seems that those paths are actually
somehow monitored by airlines, so if I’m
collecting miles and take it not under
my name that would raise some flags.
You think that’s not the case?
Karsten: Yes, I should have been more
explicit how this attack works,
the mile diversion. So, of course, you
have to have an account in the same name
as the person flying. So had his demo
worked, he would have a PNR for
a lady Carmen Sandiego. You can just go
to miles&more and create an account
under that name. A lot of airlines, though,
they also allow you to change your name.
So you just change it whenever you find
a round trip Australia ticket,
you change the name to whatever that
target name is. And I know for a fact
that people are doing that right now, not
you guys, before even. Based on Instagram
photos. So people are diverting miles by
creating new accounts or by keeping
changing the names of the accounts.
And yes, airlines do sometimes notice this
but only when it becomes excessive.
And sure, that’s their money. I just hope
that it will become so excessive that
it’s such a big problem that it can’t be
ignored any more. And then the privacy
issues get fixed on the same token
where privacy is never enough to convince
a big company. But if you throw in
a little bit of fraud it may be enough.
applause
Herald: Okay, one last question.
Microphone here!
Question: Hi Karsten! When people use
like GDS’s they have these really archaic…
there are not even… there are like actual
terminals, not even pseudo-terminals.
And then they expose like these APIs for
the sake of writing your code in like Java
or whatever. I’m wondering if there’s
research to be done at that level?
Or did you just not look at that, or
that’s just an area of further research?
Karsten: We did, quite a bit. But we found
no way of making that public in any way
that wouldn’t require a login from a
travel agency and all of that good stuff.
So I think the most I wanna say about that
is the logins that travel agencies have,
they’re terribly secured. But, of course,
I can’t encourage anybody to go out
and hack them. But if you did and you had
access you’d be logging in to something
that looks like a terminal. And you’d be
typing some commands. And the next thing
you know it throws a Java stack trace at
you. So these just look like terminals.
They have moved well beyond that while
still maintaining this look and feel
of a mainframe. And they’re terribly
insecure. So these stack traces, they just
come left and right even if you
try to do the right thing!
laughter
Question: Thanks!
Herald: Okay we have one question
from the internet!
Signal Angel: Somebody wants to know,
how do you avoid DDoSing those services
when you just brute-force the booking
numbers?
Karsten: A good question. Of course we
don’t wanna hurt anybody, so we tried to
keep the rates low. And it turns out if
you throw 20 Amazon instances at them
they don’t go down yet. And…
laughter
Herald: Okay. Thank you very much,
Karsten and Nemanja!
applause
postroll music
subtitles created by c3subtitles.de
in the year 2020. Join and help us!