[33C3 preroll music]

Herald: So many of us traveled to this Congress. Probably most of us. And we all took trains, or planes, or… maybe somebody drove by car. But most took trains and planes. And have you guys ever wondered about the infrastructure of those travel booking systems? Even more interesting, have you ever thought how secure those systems are? Karsten Nohl and Nemanja Nikodijevic… Karsten has a really nice record of security research. He had talks about GSM protocols and last year he had his talk about payment system abuse which was really interesting. Together with Nemanja, he will show us his research on travel booking systems. And probably we will find out how we can get home free. Please give a really, really warm welcome to Karsten and Nemanja! [applause]

Karsten Nohl: Thank you very much! Always feels great to be back! I just today noticed that the first time I was speaking at this conference is 10 years ago. So 10 years of… [applause] …thank you. 10 years of looking at 10 different legacy systems and finding vulnerabilities in all of them, so far. A lot of them were around RFIDs, or mobile protocols. This time we’re looking at something completely different, travel booking systems. And vulnerabilities in there. Relative to some of the other talks we’ve been giving, this will have less ‘hacking’ in it. Not because we lost our interest in hacking but because much less hacking was actually needed to exploit vulnerabilities here. [laughter] So, sorry for that if you expected a lot of hacking. There’ll be a little bit, that’s why Nemanja is here, but a little bit less than usual. So we’re talking about travel systems. And there are 3 main players, or actors, in the commercial travel world. There are those people who provide travelling, airlines and hotels. There are those people who help you book them, Expedia, websites like that or traditional travel agencies.
And then there are brokers who make sure that whatever is available can be booked through those agents. So those are really the backbone of travel systems but you don’t really think about them much, or at least I didn’t before looking into this research. The systems are very useful, as global systems. In fact, they’re called “global distribution systems”. And that tells you how old they are. This is before the internet was there. They go back to the 80s and 70s. So there was only one system that deserved the name of a global distribution system of, in this case, data. And this was the travel system. So it makes sense to have these systems because, of course, one seat on an airplane shouldn’t be sold multiple times, so there needs to be a global inventory somewhere. Also all airlines should be using just a few systems so that they can do ‘codeshare agreements’, e.g. so that, again, the same seats on a flight aren’t booked multiple times. And, consequently, these booking systems, they maintain three types of information. The first one, you are probably most aware of, are the prices. Airlines will put their price lists into these systems for booking sites to fetch. They’re called ‘fares’ in the travel world. The next important data item in there is ‘availability’. So not everything can be booked that has a price. There needs to be a seat available at a certain booking class. And, finally, when somebody does find an available seat to a fare that they want to purchase that is then converted into a ‘reservation’. So this is after the seat is taken. You may have seen some of this information before on travel web sites. Let me just show you the one that I like to use the most. The ‘ITA Matrix’ has been bought by Google a few years ago. So you can’t actually book through here any more. But they maintain the interface for whatever reason. And so, let’s say you search for a flight to San Francisco from here, at the end of the year.
This, like any other web site, will give you plenty of options from the different airlines. What’s different for this web site is that they give you a lot more details, if you know where to click. So the cheapest flight, really cheap actually, 325 bucks to go to San Francisco for New Year’s, a one-way trip, and what I like on this web site is the rules. So this is real data, that is kept in one of these GDS systems. And this already looks like the 70s, right? [laughter] This would usually be shown on a terminal, maybe green font on black background, and somebody would read through here, and I would say, okay, so you wanna book for a certain day, it’s okay, the dates match, you wanna go on TAP (TP) – Portugal Airlines – so okay, that matches, and you could also take a few other airlines, and then you have to meet certain other restrictions, e.g. you can stop over here. So this flight goes through Lisbon, you can stay in Lisbon for up to 84 hours before flying on to the U.S. That’d be nice. And then it has all these other rules in here, e.g. you cannot cancel this ticket, right? It’s non-refundable. But you can change it for a fee. And this goes on and on and on. For just a single fare, and there’s, of course, tens of thousands of fares available. Now this, you may be surprised to hear, is the only form in which these fares are available. There isn’t an XML, there isn’t a web service, this is how the airlines publish them. And then a web site like Expedia, they have to write a parser for it to be able to present flight options to you. You may have noticed if you tried to change or cancel flights they don’t allow that on web sites often. Expedia e.g. doesn’t, you have to call them. And if you call them they say: “Give me a moment, I have to read through the fare rules.” So in that case they just didn’t parse all this information. That’s the first thing that’s kept in these… or maintained in these large GDS, the booking systems: the fares.
The other thing is the availability. That’s a little bit harder to access through public web sites. ExpertFlyer is probably the best one to use. And availability is important. If you actually wanted to fly to San Francisco now for New Year’s we looked at the fare, well, this is Booking Class ‘O’, this is always the first letter. And then, if you look at the availability for Booking Class ‘O’, unfortunately it says ‘C’ for ‘closed’. So they don’t accept any more bookings. So just because there’s a price available doesn’t mean that anybody can actually book this flight. And, again, somebody like Expedia would have to now combine all of these different pieces of information to present a list of flight options for you. So let’s assume they did that and you did book something. Then, the third data item is created in one of these GDS. And that’s the ‘passenger name record’, PNR. And that looks something like this. Again, you’ll notice the same 70s/80s style. With lots of private information. Ed Hasbrouck – he is a privacy advocate in the U.S., probably the loudest voice to ask for more privacy around travel booking, and he was kind enough to make this available on his web site, for all to see what information is kept. So, contact information, of course, things like e-mail. This one shows you again how old these systems are. So they don’t have the ‘@’ character! This is using a character set from punch cards! And on a punch card you had 6 possible punches per character. So everything here needs to be encoded with a 6-bit character. And there’s no space for ‘@’. So all ancient stuff. But still, a possible privacy hazard, right? You wouldn’t want anybody to access this kind of information about yourself. The three main players who run GDSs – Amadeus, mostly in Europe, Sabre, mostly in the US, and then there’s Galileo that merged with a few other things into ‘Travelport’. And Galileo isn’t really so much used by airlines but it’s more used by travel agencies.
And then, often, multiple of these systems are involved in the booking. So let’s say you go through Expedia and you book an American Airlines flight, the PNR has to be kept in Amadeus as well as Sabre. So there’s two copies here. Or let’s say you go through a travel agency that’s connected to Galileo, and you book a flight that has both Lufthansa and Aeroflot segments, it would be kept in all three of them. So this is lots of redundancy depending on where your flight segments and booking agents come from. But suffice it to say there are three big companies, who apparently hold on to the private information of all travelers. Hundreds of millions of records for each of those systems. And we wanted to find out whether they can sufficiently protect this information. And there’s, of course, reasons to believe that they can’t. This is very old technology and it’s unclear whether they ever did any major security upgrades. But at the same time there’s reasons to believe that they are very well secured because this PNR data, this very information about travelers, has been disputed between different governments for a long time, in particular the U.S. Government, asking for more and more information since 9/11 in multiple waves, and the E.U. governments that say: “No, you can’t have more information than you absolutely need.” So they agree politically that, yes, the U.S. can get information on those travelers going to the U.S. but only certain data fields, and have to delete them after a few years. So this was years of negotiation. And you’d imagine that the systems at the forefront of this dispute, they’d be secure enough that, let’s say, we couldn’t access that same information that even the U.S. Government is supposed to not access. So we set out to answer this simple question: do these GDSs, do they have normal, basic security?
Do they constrain access, do they authenticate users well, do they protect through rate limiting from web attacks, and do they log to be able to detect any possible type of abuse? We’ll go through each of them to see where those systems stand. Let’s start with access control. And this is just drawing from public sources, so, again, Ed Hasbrouck, this privacy advocate in California, he has been the loudest voice here, saying there’s overreach by a lot of players already accessing PNR information. So e.g. if you have a booking, let’s say a flight booking, anybody who works at this airline can access your information. But then, if you add, let’s say, a car reservation to the same booking, anybody who works at the car rental company can also access, let’s say, the flight information. And any agent at the booking agency that you use can access all of this information. And if you keep adding information all of these people still have access to it. That’s just how these systems grew over time, but that’s a first indication to me that this certainly wasn’t built with modern security in mind. Most concerningly, the people working at or for the GDS companies, they have access to everything, absolutely everything. Including their support staff, as far as I understand. So these are external companies that help debug the system, and they have access to hundreds of millions of people’s private information. So way too many people have access to way too much information, e.g. if you did an online booking your IP address is stored there, basically forever, well, until the flight is over. But any of these people can now access your IP address, your e-mail address, phone number and all of this. So definitely that doesn’t seem to be fine-grained access control. But, as I said earlier, this has been known for a long time and criticized a lot. Not acted on, though, yet! How about authentication? The picture is actually even worse for authentication.
And I want to distinguish two different cases here. I wanna distinguish professionals accessing records, so people working at travel agencies and airlines. And, as a second case, I wanna distinguish travelers accessing their own records, like when you check in online e.g., you access your own record. Professionals, the way they access it, typically, is that their agency is connected to one of these GDSs through basically one account. So an entire agency system, or at least an entire location, uses one account. So years ago somebody typed in some user name and password, and then it’s long been forgotten because locally they use a different access management. A few travel agencies were kind enough to help us in this research, and their access credentials, we saw them using, they’re just terrible. E.g. for one of the big systems that I won’t name you need the agent ID, so that you can get pretty easily. And then a password for the web service, so for the modern way of accessing, this is WS for web service and the date on which the password was created. So even if you have to brute-force 20 years, how many possible dates does a single year have? Times 20. This is ridiculously low entropy for an account that is supposed to protect information of millions of people, if not more. This is the best authenticator that we found in these systems! [laughter] It gets worse with travelers accessing their own information. Because there they just simply forgot to give you a password, not even a terrible password like this; there just isn’t one. And what they use instead is the booking code, ‘PNR locator’ it is sometimes called. I call it booking code. It’s a six-digit code. When you check in online you need that code. And you only need that code and your last name. So you’d imagine that, if they treat it as a password equivalent, then they would keep it secret like a password. Only – they don’t, but rather print it on every piece that you get from the airline, e.g.
on every piece of luggage you have your last name and a six-digit code. On your boarding pass – it used to be there, and then it disappeared and then these barcodes showed up. So it’s inside the barcode. If you decode the barcode there is your PNR in there. I erased it here, this is still for a valid booking. [laughter] So, you have these six-digit codes printed everywhere and you can just find them on pieces of scrap at the airport. Certainly these tags you find all over, but also people throwing away their boarding passes when they’re done. And this is supposed to be the only way of authenticating users. And we’ll show you in a minute what kind of abuse is possible through that. But let’s first think about where else you could be able to find these PNR codes. Could it get any worse than somebody printing your password on a piece of paper that you throw away at the end of your journey? Of course the internet can make it worse! And what better technology to worsen the security problem than Instagram? So on Instagram… [laughter and applause] So you got all these bookings. And, in fact, there was one guy here, you see, he actually erased the information. But for one who knows what’s up, everywhere, there’s a hundred who don’t. And this is really all information you need. I saw a Lufthansa one just now, where was that? – Here. So here is a Lufthansa one. This is from today, posted by markycz at Frankfurt. This is really all you need to get somebody’s… [laughter and applause] Let’s see if this works. Yeah, sure enough. So. [laughter] ‘Marky M.’ on Instagram is apparently Marketa Mottlova and this is her booking reference. [laughter] I was debating whether or not to show this but you guys are gonna do it anyway when I’m done with this talk. [laughter, cheers and applause] So a flight today from Munich to Frankfurt and then on to Seattle. Let me point out one thing here. Where did I see the ticket number? [off-camera mumbling on stage] Just use mine! It’s AndroidAPKN. Oops.
And then let me write down the password. Okay. Alright. So what I wanted to point out is that this isn’t even a Lufthansa ticket. So she checked in with Lufthansa in Frankfurt. But if you look at the ticket number, 016, that’s a United [Airlines] ticket. And it also includes flights on Alaska Airlines e.g. So any of these airlines have full access to this PNR. And many of them will just grant people access to it if they know the PNR and the last name. As Nemanja will show in a minute, even if they don’t know that yet. So… To recap for the moment: airlines give you a six-digit password that they print on all kinds of pieces of paper and that you will post on Instagram. Why shouldn’t you, everybody else does, too, apparently. 75,000 people at least over the last couple of weeks. So the authentication model here is severely broken, too. And what kind of abuse arises from this? Of course, you can now use this PNR, log in on Lufthansa as I have just done or a more generic web site, like Checkmytrip, and look up people’s contact information at the very least. So there’s always an email address in there. There’s usually a phone number in there. If in Lufthansa you click on “I wanna change my booking” probably they’ll ask you for your payment information and pre-fill the postal address for that. So you get somebody’s postal address that they used for the booking, passport information, visa information. If you travel to the U.S. as she does there’s definitely passport information in the PNR. All of this information is now readily accessible. Now so far there was zero hacking involved. That’s why we have Nemanja here who will show you some actual hacking to get even deeper into these systems. Can we switch the screen?

Nemanja Nikodijevic: So when… [laughter] When we started this research we needed to find lots of these booking numbers to see if there is some relation between them.
So luckily we didn’t have to make any bookings that we had to pay for because there are web sites like this one where you can just make a booking and pay it later but you get the booking reference number at the time. So let’s make some very normal German name… [laughter] …looking for someone from Germany. Actually they check the phone number, so it has to follow a certain form. Let’s find Germany… from Berlin, 1234567. [laughter] And then ‘hans@sandiego.com’. As you can see I tried quite some… [laughter] So for this one we already got our booking reference number which is Y56HOY. And this one, in a minute. Okay, we have to wait a bit. Y5LCF4. So if you notice they are very close to each other, so they both start with Y5 which means that they were booked on the same day. Probably because one is on Lufthansa, the other one is on Air Berlin, there is a slight difference. They are not exactly sequential. But we can say that they are concentrated in a certain range for a certain day. What we can do now is we can go to one of our servers. At first we have to check if Checkmytrip works because I had some issues with the network. That’s… ooh! [laughter] This is a bit unexpected. We will have to skip this part where we actually look for Carmen Sandiego in one of our bookings. But…

Karsten: Well, this is a side effect of responsible disclosure. So you tell a company that on this day you’ll do that thing to that web site, and they just either block the IP ranges here or just took down the web site, which they have done a few times before. What you can do is… – say it again!!

From audience: Can you test the hot spot?

Karsten: Actually, I think the whole web site is turned off.

Nemanja: What we can demonstrate, I think, is that if we go with this booking number to the Air Berlin web site, and then type the last name, “Mueller”. And actually, because it’s six-bit encoding it has to be “UE”, no umlauts allowed. So, “Select all the food!” [laughter and applause] Let’s see if we can find this flight.
Karsten: The part of the demo that you didn’t show is just brute-forcing these ranges. If you know which ranges are used in a day you can try them all. Or at least we did many times. That would then, in theory, give you access to all of this. And not just in theory, in practice, unless they take down their entire web site which they knew we were gonna use for this demo.

Nemanja: But on this, for example, if we caught that flight that we wanted to catch…

Karsten: We’ll show it later. But at least the first win for privacy: no information is leaked through this web site for the rest of this talk, at least! [laughter and applause] Can we switch back to the other screen? [ongoing applause] One thing that you would have noticed had this not just been a flight reservation but an actual ticket: it would have given you options to rebook it, to add a frequent flyer number, all of that good stuff. So what’s the abuse potential here? So far we’ve only talked about privacy intrusion. And privacy intrusion is bad enough. Imagine somebody is snapping a picture of your luggage, that person has your email address and your phone number, right there, right then. But the abuse potential goes much beyond that. For instance, you can fly for free! You can fly for free using different methods. You can find somebody else’s booking and just change the date. The ticket… in fact, we can show it a little bit later. We had prepared for this demo that we are going to find, through a little bit of brute-force, a flexible ticket. So you can just change the date, and change the email address. You just take that flight yourself. And as the airline checks… compares the ticket and your passport – oftentimes they do it visually. What they’ll do is they’ll send you a PDF, you change the name, you take it anyway. But at least in Schengen, in the EU, people don’t even do that. Let’s say you wanted to take it in your name.
You can, depending on the airline, call them up or even use their web sites to cancel the ticket, and then issue a refund to you inside the PNR, and then use the money that’s freed up there to book a new ticket. Some airlines also give you MCOs – miscellaneous charges orders. Americans will know this very well, every time you get bumped from a flight they give you an MCO, “sorry, we can’t fly you home today, you’ll have to go tomorrow, but here is $1,000 towards a new ticket”. It’s real airline cash. And those same MCOs you can issue based on flight cancellation. So you cancel somebody else’s ticket and you get airline money to book your own ticket. And, again, there are no passwords involved. The only authenticator is this six-digit sequence that people post on Instagram, print on their boarding passes and that Nemanja should be able to brute-force on their web sites. What else can you do, once you have somebody’s PNR? You can change or add a mile number. And some tickets are really attractive for mile collection. Take a round trip to Australia in 1st class, get 60,000 miles right there, for one round trip, for one PNR. And that will get you a sweet, free flight to somewhere nice, or even some voucher for online and offline shopping. One website that I wish was still working is, of course, this one. [laughter] But they shut down business, apparently. Unrelated to this talk. [laughter and single claps] So you have access to somebody’s PNR, you can not just stalk them but change their flights or – which may trigger some curiosity – that flight can be taken twice. But you can very stealthily add your mile number everywhere, well, a new mile number matching that name, to collect those sweet miles. Now, are all airlines affected by that? The demo that we didn’t get to show brute-forced, for one last name, Sandiego, all the PNRs for a day. And it quickly found, in fact, a bunch of records. There’s not just one Sandiego flying that day.
But some airlines are a little bit smarter. For instance American Airlines, the largest airline in the world, they don’t just want the last name but also the first name. And if you’re interested in one specific person, let’s say ‘Carmen Sandiego’, you would still find that person. But if you want to conduct fraud that becomes a little bit more tricky. A fraudster would just pick a random, very popular last name and brute-force PNRs there. And that becomes more difficult if you also have to guess a first name. However, even American Airlines, those records can be accessed through other web sites. For instance Viewtrip, this is another generic web site like this infamous Checkmytrip that just went offline. And Viewtrip allows you to brute-force by just last name and PNR, again. So there’s multiple ways to access the same information. Some of which are more secured than others. And, of course, only the weakest link matters. So Viewtrip, what they would say is they found the record and they can’t give you access to the information, but then TripCase will, which, again, takes only last name and reservation number. And they will tell you the first name also, that then you can type into the American Airlines web site again [laughter] to change the booking, let’s say. So there’s all these different ways to access a person’s information here. And everybody is slightly different. So let’s look at the entire universe of travel web sites, starting with just three big travel providers. Each of them uses six-digit booking codes. But they use these six digits rather differently. Sabre e.g. they don’t use any numbers which of course severely impacts the entropy. But then others, e.g. Amadeus, they don’t use 1 and 0, because that could be confused with I and O, and then Galileo drops a few other characters. So at the end of the day none of them really uses the entropy of even a six-digit pass code. All of them have lower entropy than a randomly chosen 5-digit password.
And we will never recommend anybody to use a 5-digit password, right? So this is strictly worse. And what makes it even worse, at least for privacy-intruding attacks, is the sequential nature of these bookings. You saw the two that Nemanja just now generated. Both of them were from the same, very small subset. So if you just wanted to know all the bookings that a person did today, you can brute-force this in 10 minutes with a few computers running in parallel. It’s not so easy on Sabre because they seem to be chosen more randomly. However, Sabre has the lowest entropy, so if you just randomly want to find bookings for popular last names Sabre is your system of choice. They’re all weak, but the weaknesses differ in shades of grey for this privacy-intruding and for the financial fraud-type attacks. As one example, though, of how easy it is to find these booking codes: if you look up 1,000 just randomly chosen booking codes in Sabre for the last name ‘Smith’, five will come back with current bookings. So half a percent of the entire name space is filled with current bookings for people called ‘Smith’! Now, add in all the other last names, their name space must be pretty damn full. And it’s only 300 million records if you calculate the entropy. So it looks like almost every record is used up and they’re running out of space. So they’ll have to fix this anyway at some point. But that, of course, makes it all the easier to randomly find and abuse other people’s bookings. Each of those providers runs a website that allows you to access all the PNRs in their system if you know the PNR and the last name. And one German reporter writing about this, he calls them the websites that you didn’t know existed, that you have no use for but that, anyway, put your privacy at risk. So there doesn’t seem to be any upside to these web sites. I certainly don’t need to use them but they’re there, and they’re bad.
Because when we did the research none of them had any protection from brute-forcing, meaning we could try 100,000, even millions of different combinations – PNR and last name – and those websites wouldn’t complain even a bit. We did expose Amadeus to way more queries than the others and at some point they did notice, maybe also because some reporters just asked them for comments on the research. They have tried to improve. So the classic checkmytrip.com website that was just killed a few days ago – R.I.P., thank you, it’s gone, 50% of the problem solved. But the other website, that was still around up until literally half an hour ago. What they did over the last couple of days was, they added a captcha. But the captcha gave you a cookie. And the cookie you could again use for an indefinite number of queries. [laughter] It’s a company that just hasn’t done web security before. But then they also limited the number of requests per IP address. Now, we do this from Amazon, so it’s not so difficult to spawn new IP addresses, but still… it severely slows us down. About 1,000 requests per IP address. Even if they now took down checkmytrip for good, of course, this is not the only path to a reservation. As we’ve seen before you can just use the provider’s web site directly. And the popular ones in Germany, they differed in security quite a bit when we checked a few weeks ago. So Lufthansa itself differed on their different properties. The standard website asked for a captcha, not the first time, but I think starting from three requests, so a really good compromise. They make it comfortable to use for really anybody who just wants to look up their own records. But then they make it a little bit more painful for somebody who tries to look up too many. But then the mobile version e.g. didn’t have that captcha. And again, the weakest link principle applies.
Air Berlin, they had some rough IP filter, again, 1,000 requests per IP, that’s a little bit too much, they introduced a captcha today! So, again, in response to this. This is already showing some effect. Thank you to checkmytrip and Air Berlin for working on this over the holidays, much appreciated. Maybe, if you know anybody, thank you! [applause] On the other GDSs the situation is much worse still. They’re still as brute-forceable as they ever were, as are the web sites. Except for the little bit of first-name extra complication on American Airlines, every web site we have tried is not protected from brute-forcing. And this is surprising to me. In my consulting work I have never seen a web site where not the first pentester ever looking at it would say: “Oh, you didn’t have rate limiting in it, please add it!” and then, two days later they had. So for most of this industry that is yet to happen. So no cookie here, either. Let’s talk about one more abuse scenario that’s… I can say they’re very relevant but that’s maybe because in my consulting life I’ve been dealing with human security for the last couple of years, appreciating that technology is mostly not the weakest link but the gullibility of people working in the company. And the same probably goes for travelers. Imagine the scenario where you made a booking, just a few minutes ago. And now that airline, or at least it looks like that airline, sends you an e-mail saying “Thank you for making this reservation, here is all your booking stuff, summarized for you, please update your credit card information, though. The booking didn’t go through.” I would click on that. I expect them to e-mail me, I know that sometimes credit cards are fuzzy, I would click on it and enter my credit card information again. And how is this possible? Of course we can stay ahead of the current pointer in these sequences and find bookings that were made in the last, let’s say, half an hour, for popular last names again.
And each of those bookings will point us to an e-mail address, and give us all the context we need to include in this very, very targeted phishing. If nothing else, I think this should convince the airline industry to close these loopholes because the evilness of the internet will not ignore this forever. Phishers are always looking for new targets, and this will be a very juicy one. So we looked at the three big GDSs now. There’s a few other players, e.g. SITA. It looks like it’s on the way out but these two very big airlines, they still use it. So they’re certainly still relevant. They are even worse. They use, instead of a six-digit booking code, five digits. And one digit is fixed per airline. So if you know you’re looking for Air India you don’t even have to brute-force that, leaving just four digits to go through, and to brute-force. Now we don’t have a demo for this because we found three other more fun ones to demo. So… [laughter] Nemanja will now show you Ryanair, Oman Air and Pakistan International Airlines. Note that all of these are connected to big GDS systems. So it’s now the web sites that make it even worse than we already discussed before. And can we switch over to the other computer again? Thanks.

Nemanja: Yeah, I guess many people fly with Ryanair here. They use Navitaire which is now owned by Amadeus. So they don’t share the same address space. But on the Ryanair web site you can either search for the reservation with the e-mail address and the reservation number or the last four digits of the credit card that you used for booking. [laughter]

Karsten: Again, great authenticator, right? Ten thousand options.

Nemanja: As they don’t have a captcha we can have a look for… So we know that the last four digits of Carmen Sandiego’s card are these.

Karsten: And if not we can just try all ten thousand.

Nemanja: We can just try, yeah. We can do it the other way around. So this way we know that… and that it starts with these characters.
And let’s try to brute-force it. In the meantime let’s have a look at Oman Air. They ask for the booking reference and for the departure airport. But the departure airport doesn’t have to be just the departure airport, it can also be any airport that is within the reservation. So for Oman Air we think that it’s Muscat which is the capital. So usually… most of these slides go through there. Let’s see if we can find someone who is… Karsten: And he’s now just trying random booking codes that are valid within that name space. So, again, they don’t really use the full entropy. So that makes the search a little bit quicker but other than that it’s just a pure brute-force. Nemanja: And as there is no captcha, as you can see, we can go on to the next one. So this one is the winner! laughter They trust you that it’s yours! strong applause And let’s see … so we already have one for Oman Air. Okay. This is the one… this is where… Karsten: That was Ryanair, huh? Nemanja: This is Ryanair, yeah. So we didn’t bring these two characters. But… because we wanted to hide it. If we accidentally hit some booking with that card number we don’t want to show the booking reference number of someone else. So it might be even some of the people here. We can try… Even got one from Pakistan. Carmen Sandiego is flying from SXF to TSR. And here we can just enter the… what was the, I think… if I’m right… Let’s see if this will work. Yeah, okay. Hello Carmen Sandiego. Karsten: So now we know where Carmen Sandiego is, finally. The point is, we made, you can brute-force these web sites rather easily and you don’t really trigger any alerts there, apparently. Which, again, coming from an IT security background I find pretty shocking. Can we switch back to the other screen? Let’s look at the last security feature that we would expect any IT system to have, these days. Especially knowing that it has been criticized for lack of IT security for a long time.
And that, of course, is accountability, logging. At least track who’s legitimately or illegitimately accessing these records. It turns out that it has been asked for a long time by different people, again most notably Ed Hasbrouck, this privacy advocate, but also other reporters and other advocates have come across this for years, saying “there’s rumors that, let’s say, the Department of Homeland Security in the U.S., they have root access in these GDSs. Where are the records, whether they are accessing it or not? Where are the records for abuse by support staff in these GDS companies? Where are any records?” The GDS companies have always said, “oh, we can’t keep any records, it’s not technologically possible.” I call BS on that. They are logging… in the tiniest minutia, any change to a reservation there’s a log for. And then an access log does not exist? And it’s not technologically possible? I think there’s a completely different reason behind here. If, in fact, these companies gave access, unlawful access, or at least in violation of privacy laws in, let’s say, the E.U. or Canada, if, in fact, they gave that access to other governments the last thing you want is a trail of evidence showing that people have access to records. So this has nothing to do with technological restrictions, this is purely – those companies don’t wanna be in the middle of a debate where probably some sealed order in the U.S. makes them disclose all this information but laws in Europe make them not disclose the information. They just don’t wanna have evidence either way. But that leaves us in a very peculiar position where now we know that these systems are insecure, use very bad authenticators, expose this over web sites that can be brute-forced and don’t keep any record of whether that actually happens. So it’s completely unknown how much abuse may be happening here.
I think we can be pretty certain that the flight changes for people to fly for free, that they are not happening very frequently because that’s the only one of these attack methods that would leave very clear evidence, somebody actually complaining, saying “I wanted to take my flight but apparently somebody else already took it before me, or canceled it and took off with the money.” But the other cases we have no idea whether or not they’re happening. They’re technologically possible, and nobody seems to be looking for these abuse patterns. In summary, there’s just three big global databases, two in the U.S., one in Europe. They keep all the information on all the travelers. This information includes your personal contact information, payment information, your IP address. So lots of stuff that in a lot of other systems we consider sensitive, private even. And it should be protected with a good password. We would advise people to use an 8-character or longer password, with special characters. None of that exists here. The passwords here are six digits. They have less than five digits’ worth of entropy. They’re printed on scraps of paper that you throw away. They are found on Instagram and they’re brute-forceable through numerous web sites by the GDS companies and through the travel providers. So this is very, very far away from even weak internet security. This really predates the internet in stupidity and insecurity. And while there’s multiple scenarios in which either privacy of users is at risk or even fraud could happen none of this is even logged, and nobody knows or has any way of knowing the magnitude to which these systems are already abused. So what do we need here? We clearly need more limitations on who can access what. This is not just my ask. This has been asked for 10 to 20 years. But more on the technical level, in the long term, we need passwords for every traveler.
You should be able to post a picture of your boarding pass on Instagram without having to worry about somebody abusing it. This is a piece of paper that you will throw away. There should be nothing secret about it. If you wanna share it – feel free to. Somebody else needs to add a password to make that safe again. But that’s a very long-term goal. These travel companies, they’re so interwoven, as we saw today, that all of them really have to move at the same time. The GDSs have to do their share. But then each of the interconnected airlines has to do their share. We saw this one random ticket from Instagram, so this was a Lufthansa ticket with some Alaska Air components issued by United. So at least those three companies have to work together. And how many more different airlines today have code-share agreements? So we’re talking about hundreds of companies who have to come together and decide “we wanna introduce pass codes, passwords”, whatever you wanna call them, “for each booking”. So that is a long-term goal. In the short term, though, the very least we can expect is for all these web sites that do give access to travelers’ private information to do the bare minimum of web security. At the very least some rate limiting. Don’t allow us to throw millions of requests at your properties, and give us back honest answers. That is unheard of anywhere else in the “cloud”. But for travel systems who claim for themselves to be the first cloud ever this seems to be very standard. And then, finally, until all of this can be guaranteed, until there’s passwords and until there is good rate limiting I think we have a right to know who accesses our records, and there must be some accountability. Especially knowing how insecure these systems are today. This is a long way, and I can only hope that we are starting a journey by annoying large companies like Amadeus.
They have done their little bit of fixing over the weekend now, so hopefully some others will follow suit and we will have better systems. Until then, of course, I can only encourage all of you to look at more of these travel systems because there’s plenty more to find. We’re only scratching the surface here. And, more generally, to look at more legacy systems. I think we’re spending way too much time making some already really good crypto just a tiny bit better or finding in a really good mobile operating system the next little jailbreak that will be fixed two days later anyhow, ignoring all these huge security issues that have been there for many, many years in systems that are a little bit less sexy and riddled with bug bounties than something else that we do spend a lot of time on. So I hope I could encourage you to do that. I wanna just hand out a few thank-yous to members of our team without whom this research wouldn’t have been possible, and to a few industry experts who were kind enough to read over these slides and provide feedback, and help us hopefully not have any major gaps in our information. And then, to you for showing up in such great numbers, thank you very much! applause Herald: Wow, great talk. Thank you very much! We have five minutes for Q&A. So please line up on the microphones, and we’ll take some questions. First one! Question: Do you have any indication of how secure the systems are on the other end, where the airlines supply their fares into the entire systems? Is there any indication that those systems might be more secure than on the customer side? Or would it be easy to inject a cheap fare, e.g. by impersonating the airline with weak passwords? Karsten: Honestly, we don’t know. It was definitely on our list to research but we don’t have time for everything so we focused more on the customer privacy. But one thing that I really would want to test if I had any way of doing it: imagine the parsers for these strings.
Imagine injecting some special characters in that. I don’t know who creates these strings and maybe I don’t wanna know. But if anybody does and you could play with some SQL commands I think a lot of web sites would wake up understanding that on that front they don’t do enough security either. Herald: Okay, question from the Signal Angel? Signal Angel: A question from IRC. Recently, U.S. Customs and Border Protection started collecting social media identifiers for foreign citizens trying to enter the U.S. on a Visitor Visa. Could that information be accessible through PNRs? Karsten: That’s a good question. I don’t think it would be. From Audience: They are! Karsten: So, I… From Audience: Yes, they are! Karsten: They are in the PNR? From Audience: Yes! Karsten: Okay. laughter I would have imagined that it’s more a case like this journalist, Cyrus Farivar. He requested through FOIA disclosure all the records that the U.S. Government kept on his travelling. And he found a lot more stuff than just in the PNR. They had notes in there like “he’s a journalist”, “we had to search him extra for that”, stuff like that. So they don’t wanna write that into the PNR. But the Government keeps separate records that may be indexed by PNR, I don’t know. Herald: Okay, microphone here! Question: Can you say something about how long information will be stored in those travel systems, and whether users have a right to get them deleted? Karsten: That’s a good question. I think that differs by system. So in Amadeus records are removed pretty quickly. Days, or at most, weeks after the last flight is finally done. But in Sabre I had the impression that much older records were still in there. Which may explain why their data set is so dense. If you keep accumulating all the information. At the end of the day this is all going back to mainframe technology. So I don’t think anybody understands these algorithms any more. They just kind of work. Question: The deletion? Karsten: The deletion, yeah.
I don’t think you can request anything to be deleted. I don’t think they consider you a person that they wanna talk to. You’re not the customer! Question: Thanks! Herald: Okay, the microphone there, in the… Question: It seems that the immediate way to abuse these systems is, like you said, with abusing money, and the mileage etc. It seems that those paths are actually somehow monitored by airlines, so if I’m collecting miles and take it not under my name that would raise some flags. You think that’s not the case? Karsten: Yes, I should have been more explicit about how this attack works, the mile diversion. So, of course, you have to have an account in the same name as the person flying. So had his demo worked, he would have a PNR for a lady Carmen Sandiego. You can just go to Miles & More and create an account under that name. A lot of airlines, though, they also allow you to change your name. So you just change it whenever you found a round trip Australia ticket, you change the name to whatever that target name is. And I know for a fact that people are doing that right now, not you guys, before even. Based on Instagram photos. So people are diverting miles by creating new accounts or by keeping changing the names of the accounts. And yes, airlines do sometimes notice this but only when it becomes excessive. And sure, that’s their money. I just hope that it will become so excessive that it’s such a big problem that it can’t be ignored any more. And then the privacy issues get fixed on the same token, where privacy is never enough to convince a big company. But if you throw in a little bit of fraud it may be enough. applause Herald: Okay, one last question. Microphone here! Question: Hi Karsten! When people use like GDSs they have these really archaic… there are not even… there are like actual terminals, not even pseudo-terminals. And then they expose like these APIs for the sake of writing your code in like Java or whatever.
I’m wondering if there’s research to be done at that level? Or did you just not look at that, or is that just an area of further research? Karsten: We did, quite a bit. But we found no way of making that public in any way that wouldn’t require a login from a travel agency and all of that good stuff. So I think the most I wanna say about that is the logins that travel agencies have, they’re terribly secured. But, of course, I can’t encourage anybody to go out and hack them. But if you did and you had access you’d be logging in to something that looks like a terminal. And you’d be typing some commands. And the next thing you know it throws a Java stack trace at you. So these just look like terminals. They have moved well beyond that while still maintaining this look and feel of a mainframe. And they’re terribly insecure. So these stack traces, they just come left and right even if you try to do the right thing! laughter Question: Thanks! Herald: Okay, we have one question from the internet! Signal Angel: Somebody wants to know, how do you avoid DDoSing those services when you just brute-force the booking numbers? Karsten: A good question. Of course we don’t wanna hurt anybody, so we tried to keep the rates low. And it turns out if you throw 20 Amazon instances at them they don’t go down yet. And… laughter Herald: Okay. Thank you very much, Karsten and Nemanja! applause postroll music subtitles created by c3subtitles.de in the year 2020. Join and help us!