0:00:00.000 [33C3 preroll music]
0:00:16.602 Herald: So many of us traveled to this Congress. Probably most of us. And we all took trains, or planes, or… maybe somebody drove by car. But most took trains and planes. And have you guys ever wondered about the infrastructure of those travel booking systems? Even more interesting, have you ever thought how secure those systems are? Karsten Nohl and Nemanja Nikodijevic… Karsten has a really nice record of security research. He had talks about GSM protocols and last year he had his talk about payment system abuse which was really interesting. Together with Nemanja, he will show us his research on travel booking systems. And probably we will find out how we can get home free. Please give a really, really warm welcome to Karsten and Nemanja!
[applause]
0:01:41.422 Karsten Nohl: Thank you very much! Always feels great to be back! I just today noticed that the first time I was speaking at this conference is 10 years ago. So 10 years of…
[applause]
…thank you. 10 years of looking at 10 different legacy systems and finding vulnerabilities in all of them, so far. A lot of them were around RFIDs, or mobile protocols. This time we’re looking at something completely different, travel booking systems. And vulnerabilities in there.
0:02:18.929 Relative to some of the other talks we’ve been giving, this will have less ‘hacking’ in it. Not because we lost our interest in hacking but because much less hacking was actually needed to exploit vulnerabilities here. [laughter] So, sorry for that if you expected a lot of hacking. There’ll be a little bit, that’s why Nemanja is here, but a little bit less than usual. So we’re talking about travel systems. And there are 3 main players, or actors, in the commercial travel world. There are those people who provide travelling, airlines and hotels. There are those people who help you book them, Expedia, websites like that, or traditional travel agencies. And then there are brokers who make sure that whatever is available can be booked through those agents. So those are really the backbone of travel systems but you don’t really think about them much, or at least I didn’t before looking into this research. The systems are very useful, as global systems. In fact, they’re called “global distribution systems”. And that tells you how old they are. This is before the internet was there. They go back to the 80s and 70s. So there was only one system that deserved the name of a global distribution system of, in this case, data. And this was the travel system. So it makes sense to have these systems because, of course, one seat on an airplane shouldn’t be sold multiple times, so there needs to be a global inventory somewhere.
0:03:51.282 Also all airlines should be using just a few systems so that they can do ‘codeshare agreements’, e.g. so that, again, the same seats on a flight aren’t booked multiple times. And, consequently, these booking systems, they maintain three types of information. The first one, you are probably most aware of, are the prices. Airlines will put their price lists into these systems for booking sites to fetch. They’re called ‘fares’ in the travel world. The next important data item in there is ‘availability’. So not everything can be booked that has a price. There needs to be a seat available at a certain booking class. And, finally, when somebody does find an available seat to a fare that they want to purchase, that is then converted into a ‘reservation’. So this is after the seat is taken. You may have seen some of this information before on travel web sites. Let me just show you the one that I like to use the most. The ‘ITA Matrix’ has been bought by Google a few years ago. So you can’t actually book through here any more. But they maintain the interface for whatever reason. And so, let’s say you search for a flight to San Francisco from here, at the end of the year. This, like any other web site, will give you plenty of options from the different airlines. What’s different for this web site is that they give you a lot more details, if you know where to click.
0:05:25.309 So the cheapest flight, really cheap actually, 325 bucks to go to San Francisco for New Year’s, a one-way trip, and what I like on this web site is the rules. So this is real data, that is kept in one of these GDS systems. And this already looks like the 70s, right? [laughter] This would usually be shown on a terminal, maybe green font on black background, and somebody would read through here, and I would say, okay, so you wanna book for a certain day, it’s okay, the dates match, you wanna go on TAP (TP) – Portugal Airlines – so okay, that matches, and you could also take a few other airlines, and then you have to meet certain other restrictions, e.g. you can stop over here. So this flight goes through Lisbon, you can stay in Lisbon for up to 84 hours before flying on to the U.S. That’d be nice. And then it has all these other rules in here, e.g. you cannot cancel this ticket, right? It’s non-refundable. But you can change it for a fee. And this goes on and on and on. For just a single fare, and there’s, of course, tens of thousands of fares available. Now this, you may be surprised to hear, is the only form in which these fares are available. There isn’t an XML, there isn’t a web service, this is how the airlines publish them. And then a web site like Expedia, they have to write a parser for it to be able to present flight options to you. You may have noticed if you tried to change or cancel flights they don’t allow that to web sites often. Expedia e.g.
doesn’t, you have to call them. And if you call them they say: “Give me a moment, I have to read through the fare rules.” So in that case they just didn’t parse all this information. That’s the first thing that’s kept in these… or maintained in these large GDS, the booking systems: the fares. The other thing is the availability. That’s a little bit harder to access through public web sites. ExpertFlyer is probably the best one to use. And availability is important. If you actually wanted to fly to San Francisco now for New Year’s, we looked at the fare, well, this is Booking Class ‘O’, this is always the first letter. And then, if you look at the availability for Booking Class ‘O’, unfortunately it says ‘C’ for ‘closed’. So they don’t accept any more bookings. So just because there’s a price available doesn’t mean that anybody can actually book this flight. And, again, somebody like Expedia would have to now combine all of these different pieces of information to present a list of flight options for you. So let’s assume they did that and you did book something. Then, the third data item is created in one of these GDS. And that’s the ‘passenger name record’, PNR. And that looks something like this. Again, you’ll notice the same 70s/80s style.
0:08:24.890 With lots of private information. Ed Hasbrouck – he is a privacy advocate in the U.S., probably the loudest voice to ask for more privacy around travel booking – and he was kind enough to make this available on his web site, for all to see what information is kept. So, contact information, of course, things like e-mail. This one shows you again how old these systems are. So they don’t have the ‘@’ character! This is using a character set from punch cards! And in punch cards you had 6 possible punches per character. So everything here needs to be encoded with a 6-bit character. And there’s no space for ‘@’. So all ancient stuff. But still, a possible privacy hazard, right? You wouldn’t want anybody to access this kind of information about yourself. The three main players who run GDSs – Amadeus, mostly in Europe, Sabre, mostly in the US, and then there’s Galileo that merged with a few other things into ‘Travelport’. And Galileo isn’t really so much used by airlines but it’s more used by travel agencies. And then, often, multiple of these systems are involved in the booking. So let’s say you go through Expedia and you book an American Airlines flight, the PNR has to be kept in Amadeus as well as Sabre. So there’s two copies here. Or let’s say you go through a travel agency that’s connected to Galileo, and you book a flight that has both Lufthansa and Aeroflot segments, it would be kept in all three of them.
So this is lots of redundancy depending on where your flight segments and booking agents come from. But suffice it to say there are three big companies who apparently hold on to the private information of all travelers. Hundreds of millions of records for each of those systems. And we wanted to find out whether they can sufficiently protect this information. And there’s, of course, reasons to believe that they can’t. This is very old technology and it’s unclear whether they ever did any major security upgrades. But at the same time there’s reasons to believe that they are very well secured because this PNR data, this very information about travelers, has been disputed between different governments for a long time, in particular the U.S. Government, asking for more and more information since 9/11 in multiple waves, and the E.U. governments that say: “No, you can’t have more information than you absolutely need.” So they agree politically that, yes, the U.S. can get information on those travelers going to the U.S. but only certain data fields, and have to delete them after a few years. So this was years of negotiation. And you’d imagine that the systems at the forefront of this dispute, they’d be secure enough that, let’s say, we couldn’t access that same information that even the U.S. Government is supposed to not access. So we set out to answer this simple question: do these GDSs, do they have normal, basic security?
0:11:33.970 Do they constrain access, do they authenticate users well, do they protect through rate limiting from web attacks, and do they log to be able to detect any possible type of abuse? We’ll go through each of them to see where those systems stand. Let’s start with access control. And this is just drawing from public sources, so, again, Ed Hasbrouck, this privacy advocate in California, he has been the loudest voice here, saying there’s overreach by a lot of players already accessing PNR information. So e.g. if you have a booking, let’s say a flight booking, anybody who works at this airline can access your information. But then, if you add, let’s say, a car reservation to the same booking, anybody who works at the car rental company can also access, let’s say, the flight information. And any agent at the booking agency that you use can access all of this information. And if you keep adding information all of these people still have access to it. That’s just how these systems grew over time, but that’s a first indication to me that this certainly wasn’t built with modern security in mind. Most concerningly, the people working at or for the GDS companies, they have access to everything, absolutely everything. Including their support staff, as far as I understand. So these are external companies that help debug the system, and they have access to hundreds of millions of people’s private information.
0:13:15.253 So way too many people have access to way too much information, e.g. if you did an online booking your IP address is stored there, basically forever, well, until the flight is over. But any of these people can now access your IP address, your e-mail address, phone number and all of this. So definitely that doesn’t seem to be fine-grained access control. But, as I said earlier, this has been known for a long time and criticized a lot. Not acted on, though, yet! How about authentication? The picture is actually even worse for authentication. And I want to distinguish two different cases here. I wanna distinguish professionals accessing records, so people working at travel agencies and airlines. And, as a second case, I wanna distinguish travelers accessing their own records, like when you check in online, e.g., you access your own record. Professionals, the way they access it, typically, is that their agency is connected to one of these GDSs through basically one account. So an entire agency system, or at least an entire location, uses one account. So years ago somebody typed in some user name and password, and then it’s long been forgotten because locally they use a different access management. A few travel agencies were kind enough to help us in this research, and their access credentials, we saw them using, they’re just terrible. E.g. for one of the big systems that I won’t name you need the agent ID, so that you can get pretty easily.
And then a password for the web service, so, the modern way of accessing, this is WS for web service and the date on which the password was created. So even if you have to brute-force 20 years, how many possible dates does a single year have? Times 20. This is ridiculously low entropy for an account that is supposed to protect information of millions of people, if not more. This is the best authenticator that we found in these systems!
[laughter]
It gets worse with travelers accessing their own information. Because there they just simply forgot to give you a password, not even a terrible password like this; there just isn’t one. And what they use instead is the booking code, ‘PNR locator’ it is sometimes called. I call it booking code. It’s a six-digit code. When you check in online you need that code. And you only need that code and your last name. So you’d imagine that, if they treat it as a password equivalent then they would keep it secret like a password. Only – they don’t, but rather print it on every piece that you get from the airline, e.g. on every piece of luggage you have your last name and a six-digit code. On your boarding pass – it used to be there, and then it disappeared and then these barcodes showed up. So it’s inside the barcode. If you decode the barcode there is your PNR in there. I erased it here, this is still for a valid booking.
0:16:20.320 [laughter]
So, you have these six-digit codes printed everywhere and you can just find them on pieces of scrap at the airport. Certainly these tags you find all over, but also people throwing away their boarding passes when they’re done. And this is supposed to be the only way of authenticating users. And we’ll show you in a minute what kind of abuse is possible through that. But let’s first think about where else you could be able to find these PNR codes. Could it get any worse than somebody printing your password on a piece of paper that you throw away at the end of your journey? Of course the internet can make it worse! And what better technology to worsen the security problem than Instagram? So on Instagram…
[laughter and applause]
So you got all these bookings. And, in fact, there was one guy here, you see, he actually erased the information. But for one who knows what’s up, everywhere, there’s a hundred who don’t. And this is really all information you need. I saw a Lufthansa one just now, where was that? – Here. So here is a Lufthansa one. This is from today, posted by markycz at Frankfurt. This is really all you need to get somebody’s…
[laughter and applause]
Let’s see if this works. Yeah, sure enough. So.
[laughter]
‘Marky M.’ on Instagram is apparently Marketa Mottlova and this is her booking reference.
0:18:28.160 [laughter]
I was debating whether or not to show this but you guys are gonna do it anyway when I’m done with this talk.
[laughter]
[cheers and applause]
So a flight today from Munich to Frankfurt and then, on to Seattle. Let me point out one thing here. Where did I see the ticket number?
[off-camera mumbling on stage]
Just use mine! It’s AndroidAPKN. Oops. And then let me write down the password. Okay. Alright. So what I wanted to point out is that this isn’t even a Lufthansa ticket. So she checked in with Lufthansa in Frankfurt. But if you look at the ticket number, 016, that’s a United [Airlines] ticket. And it also includes flights on Alaska Airlines, e.g. So any of these airlines have full access to this PNR. And many of them will just grant people access to it if they know the PNR and the last name. As Nemanja will show in a minute, even if they don’t know that yet. So... To recap for the moment: airlines give you a six-digit password that they print on all kinds of pieces of paper and that you will post on Instagram. Why shouldn’t you, everybody else does, too, apparently. 75,000 people at least over the last couple of weeks. So the authentication model here is severely broken, too. And what kind of abuse arises from this?
0:21:05.420 Of course, you can now use this PNR, log in on Lufthansa as I have just done, or a more generic web site, like Checkmytrip, and look up people’s contact information at the very least. So there’s always an email address in there. There’s usually a phone number in there. If in Lufthansa you click on “I wanna change my booking” probably they’ll ask you for your payment information and pre-fill the postal address for that. So you get somebody’s postal address that they used for the booking, passport information, visa information. If you travel to the U.S. as she does there’s definitely passport information in the PNR. All of this information is now readily accessible. Now so far there was zero hacking involved. That’s why we have Nemanja here who will show you some actual hacking to get even deeper into these systems. Can we switch the screen?
0:22:03.230 Nemanja Nikodijevic: So when…
[laughter]
When we started this research we needed to find lots of these booking numbers to see if there is some relation between them. So luckily we didn’t have to make any bookings that we had to pay for because there are web sites like this one where you can just make a booking and pay it later but you get the booking reference number at the time. So let’s make some very normal German name…
[laughter]
…looking for someone from Germany. Actually they check the phone number, so it has to follow a certain form.
0:22:52.550 Let’s find Germany… from Berlin, 1234567.
[laughter]
And then ‘hans@sandiego.com’. As you can see I tried quite some…
[laughter]
So for this one we already got our booking reference number which is Y56HOY. And this one, in a minute. Okay, we have to wait a bit. Y5LCF4. So if you notice they are very close to each other, so they both start with Y5 which means that they were booked on the same day. Probably because one is on Lufthansa, the other one is on Air Berlin, there is a slight difference. They are not exactly sequential. But we can say that they are concentrated in a certain range for a certain day. What we can do now is we can go to one of our servers. At first we have to check if Checkmytrip works because I had some issues with the network. That’s… ooh!
[laughter]
This is a bit unexpected. We will have to skip this part where we actually look for Carmen Sandiego in one of our bookings. But…
0:24:29.210 Karsten: Well, this is a side effect of responsible disclosure. So you tell a company that on this day you’ll do that thing to that web site, and they just either block the IP ranges here or just took down the web site, which they have done a few times before. What you can do is… – say it again!!
0:24:48.430 From audience: Can you test the hot spot?
0:24:52.590 Karsten: Actually, I think the whole web site is turned off.
0:24:56.880 Nemanja: What we can demonstrate, I think, is that if we go with this booking number to the Air Berlin web site, and then type the last name, “Mueller”. And actually, because it’s six-bit encoding it has to be “UE”, no umlauts allowed. So, “Select all the food!”
[laughter and applause]
Let’s see if we can find this flight.
0:25:29.353 Karsten: The part of the demo that you didn’t show is just brute-forcing these ranges. If you know which ranges are used in a day you can try them all. Or at least we did many times. That would then, in theory, give you access to all of this. And not just in theory, in practice, unless they take down their entire web site which they knew we were gonna use for this demo.
0:25:52.592 Nemanja: But on this, for example, if we caught that flight that we wanted to catch…
0:25:58.270 Karsten: We’ll show it later. But at least the first win for privacy: no information is leaked through this web site for the rest of this talk, at least!
[laughter and applause]
Can we switch back to the other screen?
[ongoing applause]
One thing that you would have noticed had this not just been a flight reservation but an actual ticket: it would have given you options to rebook it, to add a frequent flyer number, all of that good stuff. So what’s the abuse potential here? So far we’ve only talked about privacy intrusion. And privacy intrusion is bad enough.
Imagine somebody is snapping a picture of your luggage, that person has your email address and your phone number, right there, right then. But the abuse potential goes much beyond that. For instance, you can fly for free! You can fly for free using different methods. You can find somebody else’s booking and just change the date. The ticket… in fact, we can show it a little bit later. We had prepared for this demo that we are going to find, through a little bit of brute-force, a flexible ticket. So you can just change the date, and change the email address. You just take that flight yourself. And as the airline checks… compares the ticket and your passport – oftentimes they do it visually. What they’ll do is they’ll send you a PDF, you change the name, you take it anyway. But at least in Schengen, in the EU, people don’t even do that. Let’s say you wanted to take it in your name. You can, depending on the airline, call them up or even use their web sites to cancel the ticket, and then issue a refund to you inside the PNR, and then use the money that’s freed up there to book a new ticket. Some airlines also give you MCOs – miscellaneous charges orders. Americans will know this very well, every time you get bumped from a flight they give you an MCO, “sorry, we can’t fly you home today, you’ll have to go tomorrow, but here is $1,000 towards a new ticket”. It’s real airline cash. And those same MCOs you can issue based on flight cancellation.
So you cancel somebody else’s ticket and you get airline money to book your own ticket. And, again, there are no passwords involved. The only authenticator is this six-digit sequence that people post on Instagram, print on their boarding passes and that Nemanja should be able to brute-force on their web sites. What else can you do, once you have somebody’s PNR? You can change or add a mile number. And some tickets are really attractive for mile collection. Take a round trip to Australia in 1st class, get 60,000 miles right there, for one round trip, for one PNR. And that will get you a sweet, free flight to somewhere nice, or even some voucher for online and offline shopping. One website that I wish was still working is, of course, this one.
[laughter]
But they shut down business, apparently. Unrelated to this talk.
[laughter and single claps]
So you have access to somebody’s PNR, you can not just stalk them but change their flights or – which may trigger some curiosity – that flight can be taken twice. But you can very stealthily add your mile number everywhere, well, a new mile number matching that name, to collect those sweet miles. Now, are all airlines affected by that? The demo that we didn’t get to show brute-forced for one last name, Sandiego, all the PNRs for a day. And it quickly found, in fact, a bunch of records. There’s not just one Sandiego flying that day. But in some airlines they’re a little bit smarter.
For instance American[br]Airlines, the largest airline in the world, 0:30:19.050,0:30:24.790 they don’t just want the last name[br]but also the first name. And if you’re 0:30:24.790,0:30:28.150 interested in one specific person, let’s[br]say ‘Carmen Sandiego’, you would still 0:30:28.150,0:30:32.920 find that person. But if you want to[br]conduct fraud that becomes a little bit 0:30:32.920,0:30:39.580 more tricky. A fraudster would just pick[br]a random, very popular last name and 0:30:39.580,0:30:45.610 brute-force PNRs there. And that becomes[br]more difficult if also you have to guess 0:30:45.610,0:30:51.990 a first name. However, even American[br]Airlines, those records can be accessed 0:30:51.990,0:30:57.200 through other web sites. For instance Viewtrip,[br]this is another generic web site like this 0:30:57.200,0:31:02.050 infamous Checkmytrip that just went[br]offline. And Viewtrip allows you 0:31:02.050,0:31:08.880 to brute-force by just last name and PNR,[br]again. So there’s multiple ways to access 0:31:08.880,0:31:13.570 the same information. Some of which are[br]more secured than others. And, of course, 0:31:13.570,0:31:18.831 only the weakest link mattered. So[br]Viewtrip, what they would say is 0:31:18.831,0:31:24.549 they found the record and they can’t give[br]you access to the information but then 0:31:24.549,0:31:29.090 TripCase will which, again, takes only[br]last name and reservation number. 0:31:29.090,0:31:32.980 And they will tell you the first name[br]also that then you can type in to 0:31:32.980,0:31:34.960 the American Airlines web site again[br]laughter 0:31:34.960,0:31:42.559 to change the booking, let’s say. So[br]there’s all these different ways to access 0:31:42.559,0:31:47.920 a person’s information here. And everybody[br]is slightly different. So let’s look at the 0:31:47.920,0:31:55.830 entire universe of travel web sites,[br]starting with just three big travel providers. 
0:31:55.830,0:32:02.950 Each of them uses six-digit booking codes.[br]But they use these six digits rather 0:32:02.950,0:32:08.250 differently. Sabre e.g. they don’t use any[br]numbers which of course severely impacts 0:32:08.250,0:32:16.530 the entropy. But then others, e.g. Amadeus,[br]they don’t use 1 and 0, because that could 0:32:16.530,0:32:23.860 be confused with i and o, and then[br]Galileo drops a few other characters. So 0:32:23.860,0:32:27.950 at the end of the day none of them really[br]used the entropy of even a six-digit 0:32:27.950,0:32:34.490 pass code. All of them are in entropy[br]lower than a randomly chosen 5-digit 0:32:34.490,0:32:38.410 password. And we will never recommend[br]anybody to use a 5-digit password, right? 0:32:38.410,0:32:44.030 So this is strictly worse. And what[br]makes it even worse, at least for 0:32:44.030,0:32:47.910 privacy-intruding attacks, is the[br]sequential nature of these bookings. 0:32:47.910,0:32:53.181 You saw the two that Nemanja just now[br]generated. Both of them were from 0:32:53.181,0:32:57.930 the same, very small subset. So if you[br]just wanted to know all the bookings 0:32:57.930,0:33:01.820 that a person did today, you can[br]brute-force this in 10 minutes 0:33:01.820,0:33:06.900 with a few computers running in parallel.[br]It’s not so easy on Sabre because 0:33:06.900,0:33:12.160 they seem to be chosen more randomly.[br]However, Sabre has the lowest entropy, 0:33:12.160,0:33:18.460 so if you just randomly want to find[br]bookings for popular last names Sabre is 0:33:18.460,0:33:27.410 your system of choice. They’re all weak,[br]but the weaknesses differ in shades of grey 0:33:27.410,0:33:31.610 for this privacy intruding and for the[br]financial fraud-type attacks. 
0:33:31.610,0:33:37.390 As one example, though, of how easy it is[br]to find these booking codes, if you 0:33:37.390,0:33:45.030 look up 1,000 just randomly chosen booking[br]codes in Sabre for the last name ‘Smith’ 0:33:45.030,0:33:50.970 five will come back with current bookings.[br]So half a percent of the entire name space 0:33:50.970,0:33:55.900 is filled with current bookings for people[br]called ‘Smith’! Now, add in all the other 0:33:55.900,0:34:01.670 last names, their name space must be[br]pretty damn full. And it’s only 300 million 0:34:01.670,0:34:05.549 records if you calculate the entropy.[br]So it looks like almost every record 0:34:05.549,0:34:09.650 is used up and they’re running out of[br]space. So they’ll have to fix this anyway 0:34:09.650,0:34:14.580 at some point. But that, of course, makes[br]it all the easier to randomly find and 0:34:14.580,0:34:22.409 abuse other people’s bookings.[br]Each of those providers runs a website 0:34:22.409,0:34:26.239 that allows you to access all the PNRs in[br]their system if you know the PNR and 0:34:26.239,0:34:31.540 the last name. And one German reporter[br]writing about this, he calls them the 0:34:31.540,0:34:38.280 websites that you didn’t know existed,[br]that you have no use for but that, anyway, 0:34:38.280,0:34:43.510 put your privacy at risk. So there doesn’t[br]seem to be any upside to these web sites. 0:34:43.510,0:34:47.590 I certainly don’t need to use them[br]but they’re there, and they’re bad. 0:34:47.590,0:34:52.469 Because when we did the research none of[br]them had any protection from brute-forcing 0:34:52.469,0:34:56.599 meaning we could try 100,000, even[br]millions of different combinations 0:34:56.599,0:35:01.869 – PNR and last name – and those[br]websites wouldn’t complain even a bit. 
0:35:01.869,0:35:09.390 We did expose Amadeus to way more[br]queries than the others and at some point 0:35:09.390,0:35:13.040 they did notice, maybe also because some[br]reporters just asked them for comments 0:35:13.040,0:35:19.480 on the research. They have tried to[br]improve. So the classic checkmytrip.com 0:35:19.480,0:35:24.090 website that was just killed a few days[br]ago – R.I.P., thank you, it’s gone, 0:35:24.090,0:35:29.780 50% of the problem solved. But the other[br]website, that was still around up until 0:35:29.780,0:35:35.710 literally half an hour ago. What they[br]did over the last couple of days was, 0:35:35.710,0:35:41.390 they added a captcha. But the captcha gave[br]you a cookie. And the cookie you could 0:35:41.390,0:35:45.890 again use for an indefinite number of queries.[br]laughter 0:35:45.890,0:35:51.840 It’s a company that just hasn’t done web[br]security before. But then they also 0:35:51.840,0:35:56.820 limited the number of requests per IP[br]address. Now, we do this from Amazon, 0:35:56.820,0:36:01.920 so it’s not so difficult to spawn new[br]IP addresses, but still… it severely 0:36:01.920,0:36:10.720 slows us down. About 1,000 requests per[br]IP address. Even if they now took down 0:36:10.720,0:36:15.500 checkmytrip for good, of course, this is[br]not the only path to a reservation. 0:36:15.500,0:36:21.242 As we’ve seen before you can just use[br]the provider’s web site directly. And the 0:36:21.242,0:36:26.350 popular ones in Germany, they differed in[br]security quite a bit when we checked 0:36:26.350,0:36:30.080 a few weeks ago. So Lufthansa itself[br]differed on their different properties. 0:36:30.080,0:36:35.190 The standard website asked for a captcha,[br]not the first time, but I think starting 0:36:35.190,0:36:39.740 from three requests, so a really good[br]compromise. They make it comfortable 0:36:39.740,0:36:44.540 to use for really anybody who just wants[br]to look up their own records. 
But then 0:36:44.540,0:36:48.250 they make it a little bit more painful[br]for somebody who tries to look up 0:36:48.250,0:36:52.958 too many. But then the mobile version e.g.[br]didn’t have that captcha. And again, 0:36:52.958,0:36:58.690 weakest link principle applies. Air[br]Berlin, they had some rough IP filter, 0:36:58.690,0:37:02.359 again, 1,000 requests per IP, that’s[br]a little bit too much, they introduced 0:37:02.359,0:37:08.590 a captcha today! So, again, in response[br]to this. This is already showing 0:37:08.590,0:37:13.940 some effect. Thank you to checkmytrip[br]and Air Berlin for working on this 0:37:13.940,0:37:19.649 over the holidays, much appreciated.[br]Maybe, if you know anybody, thank you! 0:37:19.649,0:37:28.340 applause 0:37:28.340,0:37:35.020 On the other GDS’s the situation is much[br]worse still. They’re still as brute-forceable 0:37:35.020,0:37:41.970 as they ever were, as are the web sites.[br]Except for the little bit of first-name 0:37:41.970,0:37:48.810 extra complication on American Airlines,[br]every web site we have tried is not protected 0:37:48.810,0:37:55.540 from brute-forcing. And this is surprising[br]to me. In my consulting work I have 0:37:55.540,0:38:00.480 never seen a web site where not the first[br]pentester ever looking at it would say: 0:38:00.480,0:38:04.190 “Oh, you didn’t have rate limiting in it,[br]please add it!” and then, two days later 0:38:04.190,0:38:10.310 they had. So for most of this industry[br]that is yet to happen. So no cookie here, 0:38:10.310,0:38:18.950 either. Let’s talk about one more abuse[br]scenario that’s… I can say they’re very 0:38:18.950,0:38:22.400 relevant but that’s maybe because in my[br]consulting life I’ve been dealing with 0:38:22.400,0:38:28.109 human security for the last couple of[br]years, appreciating that technology 0:38:28.109,0:38:32.609 is mostly not the weakest link but the[br]gullibility of people working 0:38:32.609,0:38:38.220 in the company. 
And the same probably goes[br]for travelers. Imagine the scenario where 0:38:38.220,0:38:42.400 you made a booking, just a few minutes[br]ago. And now that airline, or at least 0:38:42.400,0:38:46.859 it looks like that airline, sends you an[br]e-mail saying “Thank you for making 0:38:46.859,0:38:53.160 this reservation, here is all your booking[br]stuff, summarized for you, please update 0:38:53.160,0:38:57.480 your credit card information, though.[br]The booking didn’t go through.” 0:38:57.480,0:39:03.310 I would click on that. I expect them to[br]e-mail me, I know that sometimes 0:39:03.310,0:39:08.170 credit cards are fuzzy, I would click on[br]it and enter my credit card information 0:39:08.170,0:39:13.830 again. And how is this possible? Of course[br]we can stay ahead of the current pointer 0:39:13.830,0:39:18.410 in these sequences and find bookings[br]that were made in the last, let’s say, 0:39:18.410,0:39:23.950 half an hour, for popular last names[br]again. And each of those bookings will 0:39:23.950,0:39:28.369 point us to an e-mail address, and give us[br]all the context we need to include in this 0:39:28.369,0:39:33.740 very, very targeted phishing. If nothing[br]else, I think this should convince 0:39:33.740,0:39:38.480 the airline industry to close these loop[br]holes because the evilness of the internet 0:39:38.480,0:39:43.190 will not ignore this forever. Phishers are[br]always looking for new targets, and 0:39:43.190,0:39:52.369 this will be a very juicy one. So we[br]looked at the three big GDS’s now. 0:39:52.369,0:39:59.330 There’s a few other players, e.g. SITA.[br]It looks like on the way out but these two 0:39:59.330,0:40:03.830 very big airlines, they still use it. So[br]they’re certainly still relevant. They are 0:40:03.830,0:40:08.430 even worse. They use, instead of a[br]six-digit booking code they use five digits. 0:40:08.430,0:40:12.540 And one digit is fixed per airline. 
So if[br]you know you’re looking for Air India 0:40:12.540,0:40:18.770 you don’t even have to brute-force that[br]leaving just four digits to go through, 0:40:18.770,0:40:23.560 and to brute-force. Now we don’t have[br]a demo for this because we found three 0:40:23.560,0:40:28.670 other more fun ones to demo. So…[br]laughter 0:40:28.670,0:40:35.910 Nemanja will now show you RyanAir, Oman[br]Air and Pakistan International Airlines. 0:40:35.910,0:40:42.710 Note that all of these are connected to[br]big GDS systems. So it’s now the web sites 0:40:42.710,0:40:48.359 that make it even worse than we already[br]discussed before. And can we switch over 0:40:48.359,0:40:51.850 to the other computer again? Thanks. 0:40:51.850,0:40:57.900 Nemanja: Yeah, I guess, many people[br]fly with Ryan Air here. 0:40:57.900,0:41:02.359 They use Navitaire which is now owned by[br]Amadeus. 0:41:02.359,0:41:06.780 So they don’t share the same address space.[br]But on the Ryanair web site you can 0:41:06.780,0:41:10.510 either search for the reservation with the[br]e-mail address and the reservation number 0:41:10.510,0:41:15.020 or the last four digits of the credit card[br]that you used for booking. 0:41:15.020,0:41:16.020 laughter 0:41:16.020,0:41:20.770 Karsten: Again, great authenticator,[br]right? Ten thousand options. 0:41:20.770,0:41:29.820 Nemanja: As they don’t have captcha[br]we can have a look for… 0:41:29.820,0:41:34.430 So we know that the last four digits of 0:41:34.430,0:41:36.300 Carmen Sandiego’s card are these. 0:41:36.300,0:41:38.551 Karsten: And if not we can just try all[br]ten thousand. 0:41:38.551,0:41:42.130 Nemanja: We can just try, yeah. We can[br]do the other way around. So this way 0:41:42.130,0:41:48.270 we know that… and that it starts[br]with these characters. And let’s try 0:41:48.270,0:41:54.130 to brute-force it. In the meantime[br]let’s have a look at the Oman Air. 0:41:54.130,0:41:57.890 They ask for the booking reference[br]and for the departure airport. 
But 0:41:57.890,0:42:01.900 departure airport doesn’t have to be just[br]the departure airport but it can also be 0:42:01.900,0:42:07.082 any airport that is within the reservation.[br]So for Oman Air we think that it’s 0:42:07.082,0:42:13.090 Muscat which is the capital.[br]So usually… most of these flights 0:42:13.090,0:42:18.420 go through there. Let’s see[br]if we can find someone who is… 0:42:18.420,0:42:24.430 Karsten: And he’s now just trying random[br]booking codes that are valid within 0:42:24.430,0:42:28.820 that name space. So, again, they don’t[br]really use the full entropy. So that makes 0:42:28.820,0:42:32.830 the search a little bit quicker but other[br]than that it’s just a pure brute-force. 0:42:32.830,0:42:37.830 Nemanja: And as there is no captcha as you[br]can see we can go on to the next one. 0:42:37.830,0:42:39.869 So this one is the winner! 0:42:39.869,0:42:44.180 laughter 0:42:44.180,0:42:53.609 They trust you that it’s yours![br]strong applause 0:42:53.609,0:43:00.780 And let’s see … so we already have one[br]for the Oman Air. Okay. This is the one… 0:43:00.780,0:43:01.780 this is where… 0:43:01.780,0:43:04.910 Karsten: That was RyanAir, huh? 0:43:04.910,0:43:07.180 Nemanja: This is the RyanAir, yeah. 0:43:07.180,0:43:10.670 So we didn’t bring these two characters. 0:43:10.670,0:43:15.110 But… because we wanted to hide it. If we[br]accidentally hit some booking with that 0:43:15.110,0:43:18.840 card number we don’t want to show the[br]booking reference number of someone else. 0:43:18.840,0:43:27.820 So it might be even some[br]of the people here. We can try… 0:43:27.820,0:43:33.950 Even got one from the Pakistan. Carmen[br]Sandiego is flying from SXF to TSR. 0:43:33.950,0:43:45.750 And here we can just enter the…[br]what was the, I think… if I’m right… 0:43:45.750,0:43:54.140 Let’s see if this will work. Yeah, okay. 0:43:54.140,0:43:55.400 Hello Carmen Sandiego. 
0:43:55.400,0:44:01.099 Karsten: So now we know where Carmen[br]Sandiego is, finally. The point is, 0:44:01.099,0:44:05.450 we made, you can brute-force these web[br]sites rather easily and you don’t really 0:44:05.450,0:44:10.410 trigger any alerts there, apparently.[br]Which, again, coming from 0:44:10.410,0:44:15.180 an IT security background I find pretty[br]shocking. Can we switch back to 0:44:15.180,0:44:25.140 the other screen? Let’s look at the last[br]security feature that we would expect 0:44:25.140,0:44:30.090 any IT system to have, these days.[br]Especially knowing that it has been 0:44:30.090,0:44:33.880 criticized for lack of IT security for[br]a long time. And that, of course, 0:44:33.880,0:44:40.260 is accountability, logging. At least track[br]who’s legitimately or illegitimately 0:44:40.260,0:44:45.010 accessing these records. It turns out[br]that it has been asked for a long time 0:44:45.010,0:44:50.410 by different people, again most notably[br]Ed Hasbrouck, this privacy advocate, 0:44:50.410,0:44:55.400 but also other reporters and other[br]advocates have come across this 0:44:55.400,0:44:59.950 for years, saying “there’s rumors that,[br]let’s say, the Department of Homeland 0:44:59.950,0:45:05.040 Security in the U.S., they have root access[br]in these GDS’s. Where are the records, 0:45:05.040,0:45:10.310 whether they are accessing it or not.[br]Where are the records for abuse by 0:45:10.310,0:45:15.390 support staff in these GDS companies.[br]Where are any records?” 0:45:15.390,0:45:19.250 The GDS companies have always said,[br]“oh, we can’t keep any records, it’s 0:45:19.250,0:45:26.240 not technologically possible.” I call BS[br]on that. They are logging… in the tiniest 0:45:26.240,0:45:30.520 minutia, any change to a reservation[br]there’s a log for. And then an access log 0:45:30.520,0:45:34.910 does not exist? And it’s not[br]technologically possible? 
I think there’s 0:45:34.910,0:45:40.119 a completely different reason behind here.[br]If, in fact, these companies gave access, 0:45:40.119,0:45:45.130 unlawful access, or at least in violation[br]of privacy laws in, let’s say, 0:45:45.130,0:45:49.580 the E.U. or Canada, if, in fact, they gave[br]that access to other governments 0:45:49.580,0:45:54.530 the last thing you want is a trail of[br]evidence showing that people have 0:45:54.530,0:46:01.070 access to records. So this has nothing to[br]do with technological restrictions, this is 0:46:01.070,0:46:05.570 purely – those companies don’t wanna be[br]in the middle of a debate where probably 0:46:05.570,0:46:10.810 some sealed order in the U.S. makes them[br]disclose all this information but laws 0:46:10.810,0:46:14.820 in Europe make them not disclose the[br]information. They just don’t wanna have 0:46:14.820,0:46:20.920 evidence either way. But that leaves us[br]in a very peculiar position where now 0:46:20.920,0:46:26.020 we know that these systems are insecure,[br]use very bad authenticators, expose this 0:46:26.020,0:46:31.160 over web sites that can be brute-forced[br]and don’t keep any record of if that 0:46:31.160,0:46:36.780 actually happens. So it’s completely[br]unknown how much abuse may be 0:46:36.780,0:46:41.810 happening here. I think we can be pretty[br]certain that the flight changes for people 0:46:41.810,0:46:45.470 to fly for free, that they are not[br]happening very frequently because that’s 0:46:45.470,0:46:50.580 the only one of these attack methods that[br]would leave very clear evidence, somebody 0:46:50.580,0:46:55.400 actually complaining, saying “I wanted to[br]take my flight but apparently somebody 0:46:55.400,0:47:01.180 else already took it before me, or[br]canceled it and took off with the money. 0:47:01.180,0:47:04.630 But the other cases we have no idea[br]whether or not they’re happening. 
0:47:04.630,0:47:08.480 They’re technologically possible, and[br]nobody seems to be looking for these 0:47:08.480,0:47:17.040 abuse patterns. In summary, there’s just[br]three big global databases, two in the U.S., 0:47:17.040,0:47:24.240 one in Europe. They keep all the[br]information on all the travelers. 0:47:24.240,0:47:29.230 This information includes your personal[br]contact information, payment information, 0:47:29.230,0:47:34.250 your IP address. So lots of stuff that in[br]a lot of other systems we consider 0:47:34.250,0:47:39.700 sensitive, private even. And it should be[br]protected with a good password. We would 0:47:39.700,0:47:44.490 advise people to use an 8-character or[br]longer password, with special characters. 0:47:44.490,0:47:48.839 None of that exists here. The passwords[br]here are six digits. They are less than 0:47:48.839,0:47:53.770 five digits’ worth of entropy. They’re[br]printed on scraps of paper that you 0:47:53.770,0:47:58.720 throw away. They are found on Instagram[br]and they’re brute-forceable through numerous 0:47:58.720,0:48:04.290 web sites by the GDS companies and through[br]the travel providers. So this is very, 0:48:04.290,0:48:10.920 very far away from even weak internet[br]security. This really predates the internet 0:48:10.920,0:48:17.970 in stupidity and insecurity. And while[br]there’s multiple scenarios in which 0:48:17.970,0:48:23.980 either privacy of users is at risk or even[br]fraud could happen none of this is even 0:48:23.980,0:48:28.570 logged, and nobody knows or has any way[br]of knowing the magnitude to which 0:48:28.570,0:48:33.130 these systems are already abused.[br]So what do we need here? 0:48:33.130,0:48:38.260 We clearly need more limitations on who[br]can access what. This is not just my ask. 0:48:38.260,0:48:43.020 This has been asked for 10 to 20 years.[br]But more on the technical level, 0:48:43.020,0:48:48.730 in the long term, we need passwords for[br]every traveler. 
You should be able 0:48:48.730,0:48:53.380 to post a picture of your boarding pass[br]on Instagram without having to worry 0:48:53.380,0:48:57.140 about somebody abusing it. This is a piece[br]of paper that you will throw away. 0:48:57.140,0:49:02.870 There should be nothing secret about it.[br]If you wanna share it – feel free to. 0:49:02.870,0:49:08.010 Somebody else needs to add a password[br]to make that safe again. 0:49:08.010,0:49:12.760 But that’s a very long-term goal. These[br]travel companies, they’re so interwoven, 0:49:12.760,0:49:18.080 as we saw today, that all of them really[br]have to move at the same time. 0:49:18.080,0:49:24.860 The GDS’s have to do their share. But then[br]each of the interconnected airlines has to do 0:49:24.860,0:49:29.119 their share. We saw this one random ticket[br]from Instagram, so this was a Lufthansa 0:49:29.119,0:49:35.810 ticket with some Alaska Air components[br]issued by United. So at least those three 0:49:35.810,0:49:40.020 companies have to work together. And how[br]many more different airlines today have 0:49:40.020,0:49:44.670 code-share agreements. So we’re talking[br]about hundreds of companies who have 0:49:44.670,0:49:50.260 to come together and decide “we wanna[br]introduce pass codes, passwords”, 0:49:50.260,0:49:54.730 whatever you wanna call them, “for each[br]booking”. So that is a long-term goal. 0:49:54.730,0:49:59.100 In the short term, though, at the very[br]least we can expect, is for all these 0:49:59.100,0:50:04.720 web sites that do give access to travelers’[br]private information to do the bare minimum 0:50:04.720,0:50:09.460 of web security. At the very least[br]some rate limiting. Don’t allow us 0:50:09.460,0:50:16.000 to throw millions of requests at your[br]properties, and give us back honest 0:50:16.000,0:50:22.230 answers. That is unheard of anywhere else[br]in the “cloud”. 
But for travel systems 0:50:22.230,0:50:27.800 who claim for themselves to be the first[br]cloud ever this seems to be very standard. 0:50:27.800,0:50:32.240 And then, finally, until all of this can[br]be guaranteed, until there’s passwords 0:50:32.240,0:50:36.349 and until there is good rate limiting[br]I think we have a right to know 0:50:36.349,0:50:40.849 who accesses our records, and there must[br]be some accountability. Especially, 0:50:40.849,0:50:46.300 knowing how insecure these systems are[br]today. This is a long way, and I can only 0:50:46.300,0:50:52.540 hope that we are starting a journey by[br]annoying large companies like Amadeus. 0:50:52.540,0:50:58.260 They have done their little bit of fixing[br]over the weekend now, so hopefully 0:50:58.260,0:51:02.410 some others will follow suit and we[br]will have better systems. Until then, 0:51:02.410,0:51:07.050 of course, I can only encourage all of you[br]to look at more of these travel systems 0:51:07.050,0:51:10.950 because there’s plenty more to find.[br]We’re only scratching the surface here. 0:51:10.950,0:51:14.650 And, more generally, to look at more[br]legacy systems. I think we’re spending 0:51:14.650,0:51:20.119 way too much time making some already[br]really good crypto just a tiny bit better 0:51:20.119,0:51:25.060 or finding a really good mobile operating[br]system the next little jailbreak 0:51:25.060,0:51:31.780 that will be fixed two days later anyhow[br]ignoring all these huge security issues 0:51:31.780,0:51:36.250 that have been there for many, many years[br]in systems that are a little bit less sexy 0:51:36.250,0:51:40.290 and riddled with bug bounties than[br]something else that we do spend a lot 0:51:40.290,0:51:46.970 of time on. So I hope I could encourage[br]you to do that. 
I wanna just hand out 0:51:46.970,0:51:52.690 a few thank-yous to members of our team[br]without whom this research wouldn’t 0:51:52.690,0:51:58.310 have been possible, and to a few industry[br]experts who were kind enough to 0:51:58.310,0:52:02.630 read over these slides and provide[br]feedback, and help us hopefully 0:52:02.630,0:52:07.880 not have any major gaps in our[br]information. And then, to you for 0:52:07.880,0:52:11.500 showing up in such great numbers,[br]thank you very much! 0:52:11.500,0:52:29.920 applause 0:52:29.920,0:52:33.560 Herald: Wow, great talk. Thank you[br]very much! We have five minutes 0:52:33.560,0:52:38.550 for Q&A. So please line up on the[br]microphones, and we’ll take 0:52:38.550,0:52:40.560 some questions. First one! 0:52:40.560,0:52:44.300 Question: Do you have any indication of[br]how secure the systems are on the other 0:52:44.300,0:52:48.674 end, where the airlines supply their[br]fares into the entire systems? 0:52:48.674,0:52:53.869 Is there any indication that those systems[br]might be more secure than 0:52:53.869,0:52:59.180 on the customer side? Or would it[br]be easy to inject a cheap fare, e.g. 0:52:59.180,0:53:02.859 by impersonating the airline[br]with weak passwords? 0:53:02.859,0:53:08.450 Karsten: Honestly, we don’t know.[br]It was definitely on our list to research 0:53:08.450,0:53:14.160 but we don’t have time for everything so[br]we focus more on the customer privacy. 0:53:14.160,0:53:18.660 But one thing that I really would want[br]to test if I had any way of doing it: 0:53:18.660,0:53:24.280 imagine the parsers for these strings.[br]Imagine injecting some special characters 0:53:24.280,0:53:32.190 in that. I don’t know who creates these[br]strings and maybe I don’t wanna know. 
0:53:32.190,0:53:37.990 But if anybody does and you could play[br]with some SQL commands I think a lot of 0:53:37.990,0:53:42.880 web sites would wake up understanding that[br]on that front they don’t do enough 0:53:42.880,0:53:44.970 security either. 0:53:44.970,0:53:48.300 Herald: Okay, question[br]from the Signal Angel? 0:53:48.300,0:53:52.040 Signal Angel: A question from IRC.[br]Recently, U.S. Customs and Border Patrol 0:53:52.040,0:53:56.430 started collecting social media identifiers[br]for foreign citizens trying to enter 0:53:56.430,0:54:00.470 the U.S. on a Visitor Visa. Could that[br]information be accessible through PNRs? 0:54:00.470,0:54:04.830 Karsten: That’s a good question.[br]I don’t think you would be. 0:54:04.830,0:54:07.030 From Audience: They are! 0:54:07.030,0:54:08.680 Karsten: So, I… 0:54:08.680,0:54:11.430 From Audience: Yes, they are! 0:54:11.430,0:54:13.580 Karsten: They are in the PNR? 0:54:13.580,0:54:15.140 From Audience: Yes! 0:54:15.140,0:54:16.390 Karsten: Okay. 0:54:16.390,0:54:18.650 laughter 0:54:18.650,0:54:25.590 I would have imagined that it’s[br]more a case like this journalist, 0:54:25.590,0:54:32.589 Cyrus Farivar. He requested through[br]FOIA disclosure all the records that 0:54:32.589,0:54:36.600 the U.S. Government kept on his[br]travelling. And he found a lot more stuff 0:54:36.600,0:54:41.899 than just in the PNR. They had notes in[br]there like “he’s a journalist”, “we had 0:54:41.899,0:54:45.560 to search him extra for that”, stuff like[br]that. So they don’t wanna write that 0:54:45.560,0:54:49.930 into the PNR. But the Government keeps[br]separate records that may be indexed 0:54:49.930,0:54:51.880 by PNR, I don’t know. 0:54:51.880,0:54:54.780 Herald: Okay, microphone here! 0:54:54.780,0:54:58.690 Question: Can you say something about[br]how long information will be stored 0:54:58.690,0:55:04.700 in those travel systems, and whether users[br]have a right to get them deleted? 
0:55:04.700,0:55:11.500 Karsten: That’s a good question. I think[br]that differs by system. So in Amadeus 0:55:11.500,0:55:17.180 records are removed pretty quickly. Days,[br]or at most, weeks after the last flight is 0:55:17.180,0:55:21.349 finally done. But in Sabre I had the[br]impression that much older records were 0:55:21.349,0:55:25.960 still in there. Which may explain why[br]their data set is so dense. If you keep 0:55:25.960,0:55:29.500 accumulating all the information. At the[br]end of the day this is all going back 0:55:29.500,0:55:33.859 to mainframe technology. So I don’t think[br]anybody understands these algorithms 0:55:33.859,0:55:36.210 any more. They just kind of work. 0:55:36.210,0:55:38.170 Question: The deletion? 0:55:38.170,0:55:41.750 Karsten: The deletion, yeah. I don’t think[br]you can request anything to be deleted. 0:55:41.750,0:55:45.890 I don’t think they consider you[br]a person that they wanna talk to. 0:55:45.890,0:55:47.560 You’re not the customer! 0:55:47.560,0:55:49.680 Question: Thanks! 0:55:49.680,0:55:52.150 Herald: Okay, the microphone[br]there, in the… 0:55:52.150,0:55:56.430 Question: It seems that the immediate way[br]to abuse these systems is, like you said, 0:55:56.430,0:56:01.710 with abusing money, and the mileage etc.[br]It seems that those paths are actually 0:56:01.710,0:56:05.800 somehow monitored by airlines, so if I’m[br]collecting miles and take it not under 0:56:05.800,0:56:09.460 my name that would raise some flags.[br]You think that’s not the case? 0:56:09.460,0:56:15.700 Karsten: Yes, I should have been more[br]explicit how this attack works, 0:56:15.700,0:56:19.950 the mile diversion. So, of course, you[br]have to have an account in the same name 0:56:19.950,0:56:24.570 as the person flying. So had his demo[br]worked, he would have a PNR for 0:56:24.570,0:56:28.650 a lady Carmen Sandiego. You can just go[br]to Miles & More and create an account 0:56:28.650,0:56:33.589 under that name. 
A lot of airlines, though,[br]they also allow you to change your name. 0:56:33.589,0:56:38.470 So you just change it whenever you found[br]a round trip Australia ticket, 0:56:38.470,0:56:42.510 you change the name to whatever that[br]target name is. And I know for a fact 0:56:42.510,0:56:49.040 that people are doing that right now, not[br]you guys, before even. Based on Instagram 0:56:49.040,0:56:53.720 photos. So people are diverting miles by[br]creating new accounts or by keeping 0:56:53.720,0:56:58.109 changing the names of the accounts.[br]And yes, airlines do sometimes notice this 0:56:58.109,0:57:04.790 but only when it becomes excessive.[br]And sure, that’s their money. I just hope 0:57:04.790,0:57:08.790 that it will become so excessive that[br]it’s such a big problem that it can’t be 0:57:08.790,0:57:13.760 ignored any more. And then the privacy[br]issues get fixed on the same token 0:57:13.760,0:57:18.470 where privacy is never enough to convince[br]a big company. But if you throw in 0:57:18.470,0:57:20.800 a little bit of fraud it may be enough. 0:57:20.800,0:57:29.080 applause 0:57:29.080,0:57:31.624 Herald: Okay, one last question.[br]Microphone here! 0:57:31.624,0:57:36.600 Question: Hi Karsten! When people use[br]like GDS’s they have these really archaic… 0:57:36.600,0:57:41.180 there are not even… there are like actual[br]terminals, not even pseudo-terminals. 0:57:41.180,0:57:45.190 And then they expose like these APIs for[br]the sake of writing your code in like Java 0:57:45.190,0:57:49.260 or whatever. I’m wondering if there’s[br]research to be done at that level? 0:57:49.260,0:57:53.880 Or did you just not look at that, or[br]that’s just an area of further research? 0:57:53.880,0:57:59.329 Karsten: We did, quite a bit. But we found[br]no way of making that public in any way 0:57:59.329,0:58:05.720 that wouldn’t require a login from a[br]travel agency and all of that good stuff. 
0:58:05.720,0:58:11.550 So I think the most I wanna say about that[br]is the logins that travel agencies have, 0:58:11.550,0:58:15.630 they’re terribly secured. But, of course,[br]I can’t encourage anybody to go out 0:58:15.630,0:58:20.630 and hack them. But if you did and you had[br]access you’d be logging in to something 0:58:20.630,0:58:24.760 that looks like a terminal. And you’d be[br]typing some commands. And the next thing 0:58:24.760,0:58:29.940 you know it throws a Java stack trace at[br]you. So these just look like terminals. 0:58:29.940,0:58:33.579 They have moved well beyond that while[br]still maintaining this look and feel 0:58:33.579,0:58:38.110 of a mainframe. And they’re terribly[br]insecure. So these stack traces, they just 0:58:38.110,0:58:41.510 come left and right even if you[br]try to do the right thing! 0:58:41.510,0:58:43.200 laughter 0:58:43.200,0:58:45.290 Question: Thanks![br]Herald: Okay we have one question 0:58:45.290,0:58:47.099 from the internet! 0:58:47.099,0:58:52.970 Signal Angel: Somebody wants to know,[br]how do you avoid DDoS’ing those services 0:58:52.970,0:58:56.730 when you just brute-force the booking[br]numbers? 0:58:56.730,0:59:01.813 Karsten: A good question. Of course we[br]don’t wanna hurt anybody, so we tried to 0:59:01.813,0:59:07.490 keep the rates low. And it turns out if[br]you throw 20 Amazon instances at them 0:59:07.490,0:59:09.711 they don’t go down yet. And… 0:59:09.711,0:59:11.460 laughter 0:59:11.460,0:59:14.260 Herald: Okay. Thank you very much,[br]Karsten and Nemanja! 0:59:14.260,0:59:20.559 applause 0:59:20.559,0:59:23.900 postroll music 0:59:23.900,0:59:45.000 subtitles created by c3subtitles.de[br]in the year 2020. Join and help us!