1
00:00:00,000 --> 00:00:16,602
33C3 preroll music
2
00:00:16,602 --> 00:00:21,660
Herald: So many of us
traveled to this Congress.
3
00:00:21,660 --> 00:00:24,870
Probably most of us. And we all took
4
00:00:24,870 --> 00:00:29,650
trains, or planes, or… maybe somebody
5
00:00:29,650 --> 00:00:33,250
drove by car. But most
took trains and planes.
6
00:00:33,250 --> 00:00:36,870
And have you guys ever wondered
about the infrastructure
7
00:00:36,870 --> 00:00:40,970
of those travel booking systems?
8
00:00:40,970 --> 00:00:45,249
Even more interesting, have you ever
9
00:00:45,249 --> 00:00:49,359
thought how secure those systems are?
10
00:00:49,359 --> 00:00:56,730
Karsten Nohl and Nemanja Nikodijevic…
11
00:00:56,730 --> 00:01:02,030
Karsten has a really nice record
of security research.
12
00:01:02,030 --> 00:01:06,974
He had talks about GSM protocols
13
00:01:06,974 --> 00:01:11,240
and last year he had his talk
about payment system abuse
14
00:01:11,240 --> 00:01:13,340
which was really interesting.
15
00:01:13,340 --> 00:01:21,079
Together with Nemanja, he will show us
his research on travel booking systems.
16
00:01:21,079 --> 00:01:25,380
And probably we will find out
how we can get home free.
17
00:01:25,380 --> 00:01:31,841
Please give a really, really warm
welcome to Karsten and Nemanja!
18
00:01:31,841 --> 00:01:41,422
applause
19
00:01:41,422 --> 00:01:45,330
Karsten Nohl: Thank you very much!
Always feels great to be back!
20
00:01:45,330 --> 00:01:49,970
I just today noticed that the first time
I was speaking at this conference
21
00:01:49,970 --> 00:01:54,482
is 10 years ago. So 10 years of…
22
00:01:54,482 --> 00:01:59,536
applause
…thank you.
23
00:01:59,536 --> 00:02:04,549
10 years of looking at 10 different legacy
systems and finding vulnerabilities
24
00:02:04,549 --> 00:02:10,788
in all of them, so far. A lot of them were
around RFIDs, or mobile protocols.
25
00:02:10,788 --> 00:02:14,613
This time we’re looking at something
completely different, travel booking
26
00:02:14,613 --> 00:02:18,929
systems. And vulnerabilities in there.
27
00:02:18,929 --> 00:02:23,154
Relative to some of the other talks we’ve
been giving, this will have less ‘hacking’
28
00:02:23,154 --> 00:02:28,803
in it. Not because we lost our interest in
hacking but because much less hacking
29
00:02:28,803 --> 00:02:32,317
was actually needed to exploit
vulnerabilities here. laughter
30
00:02:32,317 --> 00:02:36,758
So, sorry for that if you expected a lot
of hacking. There’ll be a little bit,
31
00:02:36,758 --> 00:02:41,934
that’s why Nemanja is here, but
a little bit less than usual. So we’re
32
00:02:41,934 --> 00:02:48,136
talking about travel systems. And there
are 3 main players, or actors
33
00:02:48,136 --> 00:02:53,334
in the commercial travel world. There are
those people who provide travelling,
34
00:02:53,334 --> 00:02:59,103
airlines and hotels. There’s those people
who help you book them, Expedia,
35
00:02:59,103 --> 00:03:04,187
websites like that or traditional travel
agencies. And then there’s brokers
36
00:03:04,187 --> 00:03:10,084
who make sure that whatever is available
can be booked through those agents.
37
00:03:10,084 --> 00:03:15,450
So those are really the backbone of travel
systems but you don’t really think
38
00:03:15,450 --> 00:03:19,376
about them much, or at least I didn’t
before looking into this research.
39
00:03:19,376 --> 00:03:25,970
The systems are very useful, as global
systems. In fact, they’re called “global
40
00:03:25,970 --> 00:03:30,254
distribution systems”. And that tells you
how old they are. This is before
41
00:03:30,254 --> 00:03:34,204
the internet was there. They go back to
the 80s and 70s. So there was only
42
00:03:34,204 --> 00:03:38,304
one system that deserved the name
of a global distribution system of,
43
00:03:38,304 --> 00:03:43,032
in this case, data. And this was
travel system. So it makes sense
44
00:03:43,032 --> 00:03:48,090
to have these systems because, of course,
one seat on an airplane shouldn’t be sold
45
00:03:48,090 --> 00:03:51,282
multiple times, so there needs to be
a global inventory somewhere.
46
00:03:51,282 --> 00:03:55,799
Also all airlines should be using just
a few systems so that they can do
47
00:03:55,799 --> 00:04:00,158
'codeshare agreements', e.g. so that,
again, the same seats on a flight
48
00:04:00,158 --> 00:04:05,458
aren’t booked multiple times. And,
consequently, these booking systems,
49
00:04:05,458 --> 00:04:13,110
they maintain three types of information.
The first one, you are probably most
50
00:04:13,110 --> 00:04:19,380
aware of, are the prices. Airlines will
put their price lists into these systems
51
00:04:19,380 --> 00:04:23,960
for booking sites to fetch. They’re
called ‘fares’ in the travel world.
52
00:04:23,960 --> 00:04:28,639
The next important data item in there is
‘availability’. So not everything can be
53
00:04:28,639 --> 00:04:33,290
booked that has a price. There needs to be
a seat available at a certain booking class.
54
00:04:33,290 --> 00:04:37,805
And, finally, when somebody does find an
available seat to a fare that they want
55
00:04:37,805 --> 00:04:42,050
to purchase that is then converted into
a ‘reservation’. So this is after the seat
56
00:04:42,050 --> 00:04:48,770
is taken. You may have seen some of this
information before on travel web sites.
57
00:04:48,770 --> 00:04:54,663
Let me just show you the one that I like
to use the most. The ‘ITA Matrix’ has
58
00:04:54,663 --> 00:04:57,933
been bought by Google a few years ago.
So you can’t actually book through
59
00:04:57,933 --> 00:05:03,340
here any more. But they maintain the
interface for whatever reason. And so,
60
00:05:03,340 --> 00:05:07,170
let’s say you search for a flight to
San Francisco from here, at the end
61
00:05:07,170 --> 00:05:13,650
of the year. This, like any other web
site will give you plenty of options
62
00:05:13,650 --> 00:05:19,500
from the different airlines. What’s
different for this web site is that
63
00:05:19,500 --> 00:05:25,309
they give you a lot more details,
if you know where to click.
64
00:05:25,309 --> 00:05:31,042
So the cheapest flight, really cheap
actually, 325 bucks to go to San Francisco
65
00:05:31,042 --> 00:05:37,240
for New Year’s, a one-way trip, and
what I like on this web site is the rules.
66
00:05:37,240 --> 00:05:42,983
So this is real data, that is kept in one
of these GDS systems. And this already
67
00:05:42,983 --> 00:05:50,019
looks like the 70ies, right? laughter
This would usually be shown on a terminal,
68
00:05:50,019 --> 00:05:54,520
maybe green font on black background, and
somebody would read through here,
69
00:05:54,520 --> 00:05:59,373
and I would say, okay, so you wanna book
for a certain day, it’s okay, the dates
70
00:05:59,373 --> 00:06:05,550
match, you wanna go on TAP (TP)
– Portugal Airlines – so okay, that matches,
71
00:06:05,550 --> 00:06:10,490
and you could also take a few other
airlines, and then you have to meet
72
00:06:10,490 --> 00:06:16,982
certain other restrictions, e.g. you can
stop over here. So this flight goes
73
00:06:16,982 --> 00:06:20,310
through Lisbon, you can stay in Lisbon
for up to 84 hours before flying on
74
00:06:20,310 --> 00:06:26,399
to the U.S. That’d be nice. And then
it has all these other rules in here,
75
00:06:26,399 --> 00:06:30,500
e.g. you can not cancel this ticket,
right? It’s non-refundable. But you
76
00:06:30,500 --> 00:06:36,340
can change it for a fee. And this goes on
and on and on. For just a single fare,
77
00:06:36,340 --> 00:06:41,638
and there’s, of course, tens of thousands
of fares available. Now this, you may be
78
00:06:41,638 --> 00:06:45,274
surprised to hear, is the only form in
which these fares are available. There
79
00:06:45,274 --> 00:06:49,477
isn’t an XML, there isn’t a web service,
this is how the airlines publish them.
80
00:06:49,477 --> 00:06:52,980
And then a web site like Expedia, they
have to write a parser for it to be able
81
00:06:52,980 --> 00:06:59,240
to present flight options to you. You
may have noticed if you tried to change
82
00:06:59,240 --> 00:07:03,570
or cancel flights they don’t allow that
to web sites often. Expedia e.g. doesn’t,
83
00:07:03,570 --> 00:07:06,459
you have to call them. And if you call
them they say: “Give me a moment,
84
00:07:06,459 --> 00:07:10,890
I have to read through the fare rules.”
So in that case they just didn’t parse
85
00:07:10,890 --> 00:07:19,330
all this information. That’s the first
thing that’s kept in these… or maintained
86
00:07:19,330 --> 00:07:25,460
in these large GDS, the booking systems:
the fares. The other thing is
87
00:07:25,460 --> 00:07:29,337
the availability. That’s a little bit
harder to access through public web sites.
88
00:07:29,337 --> 00:07:36,651
Expert Flyer is probably the best one
to use. And availability is important.
89
00:07:36,651 --> 00:07:40,772
If you actually wanted to fly to San
Francisco now for New Year’s
90
00:07:40,772 --> 00:07:45,571
we looked at the fare, well,
this is Booking Class 'O', this is
91
00:07:45,571 --> 00:07:49,569
always the first letter. And then, if you
look at the availability for Booking Class
92
00:07:49,569 --> 00:07:54,599
'O', unfortunately it says ‘C’ for ‘closed’.
So they don’t accept any more bookings.
93
00:07:54,599 --> 00:07:58,069
So just because there’s a price available
doesn’t mean that anybody can actually
94
00:07:58,069 --> 00:08:03,430
book this flight. And, again, somebody
like Expedia would have to now combine all
95
00:08:03,430 --> 00:08:07,800
of these different pieces of information
to present a list of flight options for you.
96
00:08:07,800 --> 00:08:12,669
So let’s assume they did that and you did
book something. Then, the third data item
97
00:08:12,669 --> 00:08:18,195
is created in one of these GDS. And that’s
the 'passenger name record', PNR.
98
00:08:18,195 --> 00:08:24,890
And that looks something like this. Again,
you’ll notice the same 70s/80s style.
99
00:08:24,890 --> 00:08:30,638
With lots of private information.
Ed Hasbrouck - he is a
100
00:08:30,638 --> 00:08:36,368
privacy advocate in the U.S., probably
the loudest voice to ask for more
101
00:08:36,368 --> 00:08:39,180
privacy around travel booking
and he was kind enough to make
102
00:08:39,180 --> 00:08:44,214
this available on his web site, for all
to see what information is kept. So,
103
00:08:44,214 --> 00:08:47,940
contact information, of course, things
like e-mail. This one shows you again
104
00:08:47,940 --> 00:08:53,462
how old these systems are. So they
don’t have the ‘@’ character! This is
105
00:08:53,462 --> 00:08:58,112
using a character set from punch cards!
And in punch card you had 6 possible
106
00:08:58,112 --> 00:09:02,301
punches per character. So everything here
needs to be encoded with a 6-bit character
107
00:09:02,301 --> 00:09:07,950
And there’s no space for ‘@’. So all
ancient stuff. But still, a possible
108
00:09:07,950 --> 00:09:12,710
privacy hazard, right? You wouldn’t want
anybody to access this kind of information
109
00:09:12,710 --> 00:09:20,780
about yourself. The three main players who
run GDSs – Amadeus, mostly in Europe,
110
00:09:20,780 --> 00:09:25,197
Sabre, mostly in the US, and then there’s
Galileo that merged with a few other
111
00:09:25,197 --> 00:09:29,760
things into ‘Travelport’. And Galileo
isn’t really so much used by airlines
112
00:09:29,760 --> 00:09:36,259
but it’s more used by travel agencies.
And then, often, multiple of these systems
113
00:09:36,259 --> 00:09:40,160
they’re involved in the booking. So let’s
say you go through Expedia and you book
114
00:09:40,160 --> 00:09:47,260
an American Airlines flight, the PNR has
to be kept in Amadeus as well as Sabre.
115
00:09:47,260 --> 00:09:51,470
So there’s two copies here. Or let’s say
you go through a travel agency that’s
116
00:09:51,470 --> 00:09:55,450
connected to Galileo, and you book
a flight that has both Lufthansa and
117
00:09:55,450 --> 00:09:59,420
Aeroflot segments it would be kept
in all three of them. So this is lots of
118
00:09:59,420 --> 00:10:06,375
redundancy depending on where your flight
segments and booking agents come from.
119
00:10:06,375 --> 00:10:11,150
But sufficient to say there are three big
companies, who apparently hold on to the
120
00:10:11,150 --> 00:10:15,340
private information of all travelers.
Hundreds of millions of records
121
00:10:15,340 --> 00:10:21,250
for each of those systems. And we wanted
to find out whether they can sufficiently
122
00:10:21,250 --> 00:10:25,730
protect this information. And there’s, of
course, reasons to believe that they can’t.
123
00:10:25,730 --> 00:10:31,330
This is very old technology and it’s
unclear whether they ever did any major
124
00:10:31,330 --> 00:10:35,890
security upgrades. But at the same time
there’s reasons to believe that they
125
00:10:35,890 --> 00:10:42,985
are very well secured because this PNR
data, this very information about travelers
126
00:10:42,985 --> 00:10:47,412
that has been disputed between different
governments for a long time, in particular
127
00:10:47,412 --> 00:10:51,630
the U.S. Government, and asking for more
and more information since 9/11 in
128
00:10:51,630 --> 00:10:56,350
multiple waves, and the E.U. governments
that say: “No, you can’t have more
129
00:10:56,350 --> 00:11:01,569
information than you absolutely need. So
they agree politically that, yes, the U.S.
130
00:11:01,569 --> 00:11:05,634
can get information on those travelers
going to the U.S. but only certain data
131
00:11:05,634 --> 00:11:08,990
fields, and have to delete them after
a few years. So this was years
132
00:11:08,990 --> 00:11:14,730
of negotiation. And you’d imagine that the
systems at the forefront of this dispute
133
00:11:14,730 --> 00:11:21,212
they’d be secure enough that, let’s say,
we couldn’t access that same information
134
00:11:21,212 --> 00:11:26,440
that even the U.S. Government is supposed
to not access. So we set out to answer
135
00:11:26,440 --> 00:11:33,970
this simple question: do these GDSs,
do they have normal, basic security?
136
00:11:33,970 --> 00:11:39,990
Do they constrain access, do they
authenticate users well, do they protect
137
00:11:39,990 --> 00:11:46,419
through rate limiting from web attacks,
and do they log to be able to detect any
138
00:11:46,419 --> 00:11:51,841
possible type of abuse. We’ll go through
each of them to see where those systems
139
00:11:51,841 --> 00:11:57,193
stand. Let’s start with access control.
And this is just drawing
140
00:11:57,193 --> 00:12:02,000
from public sources, so, again, Ed
Hasbrouck, this privacy advocate
141
00:12:02,000 --> 00:12:09,489
in California, he has been the loudest
voice here, saying, there’s overreach by a
142
00:12:09,489 --> 00:12:15,720
lot of players already accessing PNR
information. So e.g. if you have a booking,
143
00:12:15,720 --> 00:12:20,604
let’s say a flight booking, anybody who
works at this airline can access
144
00:12:20,604 --> 00:12:24,641
your information. But then, if you add,
let’s say, a car reservation to the same
145
00:12:24,641 --> 00:12:28,860
booking, anybody who works at the car
rental company can also access
146
00:12:28,860 --> 00:12:35,630
let’s say the flight information. And
any agent at the booking agency
147
00:12:35,630 --> 00:12:39,903
that you use can access all of this
information. And if you keep adding
148
00:12:39,903 --> 00:12:43,630
information all of these people still have
access to it. That’s just how these
149
00:12:43,630 --> 00:12:49,360
systems grew over time, but that’s a first
indication to me that this certainly
150
00:12:49,361 --> 00:12:54,711
wasn’t built with modern security
in mind. Most concerningly
151
00:12:54,711 --> 00:13:01,110
the people working at or for the GDS
companies, they have access to everything,
152
00:13:01,110 --> 00:13:05,140
absolutely everything. Including their
support staff, as far as I understand.
153
00:13:05,140 --> 00:13:09,030
So these are external companies that
help debug the system, and they
154
00:13:09,030 --> 00:13:15,253
have access to hundreds of millions
of people’s private information.
155
00:13:15,253 --> 00:13:20,034
So way too many people have access
to way too much information, e.g. if you
156
00:13:20,034 --> 00:13:24,200
did an online booking your IP address
is stored there, basically forever,
157
00:13:24,200 --> 00:13:28,570
well, until the flight is over. But any of
these people can now access your
158
00:13:28,570 --> 00:13:33,252
IP address, your e-mail address,
phone number and all of this.
159
00:13:33,252 --> 00:13:37,896
So definitely that doesn’t seem to be
fine-grained access control. But,
160
00:13:37,896 --> 00:13:42,886
as I said earlier, this has been known
for a long time and criticized a lot.
161
00:13:42,886 --> 00:13:49,366
Not acted on, though, yet! How about
authentication? The picture is actually
162
00:13:49,366 --> 00:13:53,820
even worse for authentication. And I want
to distinguish two different cases here.
163
00:13:53,820 --> 00:13:57,690
I wanna distinguish professionals
accessing records, so people working
164
00:13:57,690 --> 00:14:02,230
at travel agencies and airlines. And,
as a second case I wanna distinguish
165
00:14:02,230 --> 00:14:06,110
travelers accessing their own records,
like when you check-in online e.g.,
166
00:14:06,110 --> 00:14:11,750
you access your own record. Professionals,
the way they access it, typically, is that
167
00:14:11,750 --> 00:14:16,530
their agency is connected to one of these
GDSs through basically one account.
168
00:14:16,530 --> 00:14:20,980
So an entire agency system, or at least
an entire location uses one account.
169
00:14:20,980 --> 00:14:25,350
So years ago somebody typed in some user
name and password, and then it’s long been
170
00:14:25,350 --> 00:14:30,250
forgotten because locally they use
a different access management.
171
00:14:30,250 --> 00:14:34,890
A few travel agencies were kind enough to
help us in this research, and their access
172
00:14:34,890 --> 00:14:39,470
credentials, we saw them using, they’re
just terrible. E.g. for one of the big
173
00:14:39,470 --> 00:14:44,365
systems that I won’t name you need the
agent ID, so that you can get pretty
174
00:14:44,365 --> 00:14:48,870
easily. And then a password for the web
service, so of the modern way of accessing,
175
00:14:48,870 --> 00:14:54,791
this is WS for web service and the date
on which the password was created.
176
00:14:54,791 --> 00:14:58,960
So even if you have to brute-force
20 years, how many possible dates
177
00:14:58,960 --> 00:15:05,440
does a single year have? Times 20. This is
ridiculously low entropy for an account
178
00:15:05,440 --> 00:15:12,535
that is supposed to protect information
of millions of people, if not more.
179
00:15:12,535 --> 00:15:16,414
This is the best authenticator
that we found in these systems!
180
00:15:16,414 --> 00:15:19,210
laughter
181
00:15:19,210 --> 00:15:24,486
It gets worse with travelers accessing
their own information. Because there
182
00:15:24,486 --> 00:15:27,600
they just simply forgot to give you
a password, not even a terrible password
183
00:15:27,600 --> 00:15:33,090
like this; there just isn’t one. And what
they use instead is the booking code,
184
00:15:33,090 --> 00:15:37,120
‘PNR locator’ it is sometimes called.
I call it booking code.
185
00:15:37,120 --> 00:15:42,237
It’s a six-digit code. When you
check-in online you need that code.
186
00:15:42,237 --> 00:15:46,640
And you only need that code and your
last name. So you’d imagine that,
187
00:15:46,640 --> 00:15:51,810
if they treat it as a password equivalent
then they would keep it secret
188
00:15:51,810 --> 00:15:56,630
like a password. Only – they don’t,
but rather print it on every piece
189
00:15:56,630 --> 00:16:00,940
that you get from the airline, e.g. on
every piece of luggage you have
190
00:16:00,940 --> 00:16:07,390
your last name and a six-digit code.
On your boarding pass –
191
00:16:07,390 --> 00:16:11,433
it used to be there, and then it
disappeared and then these barcodes
192
00:16:11,433 --> 00:16:15,198
showed up. So it’s inside the barcode.
If you decode the barcode there is
193
00:16:15,198 --> 00:16:20,320
your PNR in there. I erased it here,
this is still for a valid booking.
194
00:16:20,320 --> 00:16:23,968
laughter
195
00:16:23,968 --> 00:16:30,910
So, you have these six-digit codes printed
everywhere and you can just find them
196
00:16:30,910 --> 00:16:36,491
on pieces of scrap at the airport.
Certainly these tags you find all over,
197
00:16:36,491 --> 00:16:39,700
but also people throwing away their
boarding passes when they’re done.
198
00:16:39,700 --> 00:16:44,555
And this is supposed to be the only way
of authenticating users. And we’ll
199
00:16:44,555 --> 00:16:51,240
show you in a minute what kind
of abuse is possible through that.
200
00:16:51,240 --> 00:16:56,190
But let’s first think about where else you
could be able to find these PNR codes.
201
00:16:56,190 --> 00:17:00,930
Could it get any worse than somebody
printing your password on a piece of paper
202
00:17:00,930 --> 00:17:04,650
that you throw away at the end of your
journey. Of course the internet can make
203
00:17:04,650 --> 00:17:11,050
it worse! And what better technology to
worsen the security problem than
204
00:17:11,050 --> 00:17:28,390
Instagram? So on Instagram…
laughter and applause
205
00:17:28,390 --> 00:17:33,550
So you got all these bookings. And, in
fact, there was one guy here, you see, he
206
00:17:33,550 --> 00:17:38,580
actually erased the information. But for
one who knows what’s up, everywhere,
207
00:17:38,580 --> 00:17:43,240
there’s a hundred who don’t. And this
is really all information you need.
208
00:17:43,240 --> 00:17:47,860
I saw a Lufthansa one just now,
where was that? – Here.
209
00:17:47,860 --> 00:17:59,190
So here is a Lufthansa one. This is from
today, posted by markycz at Frankfurt.
210
00:17:59,190 --> 00:18:04,370
This is really all you need to get
somebody’s…
211
00:18:04,370 --> 00:18:15,114
laughter and applause
212
00:18:15,114 --> 00:18:17,410
Let’s see if this works.
Yeah, sure enough. So.
213
00:18:17,410 --> 00:18:18,590
laughter
214
00:18:18,590 --> 00:18:24,550
'Marky M.' on Instagram is apparently
Marketa Mottlova
215
00:18:24,550 --> 00:18:28,160
and this is her booking reference.
216
00:18:28,160 --> 00:18:33,280
laughter
217
00:18:33,280 --> 00:18:37,050
I was debating whether or not to show this
but you guys are gonna do it anyway
218
00:18:37,050 --> 00:18:40,900
when I’m done with this talk.
laughter
219
00:18:49,242 --> 00:19:01,600
cheers and applause
220
00:19:01,600 --> 00:19:06,960
So a flight today from Munich
to Frankfurt and then, on to Seattle.
221
00:19:06,960 --> 00:19:11,670
Let me point out one thing here.
222
00:19:11,670 --> 00:19:15,260
Where did I see the ticket number?
223
00:19:15,260 --> 00:19:23,040
off camera mumbling on stage
224
00:19:23,040 --> 00:19:32,555
Just use mine!
225
00:19:32,555 --> 00:19:38,740
It’s AndroidAPKN
Oops.
226
00:19:38,740 --> 00:19:50,080
And then let me write down the password.
227
00:19:50,080 --> 00:19:57,060
Okay. Alright.
228
00:19:57,060 --> 00:20:02,000
So what I wanted to point out is that
this isn’t even a Lufthansa ticket.
229
00:20:02,000 --> 00:20:08,830
So she checked in with Lufthansa
in Frankfurt. But if you look at the
230
00:20:08,830 --> 00:20:14,950
ticket number, 016, that’s a United
[Airlines] ticket. And it also includes
231
00:20:14,950 --> 00:20:19,950
flights on Alaska Airlines e.g.
So any of these airlines have
232
00:20:19,950 --> 00:20:27,230
full access to this PNR. And many of them
will just grant people access to it
233
00:20:27,230 --> 00:20:32,860
if they know the PNR and the last name.
As Nemanja will show in a minute,
234
00:20:32,860 --> 00:20:38,570
even if they don’t know that yet. So...
235
00:20:38,570 --> 00:20:43,200
To recap for the moment: airlines give you
a six-digit password that they print
236
00:20:43,200 --> 00:20:50,470
on all kinds of pieces of paper and
that you will post on Instagram.
237
00:20:50,470 --> 00:20:54,690
Why shouldn’t you, everybody else does,
too, apparently. 75,000 people at least
238
00:20:54,690 --> 00:20:59,650
over the last couple of weeks. So
the authentication model here is
239
00:20:59,650 --> 00:21:05,420
severely broken, too. And what
kind of abuse arises from this?
240
00:21:05,420 --> 00:21:10,180
Of course, you can now use this PNR,
log in on Lufthansa as I have just done
241
00:21:10,180 --> 00:21:15,950
or a more generic web site, like
Checkmytrip and look up people’s
242
00:21:15,950 --> 00:21:19,040
contact information at the very least.
So there’s always an email address
243
00:21:19,040 --> 00:21:23,620
in there. There’s usually a phone number
in there. If in Lufthansa you click on
244
00:21:23,620 --> 00:21:29,200
“I wanna change my booking” probably
they’ll ask you for your payment information
245
00:21:29,200 --> 00:21:32,910
and pre-fill the postal address for that.
So you get somebody’s postal address
246
00:21:32,910 --> 00:21:38,320
that they used for the booking, passport
information, visa information. If you
247
00:21:38,320 --> 00:21:41,520
travel to the U.S. as she does there’s
definitely passport information
248
00:21:41,520 --> 00:21:48,610
in the PNR. All of this information is now
readily accessible. Now so far
249
00:21:48,610 --> 00:21:53,120
there was zero hacking involved. That’s
why we have Nemanja here who will
250
00:21:53,120 --> 00:22:00,190
show you some actual hacking to get even
deeper into these systems.
251
00:22:00,190 --> 00:22:03,230
Can we switch the screen?
252
00:22:03,230 --> 00:22:09,560
Nemanja Nikodijevic: So when…
laughter
253
00:22:09,560 --> 00:22:18,590
When we started this research we needed
to find lots of these booking numbers
254
00:22:18,590 --> 00:22:24,600
to see if there is some relation between
them. So luckily we didn’t have to
255
00:22:24,600 --> 00:22:28,960
make any bookings that we had to pay
because there are web sites like this one
256
00:22:28,960 --> 00:22:33,270
where you can just make a booking
and pay it later but you get
257
00:22:33,270 --> 00:22:39,490
the booking reference number at the time.
So let’s make some very normal
258
00:22:39,490 --> 00:22:45,786
German name… laughter
..looking for someone from Germany.
259
00:22:45,786 --> 00:22:52,550
Actually they check the phone number, so
it has to follow a certain form.
260
00:22:52,550 --> 00:22:59,968
Let’s find Germany… from Berlin,
261
00:22:59,968 --> 00:23:04,435
1234567.
laughter
262
00:23:04,435 --> 00:23:09,390
And then ‘hans@sandiego.com’.
263
00:23:09,390 --> 00:23:14,940
As you can see I tried quite some…
laughter
264
00:23:14,940 --> 00:23:19,950
So for this one we already got
our booking reference number
265
00:23:19,950 --> 00:23:28,584
which is Y56HOY.
And this one, in a minute.
266
00:23:28,584 --> 00:23:33,340
Okay, we have to wait a bit. Y5LCF4.
So if you notice
267
00:23:33,340 --> 00:23:39,110
they are very close to each other, so
they both start with Y5 which means
268
00:23:39,110 --> 00:23:44,160
that they were booked on the same day.
Probably because one is on Lufthansa,
269
00:23:44,160 --> 00:23:49,560
the other one is on Air Berlin, there is
a slight difference. They are not exactly
270
00:23:49,560 --> 00:23:53,160
sequential. But we can say that they are
concentrated in a certain range
271
00:23:53,160 --> 00:23:58,410
for a certain day. What we can do now is
272
00:23:58,410 --> 00:24:03,910
we can go to one of our servers. At first
273
00:24:03,910 --> 00:24:08,380
we have to check if checkmytrip works
274
00:24:08,380 --> 00:24:12,840
because I had some issues
with the network.
275
00:24:12,840 --> 00:24:17,510
That’s… ooh!
laughter
276
00:24:17,510 --> 00:24:22,260
This is a bit unexpected.
We will have to skip this part
277
00:24:22,260 --> 00:24:28,210
where we actually look for Carmen
Sandiego in one of our bookings.
278
00:24:28,210 --> 00:24:29,210
But…
279
00:24:29,210 --> 00:24:32,990
Karsten: Well, this is a side effect of
responsible disclosure. So you tell
280
00:24:32,990 --> 00:24:37,881
a company that on this day you’ll do that
thing to that web site, and they just
281
00:24:37,881 --> 00:24:41,580
either block the IP ranges here or just
took down the web site which they
282
00:24:41,580 --> 00:24:48,430
have done a few times before.
What you can do is… – say it again!!
283
00:24:48,430 --> 00:24:52,590
From audience: Can you test the hot spot?
284
00:24:52,590 --> 00:24:56,880
Karsten: Actually, I think the whole
web site is turned off.
285
00:24:56,880 --> 00:25:03,710
Nemanja: What we can demonstrate, I think,
is that if we go with this booking number,
286
00:25:03,710 --> 00:25:10,309
to Air Berlin web site, and then
type last name, “Mueller”.
287
00:25:10,309 --> 00:25:16,850
And actually, because it’s six-bit
encoding it has to be “UE”, no Umlauts
288
00:25:16,850 --> 00:25:27,263
allowed. So, “Select all the food!”
laughter and applause
289
00:25:27,263 --> 00:25:29,353
Let’s see if we can find this flight.
290
00:25:29,353 --> 00:25:32,420
Karsten: The part of the demo that you
didn’t show is just brute-forcing
291
00:25:32,420 --> 00:25:37,440
these ranges. If you know which ranges
are used in a day you can try them all.
292
00:25:37,440 --> 00:25:44,590
Or at least we did many times. That
would then, in theory, give you access
293
00:25:44,590 --> 00:25:48,360
to all of this. And not just in theory, in
practice, unless they take down their
294
00:25:48,360 --> 00:25:52,592
entire web site which they knew we were
gonna use for this demo.
295
00:25:52,592 --> 00:25:58,270
Nemanja: But on this, for example, if we caught
that flight that we wanted to catch…
296
00:25:58,270 --> 00:26:05,670
Karsten: We’ll show it later. But at least
the first win for privacy: no information
297
00:26:05,670 --> 00:26:09,690
is leaked through this web site
for the rest of this talk, at least!
298
00:26:09,690 --> 00:26:12,300
laughter and applause
299
00:26:12,300 --> 00:26:21,010
Can we switch back to the other screen?
ongoing applause
300
00:26:21,010 --> 00:26:24,870
One thing that you would have noticed had
this not just been a flight reservation
301
00:26:24,870 --> 00:26:29,390
but an actual ticket: it would have
given you options to rebook it,
302
00:26:29,390 --> 00:26:34,250
to add a frequent flyer number, all of that
good stuff. So what’s the abuse potential
303
00:26:34,250 --> 00:26:38,850
here? So far we’ve only talked about
privacy intrusion. And privacy intrusion
304
00:26:38,850 --> 00:26:43,130
is bad enough. Imagine somebody is
snapping a picture of your luggage,
305
00:26:43,130 --> 00:26:48,320
that person has your email address and
your phone number, right there, right then.
306
00:26:48,320 --> 00:26:55,559
But the abuse potential goes much
beyond that. For instance, you can fly for free!
307
00:26:55,559 --> 00:26:59,540
You can fly for free using different
methods. You can find somebody else’s
308
00:26:59,540 --> 00:27:04,120
booking and just change the date.
The ticket… in fact, we can show it
309
00:27:04,120 --> 00:27:09,740
a little bit later. We had prepared for
this demo that we are going to find
310
00:27:09,740 --> 00:27:13,200
through a little bit of brute-force that’s
a flexible ticket. So you can just change
311
00:27:13,200 --> 00:27:16,890
the date, and change the email address.
You just take that flight yourself.
312
00:27:16,890 --> 00:27:22,770
And as the airline checks… compares the
ticket and your passport – oftentimes
313
00:27:22,770 --> 00:27:26,110
they do it visually. What they’ll do is
they’ll send you a PDF, you change
314
00:27:26,110 --> 00:27:31,760
the name, you take it anyway. But at least
in Schengen, in the EU, people don’t even
315
00:27:31,760 --> 00:27:38,450
do that. Let’s say you wanted
to take it in your name. You can,
316
00:27:38,450 --> 00:27:43,100
depending on the airline, call them up
or even use their web sites to cancel
317
00:27:43,100 --> 00:27:48,900
the ticket, and they issue a refund to you
inside the PNR, and then use the money
318
00:27:48,900 --> 00:27:54,600
that’s freed up there to book a new
ticket. Some airlines also give you
319
00:27:54,600 --> 00:28:01,370
MCOs – miscellaneous charges orders.
Americans will know this very well,
320
00:28:01,370 --> 00:28:05,760
every time you get bumped from a flight
they give you an MCO, “sorry, we can’t
321
00:28:05,760 --> 00:28:09,420
fly you home today, you’ll have to go
tomorrow, but here is $1,000 towards
322
00:28:09,420 --> 00:28:17,309
a new ticket”. It’s real airline cash.
And those same MCOs you can issue
323
00:28:17,309 --> 00:28:21,059
based on flight cancellation. So you
cancel somebody else’s ticket and you get
324
00:28:21,059 --> 00:28:26,090
airline money to book your own ticket.
And, again, there are no passwords
325
00:28:26,090 --> 00:28:30,960
involved. The only authenticator is this
six-digit sequence that people post
326
00:28:30,960 --> 00:28:36,480
on Instagram, print on their boarding
passes and that Nemanja should be able
327
00:28:36,480 --> 00:28:42,270
to brute-force on their web sites. What
else can you do, once you have somebody’s
328
00:28:42,270 --> 00:28:47,820
PNR? You can change or add a mile number.
And some tickets are really attractive
329
00:28:47,820 --> 00:28:54,880
for mile collection. Take a round trip to
Australia in 1st class, get 60,000 miles
330
00:28:54,880 --> 00:29:01,870
right there, for one round trip, for one
PNR. And that will get you a sweet, free
331
00:29:01,870 --> 00:29:11,280
flight to somewhere nice, or even some
voucher for online and offline shopping.
332
00:29:11,280 --> 00:29:17,779
One website that I wish was still
working is, of course, this one.
333
00:29:17,779 --> 00:29:20,439
laughter
334
00:29:20,439 --> 00:29:26,602
But they shut down business, apparently.
Unrelated to this talk.
335
00:29:26,602 --> 00:29:30,070
laughter and single claps
336
00:29:30,070 --> 00:29:36,740
So you have access to somebody’s PNR,
you can not just stalk them but change
337
00:29:36,740 --> 00:29:44,260
their flights or – which may trigger some
curiosity – that flight can be taken twice.
338
00:29:44,260 --> 00:29:48,840
But you can very stealthily add your mile
number everywhere, well, a new mile number
339
00:29:48,840 --> 00:29:57,400
matching that name to collect those sweet
miles. Now, are all airlines affected
340
00:29:57,400 --> 00:30:03,267
by that? The demo that we didn’t get to
show brute-forced for one last name,
341
00:30:03,267 --> 00:30:10,250
Sandiego, all the PNRs for a day. And it
quickly found, in fact, a bunch of records.
342
00:30:10,250 --> 00:30:15,080
There’s not just one Sandiego flying that
day. But in some airlines they’re
343
00:30:15,080 --> 00:30:19,050
a little bit smarter. For instance American
Airlines, the largest airline in the world,
344
00:30:19,050 --> 00:30:24,790
they don’t just want the last name
but also the first name. And if you’re
345
00:30:24,790 --> 00:30:28,150
interested in one specific person, let’s
say ‘Carmen Sandiego’, you would still
346
00:30:28,150 --> 00:30:32,920
find that person. But if you want to
conduct fraud that becomes a little bit
347
00:30:32,920 --> 00:30:39,580
more tricky. A fraudster would just pick
a random, very popular last name and
348
00:30:39,580 --> 00:30:45,610
brute-force PNRs there. And that becomes
more difficult if also you have to guess
349
00:30:45,610 --> 00:30:51,990
a first name. However, even American
Airlines, those records can be accessed
350
00:30:51,990 --> 00:30:57,200
through other web sites. For instance Viewtrip,
this is another generic web site like this
351
00:30:57,200 --> 00:31:02,050
infamous Checkmytrip that just went
offline. And Viewtrip allows you
352
00:31:02,050 --> 00:31:08,880
to brute-force by just last name and PNR,
again. So there’s multiple ways to access
353
00:31:08,880 --> 00:31:13,570
the same information. Some of which are
more secured than others. And, of course,
354
00:31:13,570 --> 00:31:18,831
only the weakest link mattered. So
Viewtrip, what they would say is
355
00:31:18,831 --> 00:31:24,549
they found the record and they can’t give
you access to the information but then
356
00:31:24,549 --> 00:31:29,090
TripCase will which, again, takes only
last name and reservation number.
357
00:31:29,090 --> 00:31:32,980
And they will tell you the first name
also that then you can type in to
358
00:31:32,980 --> 00:31:34,960
the American Airlines web site again
laughter
359
00:31:34,960 --> 00:31:42,559
to change the booking, let’s say. So
there’s all these different ways to access
360
00:31:42,559 --> 00:31:47,920
a person’s information here. And everybody
is slightly different. So let’s look at the
361
00:31:47,920 --> 00:31:55,830
entire universe of travel web sites,
starting with just three big travel providers.
362
00:31:55,830 --> 00:32:02,950
Each of them uses six-digit booking codes.
But they use these six digits rather
363
00:32:02,950 --> 00:32:08,250
differently. Sabre e.g. they don’t use any
numbers which of course severely impacts
364
00:32:08,250 --> 00:32:16,530
the entropy. But then others, e.g. Amadeus,
they don’t use 1 and 0, because that could
365
00:32:16,530 --> 00:32:23,860
be confused with i and o, and then
Galileo drops a few other characters. So
366
00:32:23,860 --> 00:32:27,950
at the end of the day none of them really
used the entropy of even a six-digit
367
00:32:27,950 --> 00:32:34,490
pass code. All of them are lower in entropy
than a randomly chosen 5-digit
368
00:32:34,490 --> 00:32:38,410
password. And we will never recommend
anybody to use a 5-digit password, right?
369
00:32:38,410 --> 00:32:44,030
So this is strictly worse. And what
makes it even worse, at least for
370
00:32:44,030 --> 00:32:47,910
privacy-intruding attacks, is the
sequential nature of these bookings.
371
00:32:47,910 --> 00:32:53,181
You saw the two that Nemanja just now
generated. Both of them were from
372
00:32:53,181 --> 00:32:57,930
the same, very small sub set. So if you
just wanted to know all the bookings
373
00:32:57,930 --> 00:33:01,820
that a person did today, you can
brute-force this in 10 minutes
374
00:33:01,820 --> 00:33:06,900
with a few computers running in parallel.
It’s not so easy on Sabre because
375
00:33:06,900 --> 00:33:12,160
they seem to be chosen more randomly.
However, Sabre has the lowest entropy,
376
00:33:12,160 --> 00:33:18,460
so if you just randomly want to find
bookings for popular last names Sabre is
377
00:33:18,460 --> 00:33:27,410
your system of choice. They’re all weak,
but the weaknesses differ in shades of grey
378
00:33:27,410 --> 00:33:31,610
for this privacy intruding and for the
financial fraud-type attacks.
379
00:33:31,610 --> 00:33:37,390
As one example, though, of how easy it is
to find these booking codes, if you
380
00:33:37,390 --> 00:33:45,030
look up 1,000 just randomly chosen booking
codes in Sabre for the last name ‘Smith’
381
00:33:45,030 --> 00:33:50,970
five will come back with current bookings.
So half a percent of the entire name space
382
00:33:50,970 --> 00:33:55,900
is filled with current bookings for people
called ‘Smith’! Now, add in all the other
383
00:33:55,900 --> 00:34:01,670
last names, their name space must be
pretty damn full. And it’s only 300 million
384
00:34:01,670 --> 00:34:05,549
records if you calculate the entropy.
So it looks like almost every record
385
00:34:05,549 --> 00:34:09,650
is used up and they’re running out of
space. So they’ll have to fix this anyway
386
00:34:09,650 --> 00:34:14,580
at some point. But that, of course, makes
it all the easier to randomly find and
387
00:34:14,580 --> 00:34:22,409
abuse other people’s bookings.
Each of those providers runs a website
388
00:34:22,409 --> 00:34:26,239
that allows you to access all the PNRs in
their system if you know the PNR and
389
00:34:26,239 --> 00:34:31,540
the last name. And one German reporter
writing about this, he calls them the
390
00:34:31,540 --> 00:34:38,280
websites that you didn’t know existed,
that you have no use for but that, anyway,
391
00:34:38,280 --> 00:34:43,510
put your privacy at risk. So there doesn’t
seem to be any up side to these web sites.
392
00:34:43,510 --> 00:34:47,590
I certainly don’t need to use them
but they’re there, and they’re bad.
393
00:34:47,590 --> 00:34:52,469
Because when we did the research none of
them had any protection from brute-forcing
394
00:34:52,469 --> 00:34:56,599
meaning we could try 100,000, even
millions of different combinations
395
00:34:56,599 --> 00:35:01,869
– PNR and last name – and those
websites wouldn’t complain even a bit.
396
00:35:01,869 --> 00:35:09,390
We did expose Amadeus to way more
queries than the others and at some point
397
00:35:09,390 --> 00:35:13,040
they did notice, maybe also because some
reporters just asked them for comments
398
00:35:13,040 --> 00:35:19,480
on the research. They have tried to
improve. So the classic checkmytrip.com
399
00:35:19,480 --> 00:35:24,090
website that was just killed a few days
ago – R.I.P., thank you, it’s gone,
400
00:35:24,090 --> 00:35:29,780
50% of the problem solved. But the other
website, that was still around up until
401
00:35:29,780 --> 00:35:35,710
literally half an hour ago. What they
did over the last couple of days was,
402
00:35:35,710 --> 00:35:41,390
they added a captcha. But the captcha gave
you a cookie. And the cookie you could
403
00:35:41,390 --> 00:35:45,890
again use for an indefinite number of queries.
laughter
404
00:35:45,890 --> 00:35:51,840
It’s a company that just hasn’t done web
security before. But then they also
405
00:35:51,840 --> 00:35:56,820
limited the number of requests per IP
address. Now, we do this from Amazon,
406
00:35:56,820 --> 00:36:01,920
so it’s not so difficult to spawn new
IP addresses, but still… it severely
407
00:36:01,920 --> 00:36:10,720
slows us down. About 1,000 requests per
IP address. Even if they now took down
408
00:36:10,720 --> 00:36:15,500
checkmytrip for good, of course, this is
not the only path to a reservation.
409
00:36:15,500 --> 00:36:21,242
As we’ve seen before you can just use
the provider’s web site directly. And the
410
00:36:21,242 --> 00:36:26,350
popular ones in Germany, they differed in
security quite a bit when we checked
411
00:36:26,350 --> 00:36:30,080
a few weeks ago. So Lufthansa itself
differed on their different properties.
412
00:36:30,080 --> 00:36:35,190
The standard website asked for a captcha,
not the first time, but I think starting
413
00:36:35,190 --> 00:36:39,740
from three requests, so a really good
compromise. They make it comfortable
414
00:36:39,740 --> 00:36:44,540
to use for really anybody who just wants
to look up their own records. But then
415
00:36:44,540 --> 00:36:48,250
they make it a little bit more painful
for somebody who tries to look up
416
00:36:48,250 --> 00:36:52,958
too many. But then the mobile version e.g.
didn’t have that captcha. And again,
417
00:36:52,958 --> 00:36:58,690
weakest link principle applies. Air
Berlin, they had some rough IP filter,
418
00:36:58,690 --> 00:37:02,359
again, 1,000 requests per IP, that’s
a little bit too much, they introduced
419
00:37:02,359 --> 00:37:08,590
a captcha today! So, again, in response
to this. This is already showing
420
00:37:08,590 --> 00:37:13,940
some effect. Thank you to checkmytrip
and Air Berlin for working on this
421
00:37:13,940 --> 00:37:19,649
over the holidays, much appreciated.
Maybe, if you know anybody, thank you!
422
00:37:19,649 --> 00:37:28,340
applause
423
00:37:28,340 --> 00:37:35,020
On the other GDS’s the situation is much
worse still. They’re still as brute-forceable
424
00:37:35,020 --> 00:37:41,970
as they ever were, as are the web sites.
Except for the little bit of first-name
425
00:37:41,970 --> 00:37:48,810
extra complication on American Airlines,
every web site we have tried is not protected
426
00:37:48,810 --> 00:37:55,540
from brute-forcing. And this is surprising
to me. In my consulting work I have
427
00:37:55,540 --> 00:38:00,480
never seen a web site where not the first
pentester ever looking at it would say:
428
00:38:00,480 --> 00:38:04,190
“Oh, you didn’t have rate limiting in it,
please add it!” and then, two days later
429
00:38:04,190 --> 00:38:10,310
they had. So for most of this industry
that is yet to happen. So no cookie here,
430
00:38:10,310 --> 00:38:18,950
either. Let’s talk about one more abuse
scenario that’s… I can say they’re very
431
00:38:18,950 --> 00:38:22,400
relevant but that’s maybe because in my
consulting life I’ve been dealing with
432
00:38:22,400 --> 00:38:28,109
human security for the last couple of
years, appreciating that technology
433
00:38:28,109 --> 00:38:32,609
is mostly not the weakest link but the
the gullibility of people working
434
00:38:32,609 --> 00:38:38,220
in the company. And the same probably goes
for travelers. Imagine the scenario where
435
00:38:38,220 --> 00:38:42,400
you made a booking, just a few minutes
ago. And now that airline, or at least
436
00:38:42,400 --> 00:38:46,859
it looks like that airline, sends you an
e-mail saying “Thank you for making
437
00:38:46,859 --> 00:38:53,160
this reservation, here is all your booking
stuff, summarized for you, please update
438
00:38:53,160 --> 00:38:57,480
your credit card information, though.
The booking didn’t go through.”
439
00:38:57,480 --> 00:39:03,310
I would click on that. I expect them to
e-mail me, I know that sometimes
440
00:39:03,310 --> 00:39:08,170
credit cards are fuzzy, I would click on
it and enter my credit card information
441
00:39:08,170 --> 00:39:13,830
again. And how is this possible? Of course
we can stay ahead of the current pointer
442
00:39:13,830 --> 00:39:18,410
in these sequences and find bookings
that were made in the last, let’s say,
443
00:39:18,410 --> 00:39:23,950
half an hour, for popular last names
again. And each of those bookings will
444
00:39:23,950 --> 00:39:28,369
point us to an e-mail address, and give us
all the context we need to include in this
445
00:39:28,369 --> 00:39:33,740
very, very targeted phishing. If nothing
else, I think this should convince
446
00:39:33,740 --> 00:39:38,480
the airline industry to close these loopholes
because the evilness of the internet
447
00:39:38,480 --> 00:39:43,190
will not ignore this forever. Phishers are
always looking for new targets, and
448
00:39:43,190 --> 00:39:52,369
this will be a very juicy one. So we
looked at the three big GDS’s now.
449
00:39:52,369 --> 00:39:59,330
There’s a few other players, e.g. SITA.
It looks like on the way out but these two
450
00:39:59,330 --> 00:40:03,830
very big airlines, they still use it. So
they’re certainly still relevant. They are
451
00:40:03,830 --> 00:40:08,430
even worse. Instead of a six-digit
booking code they use five digits.
452
00:40:08,430 --> 00:40:12,540
And one digit is fixed per airline. So if
you know you’re looking for Air India
453
00:40:12,540 --> 00:40:18,770
you don’t even have to brute-force that
leaving just four digits to go through,
454
00:40:18,770 --> 00:40:23,560
and to brute-force. Now we don’t have
a demo for this because we found three
455
00:40:23,560 --> 00:40:28,670
other more fun ones to demo. So…
laughter
456
00:40:28,670 --> 00:40:35,910
Nemanja will now show you Ryanair, Oman
Air and Pakistan International Airlines.
457
00:40:35,910 --> 00:40:42,710
Note that all of these are connected to
big GDS systems. So it’s now the web sites
458
00:40:42,710 --> 00:40:48,359
that make it even worse than we already
discussed before. And can we switch over
459
00:40:48,359 --> 00:40:51,850
to the other computer again? Thanks.
460
00:40:51,850 --> 00:40:57,900
Nemanja: Yeah, I guess, many people
fly with Ryanair here.
461
00:40:57,900 --> 00:41:02,359
They use Navitaire which is now owned by
Amadeus.
462
00:41:02,359 --> 00:41:06,780
So they don’t share the same address space.
But on the Ryanair web site you can
463
00:41:06,780 --> 00:41:10,510
either search for the reservation with the
e-mail address and the reservation number
464
00:41:10,510 --> 00:41:15,020
or the last four digits of the credit card
that you used for booking.
465
00:41:15,020 --> 00:41:16,020
laughter
466
00:41:16,020 --> 00:41:20,770
Karsten: Again, great authenticator,
right? Ten thousand options.
467
00:41:20,770 --> 00:41:29,820
Nemanja: As they don’t have a captcha
we can have a look for…
468
00:41:29,820 --> 00:41:34,430
So we know that the last four digits of
469
00:41:34,430 --> 00:41:36,300
Carmen Sandiego’s card are these.
470
00:41:36,300 --> 00:41:38,551
Karsten: And if not we can just try all
ten thousand.
471
00:41:38,551 --> 00:41:42,130
Nemanja: We can just try, yeah. We can
do the other way around. So this way
472
00:41:42,130 --> 00:41:48,270
we know that… and that it starts
with these characters. And let’s try
473
00:41:48,270 --> 00:41:54,130
to brute-force it. In the meantime
let’s have a look at the Oman Air.
474
00:41:54,130 --> 00:41:57,890
They ask for the booking reference
and for the departure airport. But
475
00:41:57,890 --> 00:42:01,900
departure airport doesn’t have to be just
the departure airport but it can also be
476
00:42:01,900 --> 00:42:07,082
any airport that is within the reservation.
So for Oman Air we think that it’s
477
00:42:07,082 --> 00:42:13,090
Muscat which is the capital.
So usually… most of these slides
478
00:42:13,090 --> 00:42:18,420
go through there. Let’s see
if we can find someone who is…
479
00:42:18,420 --> 00:42:24,430
Karsten: And he’s now just trying random
booking codes that are valid within
480
00:42:24,430 --> 00:42:28,820
that name space. So, again, they don’t
really use the full entropy. So that makes
481
00:42:28,820 --> 00:42:32,830
the search a little bit quicker but other
than that it’s just a pure brute-force.
482
00:42:32,830 --> 00:42:37,830
Nemanja: And as there is no captcha as you
can see we can go on to the next one.
483
00:42:37,830 --> 00:42:39,869
So this one is the winner!
484
00:42:39,869 --> 00:42:44,180
laughter
485
00:42:44,180 --> 00:42:53,609
They trust you that it’s yours!
strong applause
486
00:42:53,609 --> 00:43:00,780
And let’s see … so we already have one
for the Oman Air. Okay. This is the one…
487
00:43:00,780 --> 00:43:01,780
this is where…
488
00:43:01,780 --> 00:43:04,910
Karsten: That was Ryanair, huh?
489
00:43:04,910 --> 00:43:07,180
Nemanja: This is the Ryanair, yeah.
490
00:43:07,180 --> 00:43:10,670
So we didn’t bring these two characters.
491
00:43:10,670 --> 00:43:15,110
But… because we wanted to hide it. If we
accidentally hit some booking with that
492
00:43:15,110 --> 00:43:18,840
card number we don’t want to show the
booking reference number of someone else.
493
00:43:18,840 --> 00:43:27,820
So it might be even some
of the people here. We can try…
494
00:43:27,820 --> 00:43:33,950
Even got one from the Pakistan. Carmen
Sandiego is flying from SXF to TSR.
495
00:43:33,950 --> 00:43:45,750
And here we can just enter the…
what was the, I think… if I’m right…
496
00:43:45,750 --> 00:43:54,140
Let’s see if this will work. Yeah, okay.
497
00:43:54,140 --> 00:43:55,400
Hello Carmen Sandiego.
498
00:43:55,400 --> 00:44:01,099
Karsten: So now we know where Carmen
Sandiego is, finally. The point is,
499
00:44:01,099 --> 00:44:05,450
we made, you can brute-force these web
sites rather easily and you don’t really
500
00:44:05,450 --> 00:44:10,410
trigger any alerts there, apparently.
Which, again, coming from
501
00:44:10,410 --> 00:44:15,180
an IT security background I find pretty
shocking. Can we switch back to
502
00:44:15,180 --> 00:44:25,140
the other screen? Let’s look at the last
security feature that we would expect
503
00:44:25,140 --> 00:44:30,090
any IT system to have, these days.
Especially knowing that it has been
504
00:44:30,090 --> 00:44:33,880
criticized for lack of IT security for
a long time. And that, of course,
505
00:44:33,880 --> 00:44:40,260
is accountability, logging. At least track
who’s legitimately or illegitimately
506
00:44:40,260 --> 00:44:45,010
accessing these records. It turns out
that it has been asked for a long time
507
00:44:45,010 --> 00:44:50,410
by different people, again most notably
Ed Hasbrouck, this privacy advocate,
508
00:44:50,410 --> 00:44:55,400
but also other reporters and other
advocates have come across this
509
00:44:55,400 --> 00:44:59,950
for years, saying “there’s rumors that,
let’s say, the Department of Homeland
510
00:44:59,950 --> 00:45:05,040
Security in the U.S., they have root access
in these GDS’s. Where are the records,
511
00:45:05,040 --> 00:45:10,310
whether they are accessing it or not.
Where are the records for abuse by
512
00:45:10,310 --> 00:45:15,390
support staff in these GDS companies.
Where are any records?”
513
00:45:15,390 --> 00:45:19,250
The GDS companies have always said,
“oh, we can’t keep any records, it’s
514
00:45:19,250 --> 00:45:26,240
not technologically possible.” I call BS
on that. They are logging… in the tiniest
515
00:45:26,240 --> 00:45:30,520
minutia, any change to a reservation
there’s a log for. And then access log
516
00:45:30,520 --> 00:45:34,910
does not exist? And it’s not
technologically possible? I think there’s
517
00:45:34,910 --> 00:45:40,119
a completely different reason behind here.
If, in fact, these companies gave access,
518
00:45:40,119 --> 00:45:45,130
unlawful access, or at least in violation
of privacy laws in, let’s say,
519
00:45:45,130 --> 00:45:49,580
the E.U. or Canada, if, in fact, they gave
that access to other governments
520
00:45:49,580 --> 00:45:54,530
the last thing you want is a trail of
evidence showing that people have
521
00:45:54,530 --> 00:46:01,070
access to records. So this has nothing to
do with technological restrictions, this is
522
00:46:01,070 --> 00:46:05,570
purely – those companies don’t wanna be
in the middle of a debate where probably
523
00:46:05,570 --> 00:46:10,810
some sealed order in the U.S. makes them
disclose all this information but laws
524
00:46:10,810 --> 00:46:14,820
in Europe make them not disclose the
information. They just don’t wanna have
525
00:46:14,820 --> 00:46:20,920
evidence either way. But that leaves us
in a very peculiar position where now
526
00:46:20,920 --> 00:46:26,020
we know that these systems are insecure,
use very bad authenticators, expose this
527
00:46:26,020 --> 00:46:31,160
over web sites that can be brute-forced
and don’t keep any record of if that
528
00:46:31,160 --> 00:46:36,780
actually happens. So it’s completely
unknown how much abuse may be
529
00:46:36,780 --> 00:46:41,810
happening here. I think we can be pretty
certain that the flight changes for people
530
00:46:41,810 --> 00:46:45,470
to fly for free, that they are not
happening very frequently because that’s
531
00:46:45,470 --> 00:46:50,580
the only one of these attack methods that
would leave very clear evidence, somebody
532
00:46:50,580 --> 00:46:55,400
actually complaining, saying “I wanted to
take my flight but apparently somebody
533
00:46:55,400 --> 00:47:01,180
else already took it before me, or
canceled it and took off with the money.”
534
00:47:01,180 --> 00:47:04,630
But the other cases we have no idea
whether or not they’re happening.
535
00:47:04,630 --> 00:47:08,480
They’re technologically possible, and
nobody seems to be looking for these
536
00:47:08,480 --> 00:47:17,040
abuse patterns. In summary, there’s just
three big global databases, two in the U.S.,
537
00:47:17,040 --> 00:47:24,240
one in Europe. They keep all the
information on all the travelers.
538
00:47:24,240 --> 00:47:29,230
This information includes your personal
contact information, payment information,
539
00:47:29,230 --> 00:47:34,250
your IP address. So lots of stuff that in
a lot of other systems we consider
540
00:47:34,250 --> 00:47:39,700
sensitive, private even. And it should be
protected with a good password. We would
541
00:47:39,700 --> 00:47:44,490
advise people to use an 8-character or
longer password, with special character.
542
00:47:44,490 --> 00:47:48,839
None of that exists here. The passwords
here are six-digits. They are less than
543
00:47:48,839 --> 00:47:53,770
five digits’ worth of entropy. They’re
printed on scraps of paper that you
544
00:47:53,770 --> 00:47:58,720
throw away. They are found on Instagram
and they’re brute-forceable through numerous
545
00:47:58,720 --> 00:48:04,290
web sites by the GDS companies and through
the travel providers. So this is very,
546
00:48:04,290 --> 00:48:10,920
very far away from even weak internet
security. This really predates the internet
547
00:48:10,920 --> 00:48:17,970
in stupidity and insecurity. And while
there’s multiple scenarios in which
548
00:48:17,970 --> 00:48:23,980
either privacy of users is at risk or even
fraud could happen none of this is even
549
00:48:23,980 --> 00:48:28,570
logged, and nobody knows or has any way
of knowing the magnitude to which
550
00:48:28,570 --> 00:48:33,130
these systems are already abused.
So what do we need here?
551
00:48:33,130 --> 00:48:38,260
We clearly need more limitations on who
can access what. This is not just my ask.
552
00:48:38,260 --> 00:48:43,020
This has been asked for 10 to 20 years.
But more on the technical level,
553
00:48:43,020 --> 00:48:48,730
in a long term, we need passwords for
every traveler. You should be able
554
00:48:48,730 --> 00:48:53,380
to post a picture of your boarding pass
on Instagram without having to worry
555
00:48:53,380 --> 00:48:57,140
about somebody abusing it. This is a piece
of paper that you will throw away.
556
00:48:57,140 --> 00:49:02,870
There should be nothing secret about it.
If you wanna share it – feel free to.
557
00:49:02,870 --> 00:49:08,010
Somebody else needs to add a password
to make that safe again.
558
00:49:08,010 --> 00:49:12,760
But that’s a very long-term goal. These
travel companies, they’re so interwoven,
559
00:49:12,760 --> 00:49:18,080
as we saw today, that all of them really
have to move at the same time.
560
00:49:18,080 --> 00:49:24,860
The GDS’s have to do their share. But then
each of the interconnected airlines has to do
561
00:49:24,860 --> 00:49:29,119
their share. We saw this one random ticket
from Instagram, so this was a Lufthansa
562
00:49:29,119 --> 00:49:35,810
ticket with some Alaska Air components
issued by United. So at least those three
563
00:49:35,810 --> 00:49:40,020
companies have to work together. And how
many more different airlines today have
564
00:49:40,020 --> 00:49:44,670
code-share agreements. So we’re talking
about hundreds of companies who have
565
00:49:44,670 --> 00:49:50,260
to come together and decide “we wanna
introduce pass codes, passwords”,
566
00:49:50,260 --> 00:49:54,730
whatever you wanna call them, “for each
booking”. So that is a long-term goal.
567
00:49:54,730 --> 00:49:59,100
In the short term, though, the very
least we can expect is for all these
568
00:49:59,100 --> 00:50:04,720
web sites that do give access to travelers’
private information to do the bare minimum
569
00:50:04,720 --> 00:50:09,460
of web security. At the very least
some rate limiting. Don’t allow us
570
00:50:09,460 --> 00:50:16,000
to throw millions of requests at your
properties, and give us back honest
571
00:50:16,000 --> 00:50:22,230
answers. That is unheard of anywhere else
in the “cloud”. But for travel systems
572
00:50:22,230 --> 00:50:27,800
who claim for themselves to be the first
cloud ever this seems to be very standard.
573
00:50:27,800 --> 00:50:32,240
And then, finally, until all of this can
be guaranteed, until there’s passwords
574
00:50:32,240 --> 00:50:36,349
and until there is good rate limiting
I think we have a right to know
575
00:50:36,349 --> 00:50:40,849
who accesses our records, and there must
be some accountability. Especially,
576
00:50:40,849 --> 00:50:46,300
knowing how insecure these systems are
today. This is a long way, and I can only
577
00:50:46,300 --> 00:50:52,540
hope that we are starting a journey by
annoying large companies like Amadeus.
578
00:50:52,540 --> 00:50:58,260
They have done their little bit of fixing
over the weekend now, so hopefully
579
00:50:58,260 --> 00:51:02,410
some others will follow suit and we
will have better systems. Until then,
580
00:51:02,410 --> 00:51:07,050
of course, I can only encourage all of you
to look at more of these travel systems
581
00:51:07,050 --> 00:51:10,950
because there’s plenty more to find.
We’re only scratching the surface here.
582
00:51:10,950 --> 00:51:14,650
And, more generally, to look at more
legacy systems. I think we’re spending
583
00:51:14,650 --> 00:51:20,119
way too much time making some already
really good crypto just a tiny bit better
584
00:51:20,119 --> 00:51:25,060
or finding a really good mobile operating
system the next little jailbreak
585
00:51:25,060 --> 00:51:31,780
that will be fixed two days later anyhow
ignoring all these huge security issues
586
00:51:31,780 --> 00:51:36,250
that have been there for many, many years
in systems that are a little bit less sexy
587
00:51:36,250 --> 00:51:40,290
and riddled with bug bounties than
something else that we do spend a lot
588
00:51:40,290 --> 00:51:46,970
of time on. So I hope I could encourage
you to do that. I wanna just hand out
589
00:51:46,970 --> 00:51:52,690
a few thank-yous to members of our team
without whom this research wouldn’t
590
00:51:52,690 --> 00:51:58,310
have been possible, and to a few industry
experts who were kind enough to
591
00:51:58,310 --> 00:52:02,630
read over these slides and provide
feedback, and help us hopefully
592
00:52:02,630 --> 00:52:07,880
not have any major gaps on our
information. And then, to you for
593
00:52:07,880 --> 00:52:11,500
showing up in such great numbers,
thank you very much!
594
00:52:11,500 --> 00:52:29,920
applause
595
00:52:29,920 --> 00:52:33,560
Herald: Wow, great talk. Thank you
very much! We have five minutes
596
00:52:33,560 --> 00:52:38,550
for Q&A. So please line up on the
microphones, and we’ll take
597
00:52:38,550 --> 00:52:40,560
some questions. First one!
598
00:52:40,560 --> 00:52:44,300
Question: Do you have any indication of
how secure the systems are on the other
599
00:52:44,300 --> 00:52:48,674
end, that the airlines supply their
fares into the entire systems?
600
00:52:48,674 --> 00:52:53,869
Is there any indication that those systems
might be more secure than
601
00:52:53,869 --> 00:52:59,180
on the customer side? Or would it
be easy to inject a cheap fare, e.g.
602
00:52:59,180 --> 00:53:02,859
by impersonating the airline
with weak passwords?
603
00:53:02,859 --> 00:53:08,450
Karsten: Honestly, we don’t know.
It was definitely on our list to research
604
00:53:08,450 --> 00:53:14,160
but we don’t have time for everything so
we focus more on the customer privacy.
605
00:53:14,160 --> 00:53:18,660
But one thing that I really would want
to test if I had any way of doing it:
606
00:53:18,660 --> 00:53:24,280
imagine the parsers for these strings.
Imagine injecting some special characters
607
00:53:24,280 --> 00:53:32,190
in that. I don’t know who creates these
strings and maybe I don’t wanna know.
608
00:53:32,190 --> 00:53:37,990
But if anybody does and you could play
with some SQL commands I think a lot of
609
00:53:37,990 --> 00:53:42,880
web sites would wake up understanding that
on that front they don’t do enough
610
00:53:42,880 --> 00:53:44,970
security either.
611
00:53:44,970 --> 00:53:48,300
Herald: Okay, question
from the Signal Angel?
612
00:53:48,300 --> 00:53:52,040
Signal Angel: A question from IRC.
Recently, U.S. Customs and Border Patrols
613
00:53:52,040 --> 00:53:56,430
started collecting social media identifiers
for foreign citizens trying to enter
614
00:53:56,430 --> 00:54:00,470
the U.S. on a Visitor Visa. Could that
information be accessible through PNR’s?
615
00:54:00,470 --> 00:54:04,830
Karsten: That’s a good question.
I don’t think you would be.
616
00:54:04,830 --> 00:54:07,030
From Audience: They are!
617
00:54:07,030 --> 00:54:08,680
Karsten: So, I…
618
00:54:08,680 --> 00:54:11,430
From Audience: Yes, they are!
619
00:54:11,430 --> 00:54:13,580
Karsten: They are in the PNR?
620
00:54:13,580 --> 00:54:15,140
From Audience: Yes!
621
00:54:15,140 --> 00:54:16,390
Karsten: Okay.
622
00:54:16,390 --> 00:54:18,650
laughter
623
00:54:18,650 --> 00:54:25,590
I would have imagined that it’s
more a case like this journalist,
624
00:54:25,590 --> 00:54:32,589
Cyrus Farivar. He requested through
FOIA disclosure all the records that
625
00:54:32,589 --> 00:54:36,600
the U.S. Government kept on his
travelling. And he found a lot more stuff
626
00:54:36,600 --> 00:54:41,899
than just in the PNR. They had notes in
there like “he’s a journalist”, “we had
627
00:54:41,899 --> 00:54:45,560
to search him extra for that”, stuff like
that. So they don’t wanna write that
628
00:54:45,560 --> 00:54:49,930
into the PNR. But the Government keeps
separate records that may be indexed
629
00:54:49,930 --> 00:54:51,880
by PNR, I don’t know.
630
00:54:51,880 --> 00:54:54,780
Herald: Okay, microphone here!
631
00:54:54,780 --> 00:54:58,690
Question: Can you say something about
how long information will be stored
632
00:54:58,690 --> 00:55:04,700
in those travel systems, and whether users
have a right to get them deleted?
633
00:55:04,700 --> 00:55:11,500
Karsten: That’s a good question. I think
that differs by system. So in Amadeus
634
00:55:11,500 --> 00:55:17,180
records are removed pretty quickly. Days,
or at most, weeks after the last flight is
635
00:55:17,180 --> 00:55:21,349
finally done. But in Sabre I had the
impression that much older records were
636
00:55:21,349 --> 00:55:25,960
still in there. Which may explain why
their data set is so dense. If you keep
637
00:55:25,960 --> 00:55:29,500
accumulating all the information. By the
end of the day this is all going back
638
00:55:29,500 --> 00:55:33,859
to mainframe technology. So I don’t think
anybody understands these algorithms
639
00:55:33,859 --> 00:55:36,210
any more. They just kind of work.
640
00:55:36,210 --> 00:55:38,170
Question: The deletion?
641
00:55:38,170 --> 00:55:41,750
Karsten: The deletion, yeah. I don’t think
you can request anything to be deleted.
642
00:55:41,750 --> 00:55:45,890
I don’t think they consider you
a person that they wanna talk to.
643
00:55:45,890 --> 00:55:47,560
You’re not the customer!
644
00:55:47,560 --> 00:55:49,680
Question: Thanks!
645
00:55:49,680 --> 00:55:52,150
Herald: Okay, the microphone
there, in the…
646
00:55:52,150 --> 00:55:56,430
Question: It seems that the immediate way
to abuse these systems is, like you said,
647
00:55:56,430 --> 00:56:01,710
with abusing money, and the mileage etc.
It seems that those paths are actually
648
00:56:01,710 --> 00:56:05,800
somehow monitored by airlines, so if I’m
collecting miles and take it not under
649
00:56:05,800 --> 00:56:09,460
my name that would raise some flags.
You think that’s not the case?
650
00:56:09,460 --> 00:56:15,700
Karsten: Yes, I should have been more
explicit how this attack works,
651
00:56:15,700 --> 00:56:19,950
the mile diversion. So, of course, you
have to have an account in the same name
652
00:56:19,950 --> 00:56:24,570
as the person flying. So had his demo
worked, he would have a PNR for
653
00:56:24,570 --> 00:56:28,650
a lady Carmen Sandiego. You can just go
to miles&more and create an account
654
00:56:28,650 --> 00:56:33,589
under that name. A lot of airlines, though,
they also allow you to change your name.
655
00:56:33,589 --> 00:56:38,470
So you just change it whenever you found
a round trip Australia ticket,
656
00:56:38,470 --> 00:56:42,510
you change the name to whatever that
target name is. And I know for a fact
657
00:56:42,510 --> 00:56:49,040
that people are doing that right now, not
you guys, before even. Based on Instagram
658
00:56:49,040 --> 00:56:53,720
photos. So people are diverting miles by
creating new accounts or by keeping
659
00:56:53,720 --> 00:56:58,109
changing the names of the accounts.
And yes, airlines do sometimes notice this
660
00:56:58,109 --> 00:57:04,790
but only when it becomes excessive.
And sure, that’s their money. I just hope
661
00:57:04,790 --> 00:57:08,790
that it will become so excessive that
it’s such a big problem that it can’t be
662
00:57:08,790 --> 00:57:13,760
ignored any more. And then the privacy
issues get fixed on the same token
663
00:57:13,760 --> 00:57:18,470
where privacy is never enough to convince
a big company. But if you throw in
664
00:57:18,470 --> 00:57:20,800
a little bit of fraud it may be enough.
665
00:57:20,800 --> 00:57:29,080
applause
666
00:57:29,080 --> 00:57:31,624
Herald: Okay, one last question.
Microphone here!
667
00:57:31,624 --> 00:57:36,600
Question: Hi Karsten! When people use
like GDSs they have these really archaic…
668
00:57:36,600 --> 00:57:41,180
there are not even… there are like actual
terminals, not even pseudo-terminals.
669
00:57:41,180 --> 00:57:45,190
And then they expose like these APIs for
the sake of writing your code in like Java
670
00:57:45,190 --> 00:57:49,260
or whatever. I’m wondering if there’s
research to be done at that level?
671
00:57:49,260 --> 00:57:53,880
Or did you just not look at that, or
that’s just an area of further research?
672
00:57:53,880 --> 00:57:59,329
Karsten: We did, quite a bit. But we found
no way of making that public in any way
673
00:57:59,329 --> 00:58:05,720
that wouldn’t require a login from a
travel agency and all of that good stuff.
674
00:58:05,720 --> 00:58:11,550
So I think the most I wanna say about that
is the logins that travel agencies have,
675
00:58:11,550 --> 00:58:15,630
they’re terribly secured. But, of course,
I can’t encourage anybody to go out
676
00:58:15,630 --> 00:58:20,630
and hack them. But if you did and you had
access you’d be logging in to something
677
00:58:20,630 --> 00:58:24,760
that looks like a terminal. And you’d be
typing some commands. And the next thing
678
00:58:24,760 --> 00:58:29,940
you know it throws a Java stack trace at
you. So these just look like terminals.
679
00:58:29,940 --> 00:58:33,579
They have moved well beyond that while
still maintaining this look and feel
680
00:58:33,579 --> 00:58:38,110
of a mainframe. And they’re terribly
insecure. So these stack traces, they just
681
00:58:38,110 --> 00:58:41,510
come left and right even if you
try to do the right thing!
682
00:58:41,510 --> 00:58:43,200
laughter
683
00:58:43,200 --> 00:58:45,290
Question: Thanks!
Herald: Okay we have one question
684
00:58:45,290 --> 00:58:47,099
from the internet!
685
00:58:47,099 --> 00:58:52,970
Signal Angel: Somebody wants to know,
how do you avoid DDoS’ing those services
686
00:58:52,970 --> 00:58:56,730
when you just brute-force the booking
numbers?
687
00:58:56,730 --> 00:59:01,813
Karsten: A good question. Of course we
don’t wanna hurt anybody, so we tried to
688
00:59:01,813 --> 00:59:07,490
keep the rates low. And it turns out if
you throw 20 Amazon instances at them
689
00:59:07,490 --> 00:59:09,711
they don’t go down yet. And…
690
00:59:09,711 --> 00:59:11,460
laughter
691
00:59:11,460 --> 00:59:14,260
Herald: Okay. Thank you very much,
Karsten and Nemanja!
692
00:59:14,260 --> 00:59:20,559
applause
693
00:59:20,559 --> 00:59:23,900
postroll music
694
00:59:23,900 --> 00:59:45,000
subtitles created by c3subtitles.de
in the year 2020. Join and help us!