WEBVTT

00:00:00.000 --> 00:00:16.602
33C3 preroll music

00:00:16.602 --> 00:00:21.660
Herald: So many of us traveled to this Congress.

00:00:21.660 --> 00:00:24.870
Probably most of us. And we all took

00:00:24.870 --> 00:00:29.650
trains, or planes, or… maybe somebody

00:00:29.650 --> 00:00:33.250
drove by car. But most took trains and planes.

00:00:33.250 --> 00:00:36.870
And have you guys ever wondered about the infrastructure

00:00:36.870 --> 00:00:40.970
of those travel booking systems?

00:00:40.970 --> 00:00:45.249
Even more interesting, have you ever

00:00:45.249 --> 00:00:49.359
thought how secure those systems are?

00:00:49.359 --> 00:00:56.730
Karsten Nohl and Nemanja Nikodijevic…

00:00:56.730 --> 00:01:02.030
Karsten has a really nice record of security research.

00:01:02.030 --> 00:01:06.974
He had talks about GSM protocols

00:01:06.974 --> 00:01:11.240
and last year he had his talk about payment system abuse

00:01:11.240 --> 00:01:13.340
which was really interesting.

00:01:13.340 --> 00:01:21.079
Together with Nemanja, he will show us his research on travel booking systems.

00:01:21.079 --> 00:01:25.380
And probably we will find out how we can get home free.

00:01:25.380 --> 00:01:31.841
Please give a really, really warm welcome to Karsten and Nemanja!

00:01:31.841 --> 00:01:41.422
applause

00:01:41.422 --> 00:01:45.330
Karsten Nohl: Thank you very much! Always feels great to be back!

00:01:45.330 --> 00:01:49.970
I just today noticed that the first time I was speaking at this conference

00:01:49.970 --> 00:01:54.482
is 10 years ago. So 10 years of…

00:01:54.482 --> 00:01:59.536
applause … thank you.

00:01:59.536 --> 00:02:04.549
10 years of looking at 10 different legacy systems and finding vulnerabilities

00:02:04.549 --> 00:02:10.788
in all of them, so far. A lot of them were around RFIDs, or mobile protocols.


00:02:10.788 --> 00:02:14.613
This time we’re looking at something completely different, travel booking

00:02:14.613 --> 00:02:18.929
systems. And vulnerabilities in there.

00:02:18.929 --> 00:02:23.154
Relative to some of the other talks we’ve been giving, this will have less ‘hacking’

00:02:23.154 --> 00:02:28.803
in it. Not because we lost our interest in hacking but because much less hacking

00:02:28.803 --> 00:02:32.317
was actually needed to exploit vulnerabilities here. laughter

00:02:32.317 --> 00:02:36.758
So, sorry for that if you expected a lot of hacking. There’ll be a little bit,

00:02:36.758 --> 00:02:41.934
that’s why Nemanja is here, but a little bit less than usual. So we’re

00:02:41.934 --> 00:02:48.136
talking about travel systems. And there are 3 main players, or actors

00:02:48.136 --> 00:02:53.334
in the commercial travel world. There are those people who provide travelling,

00:02:53.334 --> 00:02:59.103
airlines and hotels. There’s those people who help you book them, Expedia,

00:02:59.103 --> 00:03:04.187
websites like that or traditional travel agencies. And then there’s brokers

00:03:04.187 --> 00:03:10.084
who make sure that whatever is available can be booked through those agents.

00:03:10.084 --> 00:03:15.450
So those are really the backbone of travel systems but you don’t really think

00:03:15.450 --> 00:03:19.376
about them much, or at least I didn’t before looking into this research.

00:03:19.376 --> 00:03:25.970
The systems are very useful, as global systems. In fact, they’re called “global

00:03:25.970 --> 00:03:30.254
distribution systems”. And that tells you how old they are. This is before

00:03:30.254 --> 00:03:34.204
the internet was there. They go back to the 80s and 70s. So there was only

00:03:34.204 --> 00:03:38.304
one system that deserved the name of a global distribution system of,

00:03:38.304 --> 00:03:43.032
in this case, data. And this was travel system.
So it makes sense

00:03:43.032 --> 00:03:48.090
to have these systems because, of course, one seat on an airplane shouldn’t be sold

00:03:48.090 --> 00:03:51.282
multiple times, so there needs to be a global inventory somewhere.

00:03:51.282 --> 00:03:55.799
Also all airlines should be using just a few systems so that they can do

00:03:55.799 --> 00:04:00.158
'codeshare agreements', e.g. so that, again, the same seats on a flight

00:04:00.158 --> 00:04:05.458
aren’t booked multiple times. And, consequently, these booking systems,

00:04:05.458 --> 00:04:13.110
they maintain three types of information. The first one, you are probably most

00:04:13.110 --> 00:04:19.380
aware of, are the prices. Airlines will put their price lists into these systems

00:04:19.380 --> 00:04:23.960
for booking sites to fetch. They’re called ‘fares’ in the travel world.

00:04:23.960 --> 00:04:28.639
The next important data item in there is ‘availability’. So not everything can be

00:04:28.639 --> 00:04:33.290
booked that has a price. There needs to be a seat available at a certain booking class.

00:04:33.290 --> 00:04:37.805
And, finally, when somebody does find an available seat to a fare that they want

00:04:37.805 --> 00:04:42.050
to purchase that is then converted into a ‘reservation’. So this is after the seat

00:04:42.050 --> 00:04:48.770
is taken. You may have seen some of this information before on travel web sites.

00:04:48.770 --> 00:04:54.663
Let me just show you the one that I like to use the most. The ‘ita matrix’ has

00:04:54.663 --> 00:04:57.933
been bought by Google a few years ago. So you can’t actually book through

00:04:57.933 --> 00:05:03.340
here any more. But they maintain the interface for whatever reason. And so,

00:05:03.340 --> 00:05:07.170
let’s say you search for a flight to San Francisco from here, at the end

00:05:07.170 --> 00:05:13.650
of the year.
This, like any other web site, will give you plenty of options

00:05:13.650 --> 00:05:19.500
from the different airlines. What’s different for this web site is that

00:05:19.500 --> 00:05:25.309
they give you a lot more details, if you know where to click.

00:05:25.309 --> 00:05:31.042
So the cheapest flight, really cheap actually, 325 bucks to go to San Francisco

00:05:31.042 --> 00:05:37.240
for New Year’s, a one-way trip, and what I like on this web site is the rules.

00:05:37.240 --> 00:05:42.983
So this is real data, that is kept in one of these GDS systems. And this already

00:05:42.983 --> 00:05:50.019
looks like the 70s, right? laughter This would usually be shown on a terminal,

00:05:50.019 --> 00:05:54.520
maybe green font on black background, and somebody would read through here,

00:05:54.520 --> 00:05:59.373
and I would say, okay, so you wanna book for a certain day, it’s okay, the dates

00:05:59.373 --> 00:06:05.550
match, you wanna go on TAP (TP) – Portugal Airlines – so okay, that matches,

00:06:05.550 --> 00:06:10.490
and you could also take a few other airlines, and then you have to meet

00:06:10.490 --> 00:06:16.982
certain other restrictions, e.g. you can stop over here. So this flight goes

00:06:16.982 --> 00:06:20.310
through Lisbon, you can stay in Lisbon for up to 84 hours before flying on

00:06:20.310 --> 00:06:26.399
to the U.S. That’d be nice. And then it has all these other rules in here,

00:06:26.399 --> 00:06:30.500
e.g. you can not cancel this ticket, right? It’s non-refundable. But you

00:06:30.500 --> 00:06:36.340
can change it for a fee. And this goes on and on and on. For just a single fare,

00:06:36.340 --> 00:06:41.638
and there’s, of course, tens of thousands of fares available. Now this, you may be

00:06:41.638 --> 00:06:45.274
surprised to hear, is the only form in which these fares are available. There

00:06:45.274 --> 00:06:49.477
isn’t an XML, there isn’t a web service, this is how the airlines publish them.


00:06:49.477 --> 00:06:52.980
And then a web site like Expedia, they have to write a parser for it to be able

00:06:52.980 --> 00:06:59.240
to present flight options to you. You may have noticed if you tried to change

00:06:59.240 --> 00:07:03.570
or cancel flights they often don’t allow that on web sites. Expedia e.g. doesn’t,

00:07:03.570 --> 00:07:06.459
you have to call them. And if you call them they say: “Give me a moment,

00:07:06.459 --> 00:07:10.890
I have to read through the fare rules.” So in that case they just didn’t parse

00:07:10.890 --> 00:07:19.330
all this information. That’s the first thing that’s kept in these… or maintained

00:07:19.330 --> 00:07:25.460
in these large GDS, the booking systems: the fares. The other thing is

00:07:25.460 --> 00:07:29.337
the availability. That’s a little bit harder to access through public web sites.

00:07:29.337 --> 00:07:36.651
Expert Flyer is probably the best one to use. And availability is important.

00:07:36.651 --> 00:07:40.772
If you actually wanted to fly to San Francisco now for New Year’s

00:07:40.772 --> 00:07:45.571
we looked at the fare, well, this is Booking Class 'O', this is

00:07:45.571 --> 00:07:49.569
always the first letter. And then, if you look at the availability for Booking Class

00:07:49.569 --> 00:07:54.599
'O', unfortunately it says ‘C’ for ‘closed’. So they don’t accept any more bookings.

00:07:54.599 --> 00:07:58.069
So just because there’s a price available doesn’t mean that anybody can actually

00:07:58.069 --> 00:08:03.430
book this flight. And, again, somebody like Expedia would have to now combine all

00:08:03.430 --> 00:08:07.800
of these different pieces of information to present a list of flight options for you.

00:08:07.800 --> 00:08:12.669
So let’s assume they did that and you did book something. Then, the third data item

00:08:12.669 --> 00:08:18.195
is created in one of these GDS. And that’s the 'passenger name record', PNR.


00:08:18.195 --> 00:08:24.890
And that looks something like this. Again, you’ll notice the same 70s and 80s style.

00:08:24.890 --> 00:08:30.638
With lots of private information. Ed Hasbrouck - he is a

00:08:30.638 --> 00:08:36.368
privacy advocate in the U.S., probably the loudest voice to ask for more

00:08:36.368 --> 00:08:39.180
privacy around travel booking and he was kind enough to make

00:08:39.180 --> 00:08:44.214
this available on his web site, for all to see what information is kept. So,

00:08:44.214 --> 00:08:47.940
contact information, of course, things like e-mail. This one shows you again

00:08:47.940 --> 00:08:53.462
how old these systems are. So they don’t have the ‘@’ character! This is

00:08:53.462 --> 00:08:58.112
using a character set from punch cards! And on a punch card you had 6 possible

00:08:58.112 --> 00:09:02.301
punches per character. So everything here needs to be encoded with a 6-bit character.

00:09:02.301 --> 00:09:07.950
And there’s no space for ‘@’. So all ancient stuff. But still, a possible

00:09:07.950 --> 00:09:12.710
privacy hazard, right? You wouldn’t want anybody to access this kind of information

00:09:12.710 --> 00:09:20.780
about yourself. The three main players who run GDSs – Amadeus, mostly in Europe,

00:09:20.780 --> 00:09:25.197
Sabre, mostly in the US, and then there’s Galileo that merged with a few other

00:09:25.197 --> 00:09:29.760
things into ‘Travelport’. And Galileo isn’t really so much used by airlines

00:09:29.760 --> 00:09:36.259
but it’s more used by travel agencies. And then, often, multiple of these systems

00:09:36.259 --> 00:09:40.160
they’re involved in the booking. So let’s say you go through Expedia and you book

00:09:40.160 --> 00:09:47.260
an American Airlines flight, the PNR has to be kept in Amadeus as well as Sabre.

00:09:47.260 --> 00:09:51.470
So there’s two copies here.
Or let’s say you go through a travel agency that’s

00:09:51.470 --> 00:09:55.450
connected to Galileo, and you book a flight that has both Lufthansa and

00:09:55.450 --> 00:09:59.420
Aeroflot segments, it would be kept in all three of them. So this is lots of

00:09:59.420 --> 00:10:06.375
redundancy depending on where your flight segments and booking agents come from.

00:10:06.375 --> 00:10:11.150
But suffice it to say there are three big companies, who apparently hold on to the

00:10:11.150 --> 00:10:15.340
private information of all travelers. Hundreds of millions of records

00:10:15.340 --> 00:10:21.250
for each of those systems. And we wanted to find out whether they can sufficiently

00:10:21.250 --> 00:10:25.730
protect this information. And there’s, of course, reasons to believe that they can’t.

00:10:25.730 --> 00:10:31.330
This is very old technology and it’s unclear whether they ever did any major

00:10:31.330 --> 00:10:35.890
security upgrades. But at the same time there’s reasons to believe that they

00:10:35.890 --> 00:10:42.985
are very well secured because this PNR data, this very information about travelers

00:10:42.985 --> 00:10:47.412
that has been disputed between different governments for a long time, in particular

00:10:47.412 --> 00:10:51.630
the U.S. Government, and asking for more and more information since 9/11 in

00:10:51.630 --> 00:10:56.350
multiple waves, and the E.U. governments that say: “No, you can’t have more

00:10:56.350 --> 00:11:01.569
information than you absolutely need.” So they agree politically that, yes, the U.S.

00:11:01.569 --> 00:11:05.634
can get information on those travelers going to the U.S. but only certain data

00:11:05.634 --> 00:11:08.990
fields, and have to delete them after a few years. So this was years

00:11:08.990 --> 00:11:14.730
of negotiation.
And you’d imagine that the systems at the forefront of this dispute

00:11:14.730 --> 00:11:21.212
they’d be secure enough that, let’s say, we couldn’t access that same information

00:11:21.212 --> 00:11:26.440
that even the U.S. Government is supposed to not access. So we set out to answer

00:11:26.440 --> 00:11:33.970
this simple question: do these GDSs, do they have normal, basic security?

00:11:33.970 --> 00:11:39.990
Do they constrain access, do they authenticate users well, do they protect

00:11:39.990 --> 00:11:46.419
through rate limiting from web attacks, and do they log to be able to detect any

00:11:46.419 --> 00:11:51.841
possible type of abuse? We’ll go through each of them to see where those systems

00:11:51.841 --> 00:11:57.193
stand. Let’s start with access control. And this is just drawing

00:11:57.193 --> 00:12:02.000
from public sources, so, again, Ed Hasbrouck, this privacy advocate

00:12:02.000 --> 00:12:09.489
in California, he has been the loudest voice here, saying, there’s overreach by a

00:12:09.489 --> 00:12:15.720
lot of players already accessing PNR information. So e.g. if you have a booking,

00:12:15.720 --> 00:12:20.604
let’s say a flight booking, anybody who works at this airline can access

00:12:20.604 --> 00:12:24.641
your information. But then, if you add, let’s say, a car reservation to the same

00:12:24.641 --> 00:12:28.860
booking, anybody who works at the car rental company can also access

00:12:28.860 --> 00:12:35.630
let’s say the flight information. And any agent at the booking agency

00:12:35.630 --> 00:12:39.903
that you use can access all of this information. And if you keep adding

00:12:39.903 --> 00:12:43.630
information all of these people still have access to it. That’s just how these

00:12:43.630 --> 00:12:49.360
systems grew over time, but that’s a first indication to me that this certainly

00:12:49.361 --> 00:12:54.711
wasn’t built with modern security in mind.
Most concerningly

00:12:54.711 --> 00:13:01.110
the people working at or for the GDS companies, they have access to everything,

00:13:01.110 --> 00:13:05.140
absolutely everything. Including their support staff, as far as I understand.

00:13:05.140 --> 00:13:09.030
So these are external companies that help debug the system, and they

00:13:09.030 --> 00:13:15.253
have access to hundreds of millions of people’s private information.

00:13:15.253 --> 00:13:20.034
So way too many people have access to way too much information, e.g. if you

00:13:20.034 --> 00:13:24.200
did an online booking your IP address is stored there, basically forever,

00:13:24.200 --> 00:13:28.570
well, until the flight is over. But any of these people can now access your

00:13:28.570 --> 00:13:33.252
IP address, your e-mail address, phone number and all of this.

00:13:33.252 --> 00:13:37.896
So definitely that doesn’t seem to be fine-grained access control. But,

00:13:37.896 --> 00:13:42.886
as I said earlier, this has been known for a long time and criticized a lot.

00:13:42.886 --> 00:13:49.366
Not acted on, though, yet! How about authentication? The picture is actually

00:13:49.366 --> 00:13:53.820
even worse for authentication. And I want to distinguish two different cases here.

00:13:53.820 --> 00:13:57.690
I wanna distinguish professionals accessing records, so people working

00:13:57.690 --> 00:14:02.230
at travel agencies and airlines. And, as a second case I wanna distinguish

00:14:02.230 --> 00:14:06.110
travelers accessing their own records, like when you check in online e.g.,

00:14:06.110 --> 00:14:11.750
you access your own record. Professionals, the way they access it, typically, is that

00:14:11.750 --> 00:14:16.530
their agency is connected to one of these GDSs through basically one account.

00:14:16.530 --> 00:14:20.980
So an entire agency system, or at least an entire location uses one account.


00:14:20.980 --> 00:14:25.350
So years ago somebody typed in some user name and password, and then it’s long been

00:14:25.350 --> 00:14:30.250
forgotten because locally they use a different access management.

00:14:30.250 --> 00:14:34.890
A few travel agencies were kind enough to help us in this research, and their access

00:14:34.890 --> 00:14:39.470
credentials, we saw them using, they’re just terrible. E.g. for one of the big

00:14:39.470 --> 00:14:44.365
systems that I won’t name you need the agent ID, so that you can get pretty

00:14:44.365 --> 00:14:48.870
easily. And then a password for the web service, so of the modern way of accessing,

00:14:48.870 --> 00:14:54.791
this is WS for web service and the date on which the password was created.

00:14:54.791 --> 00:14:58.960
So even if you have to brute-force 20 years, how many possible dates

00:14:58.960 --> 00:15:05.440
does a single year have? Times 20. This is ridiculously low entropy for an account

00:15:05.440 --> 00:15:12.535
that is supposed to protect information of millions of people, if not more.

00:15:12.535 --> 00:15:16.414
This is the best authenticator that we found in these systems!

00:15:16.414 --> 00:15:19.210
laughter

00:15:19.210 --> 00:15:24.486
It gets worse with travelers accessing their own information. Because there

00:15:24.486 --> 00:15:27.600
they just simply forgot to give you a password, not even a terrible password

00:15:27.600 --> 00:15:33.090
like this; there just isn’t one. And what they use instead is the booking code,

00:15:33.090 --> 00:15:37.120
‘PNR locator’ it is sometimes called. I call it booking code.

00:15:37.120 --> 00:15:42.237
It’s a six-digit code. When you check in online you need that code.

00:15:42.237 --> 00:15:46.640
And you only need that code and your last name. So you’d imagine that,

00:15:46.640 --> 00:15:51.810
if they treat it as a password equivalent then they would keep it secret

00:15:51.810 --> 00:15:56.630
like a password.
Only – they don’t, but rather print it on every piece

00:15:56.630 --> 00:16:00.940
that you get from the airline, e.g. on every piece of luggage you have

00:16:00.940 --> 00:16:07.390
your last name and a six-digit code. On your boarding pass –

00:16:07.390 --> 00:16:11.433
it used to be there, and then it disappeared and then these barcodes

00:16:11.433 --> 00:16:15.198
showed up. So it’s inside the barcode. If you decode the barcode there is

00:16:15.198 --> 00:16:20.320
your PNR in there. I erased it here, this is still for a valid booking.

00:16:20.320 --> 00:16:23.968
laughter

00:16:23.968 --> 00:16:30.910
So, you have these six-digit codes printed everywhere and you can just find them

00:16:30.910 --> 00:16:36.491
on pieces of scrap at the airport. Certainly these tags you find all over,

00:16:36.491 --> 00:16:39.700
but also people throwing away their boarding passes when they’re done.

00:16:39.700 --> 00:16:44.555
And this is supposed to be the only way of authenticating users. And we’ll

00:16:44.555 --> 00:16:51.240
show you in a minute what kind of abuse is possible through that.

00:16:51.240 --> 00:16:56.190
But let’s first think about where else you could be able to find these PNR codes.

00:16:56.190 --> 00:17:00.930
Could it get any worse than somebody printing your password on a piece of paper

00:17:00.930 --> 00:17:04.650
that you throw away at the end of your journey? Of course the internet can make

00:17:04.650 --> 00:17:11.050
it worse! And what better technology to worsen the security problem than

00:17:11.050 --> 00:17:28.390
Instagram? So on Instagram… laughter and applause

00:17:28.390 --> 00:17:33.550
So you got all these bookings. And, in fact, there was one guy here, you see, he

00:17:33.550 --> 00:17:38.580
actually erased the information. But for one who knows what’s up, everywhere,

00:17:38.580 --> 00:17:43.240
there’s a hundred who don’t. And this is really all information you need.


00:17:43.240 --> 00:17:47.860
I saw a Lufthansa one just now, where was that? – Here.

00:17:47.860 --> 00:17:59.190
So here is a Lufthansa one. This is from today, posted by markycz at Frankfurt.

00:17:59.190 --> 00:18:04.370
This is really all you need to get somebody’s…

00:18:04.370 --> 00:18:15.114
laughter and applause

00:18:15.114 --> 00:18:17.410
Let’s see if this works. Yeah, sure enough. So.

00:18:17.410 --> 00:18:18.590
laughter

00:18:18.590 --> 00:18:24.550
'Marky M.' on Instagram is apparently Marketa Mottlova

00:18:24.550 --> 00:18:28.160
and this is her booking reference.

00:18:28.160 --> 00:18:33.280
laughter

00:18:33.280 --> 00:18:37.050
I was debating whether or not to show this but you guys are gonna do it anyway

00:18:37.050 --> 00:18:40.900
when I’m done with this talk. laughter

00:18:49.242 --> 00:19:01.600
cheers and applause

00:19:01.600 --> 00:19:06.960
So a flight today from Munich to Frankfurt and then, on to Seattle.

00:19:06.960 --> 00:19:11.670
Let me point out one thing here.

00:19:11.670 --> 00:19:15.260
Where did I see the ticket number?

00:19:15.260 --> 00:19:23.040
off camera mumbling on stage

00:19:23.040 --> 00:19:32.555
Just use mine!

00:19:32.555 --> 00:19:38.740
It’s AndroidAPKN Oops.

00:19:38.740 --> 00:19:50.080
And then let me write down the password.

00:19:50.080 --> 00:19:57.060
Okay. Alright.

00:19:57.060 --> 00:20:02.000
So what I wanted to point out is that this isn’t even a Lufthansa ticket.

00:20:02.000 --> 00:20:08.830
So she checked in with Lufthansa in Frankfurt. But if you look at the

00:20:08.830 --> 00:20:14.950
ticket number, 016, that’s a United [Airlines] ticket. And it also includes

00:20:14.950 --> 00:20:19.950
flights on Alaska Airlines e.g. So any of these airlines have

00:20:19.950 --> 00:20:27.230
full access to this PNR. And many of them will just grant people access to it

00:20:27.230 --> 00:20:32.860
if they know the PNR and the last name.
As Nemanja will show in a minute,

00:20:32.860 --> 00:20:38.570
even if they don’t know that yet. So...

00:20:38.570 --> 00:20:43.200
To recap for the moment: airlines give you a six-digit password that they print

00:20:43.200 --> 00:20:50.470
on all kinds of pieces of paper and that you will post on Instagram.

00:20:50.470 --> 00:20:54.690
Why shouldn’t you, everybody else does, too, apparently. 75,000 people at least

00:20:54.690 --> 00:20:59.650
over the last couple of weeks. So the authentication model here is

00:20:59.650 --> 00:21:05.420
severely broken, too. And what kind of abuse arises from this?

00:21:05.420 --> 00:21:10.180
Of course, you can now use this PNR, log in on Lufthansa as I have just done

00:21:10.180 --> 00:21:15.950
or a more generic web site, like Checkmytrip and look up people’s

00:21:15.950 --> 00:21:19.040
contact information at the very least. So there’s always an email address

00:21:19.040 --> 00:21:23.620
in there. There’s usually a phone number in there. If in Lufthansa you click on

00:21:23.620 --> 00:21:29.200
“I wanna change my booking” probably they’ll ask you for your payment information

00:21:29.200 --> 00:21:32.910
and pre-fill the postal address for that. So you get somebody’s postal address

00:21:32.910 --> 00:21:38.320
that they used for the booking, passport information, visa information. If you

00:21:38.320 --> 00:21:41.520
travel to the U.S. as she does there’s definitely passport information

00:21:41.520 --> 00:21:48.610
in the PNR. All of this information is now readily accessible. Now so far

00:21:48.610 --> 00:21:53.120
there was zero hacking involved. That’s why we have Nemanja here who will

00:21:53.120 --> 00:22:00.190
show you some actual hacking to get even deeper into these systems.

00:22:00.190 --> 00:22:03.230
Can we switch the screen?


00:22:03.230 --> 00:22:09.560
Nemanja Nikodijevic: So when… laughter

00:22:09.560 --> 00:22:18.590
When we started this research we needed to find lots of these booking numbers

00:22:18.590 --> 00:22:24.600
to see if there is some relation between them. So luckily we didn’t have to

00:22:24.600 --> 00:22:28.960
make any bookings that we had to pay because there are web sites like this one

00:22:28.960 --> 00:22:33.270
where you can just make a booking and pay it later but you get

00:22:33.270 --> 00:22:39.490
the booking reference number at the time. So let’s make some very normal

00:22:39.490 --> 00:22:45.786
German name… laughter ..looking for someone from Germany.

00:22:45.786 --> 00:22:52.550
Actually they check the phone number, so it has to follow a certain form.

00:22:52.550 --> 00:22:59.968
Let’s find Germany… from Berlin,

00:22:59.968 --> 00:23:04.435
1234567. laughter

00:23:04.435 --> 00:23:09.390
And then ‘hans@sandiego.com’.

00:23:09.390 --> 00:23:14.940
As you can see I tried quite some… laughter

00:23:14.940 --> 00:23:19.950
So for this one we already got our booking reference number

00:23:19.950 --> 00:23:28.584
which is Y56HOY. And this one, in a minute.

00:23:28.584 --> 00:23:33.340
Okay, we have to wait a bit. Y5LCF4. So if you notice

00:23:33.340 --> 00:23:39.110
they are very close to each other, so they both start with Y5 which means

00:23:39.110 --> 00:23:44.160
that they were booked on the same day. Probably because one is on Lufthansa,

00:23:44.160 --> 00:23:49.560
the other one is on Air Berlin, there is a slight difference. They are not exactly

00:23:49.560 --> 00:23:53.160
sequential. But we can say that they are concentrated in a certain range

00:23:53.160 --> 00:23:58.410
for a certain day. What we can do now is

00:23:58.410 --> 00:24:03.910
we can go to one of our servers. At first

00:24:03.910 --> 00:24:08.380
we have to check if checkmytrip works

00:24:08.380 --> 00:24:12.840
because I had some issues with the network.


00:24:12.840 --> 00:24:17.510
That’s… ooh! laughter

00:24:17.510 --> 00:24:22.260
This is a bit unexpected. We will have to skip this part

00:24:22.260 --> 00:24:28.210
where we actually look for Carmen Sandiego in one of our bookings.

00:24:28.210 --> 00:24:29.210
But…

00:24:29.210 --> 00:24:32.990
Karsten: Well, this is a side effect of responsible disclosure. So you tell

00:24:32.990 --> 00:24:37.881
a company that on this day you’ll do that thing to that web site, and they just

00:24:37.881 --> 00:24:41.580
either block the IP ranges here or just took down the web site which they

00:24:41.580 --> 00:24:48.430
have done a few times before. What you can do is… – say it again!!

00:24:48.430 --> 00:24:52.590
From audience: Can you test the hot spot?

00:24:52.590 --> 00:24:56.880
Karsten: Actually, I think the whole web site is turned off.

00:24:56.880 --> 00:25:03.710
Nemanja: What we can demonstrate, I think, is that if we go with this booking number,

00:25:03.710 --> 00:25:10.309
to Air Berlin web site, and then type last name, “Mueller”.

00:25:10.309 --> 00:25:16.850
And actually, because it’s six-bit encoding it has to be “UE”, no Umlauts

00:25:16.850 --> 00:25:27.263
allowed. So, “Select all the food!” laughter and applause

00:25:27.263 --> 00:25:29.353
Let’s see if we can find this flight.

00:25:29.353 --> 00:25:32.420
Karsten: The part of the demo that you didn’t show is just brute-forcing

00:25:32.420 --> 00:25:37.440
these ranges. If you know which ranges are used in a day you can try them all.

00:25:37.440 --> 00:25:44.590
Or at least we did many times. That would then, in theory, give you access

00:25:44.590 --> 00:25:48.360
to all of this. And not just in theory, in practice, unless they take down their

00:25:48.360 --> 00:25:52.592
entire web site which they knew we were gonna use for this demo.


00:25:52.592 --> 00:25:58.270
Nemanja: But on this, for example, if we caught that flight that we wanted to catch…

00:25:58.270 --> 00:26:05.670
Karsten: We’ll show it later. But at least the first win for privacy: no information

00:26:05.670 --> 00:26:09.690
is leaked through this web site for the rest of this talk, at least!

00:26:09.690 --> 00:26:12.300
laughter and applause

00:26:12.300 --> 00:26:21.010
Can we switch back to the other screen? ongoing applause

00:26:21.010 --> 00:26:24.870
One thing that you would have noticed had this not just been a flight reservation

00:26:24.870 --> 00:26:29.390
but an actual ticket: it would have given you options to rebook it,

00:26:29.390 --> 00:26:34.250
to add a frequent flyer number, all of that good stuff. So what’s the abuse potential

00:26:34.250 --> 00:26:38.850
here? So far we’ve only talked about privacy intrusion. And privacy intrusion

00:26:38.850 --> 00:26:43.130
is bad enough. Imagine somebody is snapping a picture of your luggage,

00:26:43.130 --> 00:26:48.320
that person has your email address and your phone number, right there, right then.

00:26:48.320 --> 00:26:55.559
But the abuse potential goes much beyond that. For instance, you can fly for free!

00:26:55.559 --> 00:26:59.540
You can fly for free using different methods. You can find somebody else’s

00:26:59.540 --> 00:27:04.120
booking and just change the date. The ticket… in fact, we can show it

00:27:04.120 --> 00:27:09.740
a little bit later. We had prepared for this demo that we are going to find

00:27:09.740 --> 00:27:13.200
through a little bit of brute-force that’s a flexible ticket. So you can just change

00:27:13.200 --> 00:27:16.890
the date, and change the email address. You just take that flight yourself.

00:27:16.890 --> 00:27:22.770
And as the airline checks… compares the ticket and your passport – oftentimes

00:27:22.770 --> 00:27:26.110
they do it visually.
What they’ll do is they’ll send you a PDF, you change

00:27:26.110 --> 00:27:31.760
the name, you take it anyway. But at least in Schengen, in the EU, people don’t even

00:27:31.760 --> 00:27:38.450
do that. Let’s say you wanted to take it in your name. You can,

00:27:38.450 --> 00:27:43.100
depending on the airline, call them up or even use their web sites to cancel

00:27:43.100 --> 00:27:48.900
the ticket, and then issue a refund to you inside the PNR, and then use the money

00:27:48.900 --> 00:27:54.600
that’s freed up there to book a new ticket. Some airlines also give you

00:27:54.600 --> 00:28:01.370
MCOs – miscellaneous charges orders. Americans will know this very well,

00:28:01.370 --> 00:28:05.760
every time you get bumped from a flight they give you an MCO, “sorry, we can’t

00:28:05.760 --> 00:28:09.420
fly you home today, you’ll have to go tomorrow, but here is $1,000 towards

00:28:09.420 --> 00:28:17.309
a new ticket”. It’s real airline cash. And those same MCOs you can issue

00:28:17.309 --> 00:28:21.059
based on flight cancellation. So you cancel somebody else’s ticket and you get

00:28:21.059 --> 00:28:26.090
airline money to book your own ticket. And, again, there are no passwords

00:28:26.090 --> 00:28:30.960
involved. The only authenticator is this six-digit sequence that people post

00:28:30.960 --> 00:28:36.480
on Instagram, print on their boarding passes and that Nemanja should be able

00:28:36.480 --> 00:28:42.270
to brute-force on their web sites. What else can you do, once you have somebody’s

00:28:42.270 --> 00:28:47.820
PNR? You can change or add a mile number. And some tickets are really attractive

00:28:47.820 --> 00:28:54.880
for mile collection. Take a round trip to Australia in 1st class, get 60,000 miles

00:28:54.880 --> 00:29:01.870
right there, for one round trip, for one PNR. And that will get you a sweet, free

00:29:01.870 --> 00:29:11.280
flight to somewhere nice, or even some voucher for online and offline shopping.

00:29:11.280 --> 00:29:17.779 One website that I wish was still working is, of course, this one. 00:29:17.779 --> 00:29:20.439 laughter 00:29:20.439 --> 00:29:26.602 But they shut down business, apparently. Unrelated to this talk. 00:29:26.602 --> 00:29:30.070 laughter and single claps 00:29:30.070 --> 00:29:36.740 So you have access to somebody’s PNR, you can not just stalk them but change 00:29:36.740 --> 00:29:44.260 their flights or – which may trigger some curiosity – that flight can be taken twice. 00:29:44.260 --> 00:29:48.840 But you can very stealthily add your mile number everywhere, well, a new mile number 00:29:48.840 --> 00:29:57.400 matching that name to collect those sweet miles. Now, are all airlines affected 00:29:57.400 --> 00:30:03.267 by that? The demo that we didn’t get to show brute-forced for one last name, 00:30:03.267 --> 00:30:10.250 Sandiego, all the PNRs for a day. And it quickly found, in fact, a bunch of records. 00:30:10.250 --> 00:30:15.080 There’s not just one Sandiego flying that day. But in some airlines they’re 00:30:15.080 --> 00:30:19.050 a little bit smarter. For instance American Airlines, the largest airline in the world, 00:30:19.050 --> 00:30:24.790 they don’t just want the last name but also the first name. And if you’re 00:30:24.790 --> 00:30:28.150 interested in one specific person, let’s say ‘Carmen Sandiego’, you would still 00:30:28.150 --> 00:30:32.920 find that person. But if you want to conduct fraud that becomes a little bit 00:30:32.920 --> 00:30:39.580 more tricky. A fraudster would just pick a random, very popular last name and 00:30:39.580 --> 00:30:45.610 brute-force PNRs there. And that becomes more difficult if also you have to guess 00:30:45.610 --> 00:30:51.990 a first name. However, even American Airlines, those records can be accessed 00:30:51.990 --> 00:30:57.200 through other web sites. 
For instance Viewtrip, this is another generic web site like this 00:30:57.200 --> 00:31:02.050 infamous Checkmytrip that just went offline. And Viewtrip allows you 00:31:02.050 --> 00:31:08.880 to brute-force by just last name and PNR, again. So there’s multiple ways to access 00:31:08.880 --> 00:31:13.570 the same information. Some of which are more secured than others. And, of course, 00:31:13.570 --> 00:31:18.831 only the weakest link mattered. So Viewtrip, what they would say is 00:31:18.831 --> 00:31:24.549 they found the record and they can’t give you access to the information but then 00:31:24.549 --> 00:31:29.090 TripCase will which, again, takes only last name and reservation number. 00:31:29.090 --> 00:31:32.980 And they will tell you the first name also that then you can type in to 00:31:32.980 --> 00:31:34.960 the American Airlines web site again laughter 00:31:34.960 --> 00:31:42.559 to change the booking, let’s say. So there’s all these different ways to access 00:31:42.559 --> 00:31:47.920 a person’s information here. And everybody is slightly different. So let’s look at the 00:31:47.920 --> 00:31:55.830 entire universe of travel web sites, starting with just three big travel providers. 00:31:55.830 --> 00:32:02.950 Each of them uses six-digit booking codes. But they use these six digits rather 00:32:02.950 --> 00:32:08.250 differently. Sabre e.g. they don’t use any numbers which of course severely impacts 00:32:08.250 --> 00:32:16.530 the entropy. But then others, e.g. Amadeus, they don’t use 1 and 0, because that could 00:32:16.530 --> 00:32:23.860 be confused with i and o, and then Galileo drops a few other characters. So 00:32:23.860 --> 00:32:27.950 at the end of the day none of them really used the entropy of even a six-digit 00:32:27.950 --> 00:32:34.490 pass code. All of them are in entropy lower than a randomly chosen 5-digit 00:32:34.490 --> 00:32:38.410 password. And we will never recommend anybody to use a 5-digit password, right? 
00:32:38.410 --> 00:32:44.030 So this is strictly worse. And what makes it even worse, at least for 00:32:44.030 --> 00:32:47.910 privacy-intruding attacks, is the sequential nature of these bookings. 00:32:47.910 --> 00:32:53.181 You saw the two that Nemanja just now generated. Both of them were from 00:32:53.181 --> 00:32:57.930 the same, very small subset. So if you just wanted to know all the bookings 00:32:57.930 --> 00:33:01.820 that a person did today, you can brute-force this in 10 minutes 00:33:01.820 --> 00:33:06.900 with a few computers running in parallel. It’s not so easy on Sabre because 00:33:06.900 --> 00:33:12.160 they seem to be chosen more randomly. However, Sabre has the lowest entropy, 00:33:12.160 --> 00:33:18.460 so if you just randomly want to find bookings for popular last names Sabre is 00:33:18.460 --> 00:33:27.410 your system of choice. They’re all weak, but the weaknesses differ in shades of grey 00:33:27.410 --> 00:33:31.610 for this privacy intruding and for the financial fraud-type attacks. 00:33:31.610 --> 00:33:37.390 As one example, though, of how easy it is to find these booking codes, if you 00:33:37.390 --> 00:33:45.030 look up 1,000 just randomly chosen booking codes in Sabre for the last name ‘Smith’ 00:33:45.030 --> 00:33:50.970 five will come back with current bookings. So half a percent of the entire name space 00:33:50.970 --> 00:33:55.900 is filled with current bookings for people called ‘Smith’! Now, add in all the other 00:33:55.900 --> 00:34:01.670 last names, their name space must be pretty damn full. And it’s only 300 million 00:34:01.670 --> 00:34:05.549 records if you calculate the entropy. So it looks like almost every record 00:34:05.549 --> 00:34:09.650 is used up and they’re running out of space. So they’ll have to fix this anyway 00:34:09.650 --> 00:34:14.580 at some point. But that, of course, makes it all the easier to randomly find and 00:34:14.580 --> 00:34:22.409 abuse other people’s bookings. 
Each of those providers runs a website 00:34:22.409 --> 00:34:26.239 that allows you to access all the PNRs in their system if you know the PNR and 00:34:26.239 --> 00:34:31.540 the last name. And one German reporter writing about this, he calls the 00:34:31.540 --> 00:34:38.280 websites that you didn’t know existed, that you have no use for but that, anyway, 00:34:38.280 --> 00:34:43.510 put your privacy at risk. So there doesn’t seem to be any up side to these web sites. 00:34:43.510 --> 00:34:47.590 I certainly don’t need to use them but they’re there, and they’re bad. 00:34:47.590 --> 00:34:52.469 Because when we did the research none of them had any protection from brute-forcing 00:34:52.469 --> 00:34:56.599 meaning we could try 100,000, even millions of different combinations 00:34:56.599 --> 00:35:01.869 – PNR and last name – and those websites wouldn’t complain even a bit. 00:35:01.869 --> 00:35:09.390 We did expose Amadeus to way more queries than the others and at some point 00:35:09.390 --> 00:35:13.040 they did notice, maybe also because some reporters just asked them for comments 00:35:13.040 --> 00:35:19.480 on the research. They have tried to improve. So the classic checkmytrip.com 00:35:19.480 --> 00:35:24.090 website that was just killed a few days ago – R.I.P., thank you, it’s gone, 00:35:24.090 --> 00:35:29.780 50% of the problem solved. But the other website, that was still around up until 00:35:29.780 --> 00:35:35.710 literally half an hour ago. What they did over the last couple of days was, 00:35:35.710 --> 00:35:41.390 they added a captcha. But the captcha gave you a cookie. And the cookie you could 00:35:41.390 --> 00:35:45.890 again use for an indefinite number of queries. laughter 00:35:45.890 --> 00:35:51.840 It’s a company that just hasn’t done web security before. But then they also 00:35:51.840 --> 00:35:56.820 limited the number of requests per IP address. 
Now, we do this from Amazon, 00:35:56.820 --> 00:36:01.920 so it’s not so difficult to spawn new IP addresses, but still… it severely 00:36:01.920 --> 00:36:10.720 slows us down. About 1,000 requests per IP address. Even if they now took down 00:36:10.720 --> 00:36:15.500 checkmytrip for good, of course, this is not the only path to a reservation. 00:36:15.500 --> 00:36:21.242 As we’ve seen before you can just use the provider’s web site directly. And the 00:36:21.242 --> 00:36:26.350 popular ones in Germany, they differed in security quite a bit when we checked 00:36:26.350 --> 00:36:30.080 a few weeks ago. So Lufthansa itself differed on their different properties. 00:36:30.080 --> 00:36:35.190 The standard website asked for a captcha, not the first time, but I think starting 00:36:35.190 --> 00:36:39.740 from three requests, so a really good compromise. They make it comfortable 00:36:39.740 --> 00:36:44.540 to use for really anybody who just wants to look up their own records. But then 00:36:44.540 --> 00:36:48.250 they make it a little bit more painful for somebody who tries to look up 00:36:48.250 --> 00:36:52.958 too many. But then the mobile version e.g. didn’t have that captcha. And again, 00:36:52.958 --> 00:36:58.690 weakest link principle applies. Air Berlin, they had some rough IP filter, 00:36:58.690 --> 00:37:02.359 again, 1,000 requests per IP, that’s a little bit too much, they introduced 00:37:02.359 --> 00:37:08.590 a captcha today! So, again, in response to this. This is already showing 00:37:08.590 --> 00:37:13.940 some effect. Thank you to checkmytrip and Air Berlin for working on this 00:37:13.940 --> 00:37:19.649 over the holidays, much appreciated. Maybe, if you know anybody, thank you! 00:37:19.649 --> 00:37:28.340 applause 00:37:28.340 --> 00:37:35.020 On the other GDSs the situation is much worse still. They’re still as brute-forceable 00:37:35.020 --> 00:37:41.970 as they ever were, as are the web sites. 
Except for the little bit of first-name 00:37:41.970 --> 00:37:48.810 extra complication on American Airlines, every web site we have tried is not protected 00:37:48.810 --> 00:37:55.540 from brute-forcing. And this is surprising to me. In my consulting work I have 00:37:55.540 --> 00:38:00.480 never seen a web site where not the first pentester ever looking at it would say: 00:38:00.480 --> 00:38:04.190 “Oh, you didn’t have rate limiting in it, please add it!” and then, two days later 00:38:04.190 --> 00:38:10.310 they had. So for most of this industry that is yet to happen. So no cookie here, 00:38:10.310 --> 00:38:18.950 either. Let’s talk about one more abuse scenario that’s… I can say they’re very 00:38:18.950 --> 00:38:22.400 relevant but that’s maybe because in my consulting life I’ve been dealing with 00:38:22.400 --> 00:38:28.109 human security for the last couple of years, appreciating that technology 00:38:28.109 --> 00:38:32.609 is mostly not the weakest link but the gullibility of people working 00:38:32.609 --> 00:38:38.220 in the company. And the same probably goes for travelers. Imagine the scenario where 00:38:38.220 --> 00:38:42.400 you made a booking, just a few minutes ago. And now that airline, or at least 00:38:42.400 --> 00:38:46.859 it looks like that airline, sends you an e-mail saying “Thank you for making 00:38:46.859 --> 00:38:53.160 this reservation, here is all your booking stuff, summarized for you, please update 00:38:53.160 --> 00:38:57.480 your credit card information, though. The booking didn’t go through.” 00:38:57.480 --> 00:39:03.310 I would click on that. I expect them to e-mail me, I know that sometimes 00:39:03.310 --> 00:39:08.170 credit cards are fuzzy, I would click on it and enter my credit card information 00:39:08.170 --> 00:39:13.830 again. And how is this possible? 
Of course we can stay ahead of the current pointer 00:39:13.830 --> 00:39:18.410 in these sequences and find bookings that were made in the last, let’s say, 00:39:18.410 --> 00:39:23.950 half an hour, for popular last names again. And each of those bookings will 00:39:23.950 --> 00:39:28.369 point us to an e-mail address, and give us all the context we need to include in this 00:39:28.369 --> 00:39:33.740 very, very targeted phishing. If nothing else, I think this should convince 00:39:33.740 --> 00:39:38.480 the airline industry to close these loopholes because the evilness of the internet 00:39:38.480 --> 00:39:43.190 will not ignore this forever. Phishers are always looking for new targets, and 00:39:43.190 --> 00:39:52.369 this will be a very juicy one. So we looked at the three big GDSs now. 00:39:52.369 --> 00:39:59.330 There’s a few other players, e.g. SITA. It looks like on the way out but these two 00:39:59.330 --> 00:40:03.830 very big airlines, they still use it. So they’re certainly still relevant. They are 00:40:03.830 --> 00:40:08.430 even worse. They use, instead of a six-digit booking code they use five digits. 00:40:08.430 --> 00:40:12.540 And one digit is fixed per airline. So if you know you’re looking for Air India 00:40:12.540 --> 00:40:18.770 you don’t even have to brute-force that leaving just four digits to go through, 00:40:18.770 --> 00:40:23.560 and to brute-force. Now we don’t have a demo for this because we found three 00:40:23.560 --> 00:40:28.670 other more fun ones to demo. So… laughter 00:40:28.670 --> 00:40:35.910 Nemanja will now show you RyanAir, Oman Air and Pakistan International Airlines. 00:40:35.910 --> 00:40:42.710 Note that all of these are connected to big GDS systems. So it’s now the web sites 00:40:42.710 --> 00:40:48.359 that make it even worse than we already discussed before. And can we switch over 00:40:48.359 --> 00:40:51.850 to the other computer again? Thanks. 
00:40:51.850 --> 00:40:57.900 Nemanja: Yeah, I guess, many people fly with Ryan Air here. 00:40:57.900 --> 00:41:02.359 They use Navitaire which is now owned by Amadeus. 00:41:02.359 --> 00:41:06.780 So they don’t share the same address space. But on the Ryanair web site you can 00:41:06.780 --> 00:41:10.510 either search for the reservation with the e-mail address and the reservation number 00:41:10.510 --> 00:41:15.020 or the last four digits of the credit card that you used for booking. 00:41:15.020 --> 00:41:16.020 laughter 00:41:16.020 --> 00:41:20.770 Karsten: Again, great authenticator, right? Ten thousand options. 00:41:20.770 --> 00:41:29.820 Nemanja: As they don’t have captcha we can have a look for… 00:41:29.820 --> 00:41:34.430 So we know that the last four digits of 00:41:34.430 --> 00:41:36.300 Carmen Sandiego’s card are these. 00:41:36.300 --> 00:41:38.551 Karsten: And if not we can just try all ten thousand. 00:41:38.551 --> 00:41:42.130 Nemanja: We can just try, yeah. We can do the other way around. So this way 00:41:42.130 --> 00:41:48.270 we know that… and that it starts with these characters. And let’s try 00:41:48.270 --> 00:41:54.130 to brute-force it. In the meantime let’s have a look at the Oman Air. 00:41:54.130 --> 00:41:57.890 They ask for the booking reference and for the departure airport. But 00:41:57.890 --> 00:42:01.900 departure airport doesn’t have to be just the departure airport but it can also be 00:42:01.900 --> 00:42:07.082 any airport that is within the reservation. So for Oman Air we think that it’s 00:42:07.082 --> 00:42:13.090 Muscat which is the capital. So usually… most of these flights 00:42:13.090 --> 00:42:18.420 go through there. Let’s see if we can find someone who is… 00:42:18.420 --> 00:42:24.430 Karsten: And he’s now just trying random booking codes that are valid within 00:42:24.430 --> 00:42:28.820 that name space. So, again, they don’t really use the full entropy. 
So that makes 00:42:28.820 --> 00:42:32.830 the search a little bit quicker but other than that it’s just a pure brute-force. 00:42:32.830 --> 00:42:37.830 Nemanja: And as there is no captcha as you can see we can go on to the next one. 00:42:37.830 --> 00:42:39.869 So this one is the winner! 00:42:39.869 --> 00:42:44.180 laughter 00:42:44.180 --> 00:42:53.609 They trust you that it’s yours! strong applause 00:42:53.609 --> 00:43:00.780 And let’s see … so we already have one for the Oman Air. Okay. This is the one… 00:43:00.780 --> 00:43:01.780 this is where… 00:43:01.780 --> 00:43:04.910 Karsten: That was RyanAir, huh? 00:43:04.910 --> 00:43:07.180 Nemanja: This is the RyanAir, yeah. 00:43:07.180 --> 00:43:10.670 So we didn’t bring these two characters. 00:43:10.670 --> 00:43:15.110 But… because we wanted to hide it. If we accidentally hit some booking with that 00:43:15.110 --> 00:43:18.840 card number we don’t want to show the booking reference number of someone else. 00:43:18.840 --> 00:43:27.820 So it might be even some of the people here. We can try… 00:43:27.820 --> 00:43:33.950 Even got one from the Pakistan. Carmen Sandiego is flying from SXF to TSR. 00:43:33.950 --> 00:43:45.750 And here we can just enter the… what was the, I think… if I’m right… 00:43:45.750 --> 00:43:54.140 Let’s see if this will work. Yeah, okay. 00:43:54.140 --> 00:43:55.400 Hello Carmen Sandiego. 00:43:55.400 --> 00:44:01.099 Karsten: So now we know where Carmen Sandiego is, finally. The point is, 00:44:01.099 --> 00:44:05.450 we made, you can brute-force these web sites rather easily and you don’t really 00:44:05.450 --> 00:44:10.410 trigger any alerts there, apparently. Which, again, coming from 00:44:10.410 --> 00:44:15.180 an IT security background I find pretty shocking. Can we switch back to 00:44:15.180 --> 00:44:25.140 the other screen? Let’s look at the last security feature that we would expect 00:44:25.140 --> 00:44:30.090 any IT system to have, these days. 
Especially knowing that it has been 00:44:30.090 --> 00:44:33.880 criticized for lack of IT security for a long time. And that, of course, 00:44:33.880 --> 00:44:40.260 is accountability, logging. At least track who’s legitimately or illegitimately 00:44:40.260 --> 00:44:45.010 accessing these records. It turns out that it has been asked for a long time 00:44:45.010 --> 00:44:50.410 by different people, again most notably Ed Hasbrouck, this privacy advocate, 00:44:50.410 --> 00:44:55.400 but also other reporters and other advocates have come across this 00:44:55.400 --> 00:44:59.950 for years, saying “there’s rumors that, let’s say, the Department of Homeland 00:44:59.950 --> 00:45:05.040 Security in the U.S., they have root access in these GDSs. Where are the records, 00:45:05.040 --> 00:45:10.310 whether they are accessing it or not. Where are the records for abuse by 00:45:10.310 --> 00:45:15.390 support staff in these GDS companies. Where are any records?” 00:45:15.390 --> 00:45:19.250 The GDS companies have always said, “oh, we can’t keep any records, it’s 00:45:19.250 --> 00:45:26.240 not technologically possible.” I call BS on that. They are logging… in the tiniest 00:45:26.240 --> 00:45:30.520 minutia, any change to a reservation there’s a log for. And then access log 00:45:30.520 --> 00:45:34.910 does not exist? And it’s not technologically possible? I think there’s 00:45:34.910 --> 00:45:40.119 a completely different reason behind here. If, in fact, these companies gave access, 00:45:40.119 --> 00:45:45.130 unlawful access, or at least in violation of privacy laws in, let’s say, 00:45:45.130 --> 00:45:49.580 the E.U. or Canada, if, in fact, they gave that access to other governments 00:45:49.580 --> 00:45:54.530 the last thing you want is a trail of evidence showing that people have 00:45:54.530 --> 00:46:01.070 access to records. 
So this has nothing to do with technological restrictions, this is 00:46:01.070 --> 00:46:05.570 purely – those companies don’t wanna be in the middle of a debate where probably 00:46:05.570 --> 00:46:10.810 some sealed order in the U.S. makes them disclose all this information but laws 00:46:10.810 --> 00:46:14.820 in Europe make them not disclose the information. They just don’t wanna have 00:46:14.820 --> 00:46:20.920 evidence either way. But that leaves us in a very peculiar position where now 00:46:20.920 --> 00:46:26.020 we know that these systems are insecure, use very bad authenticators, expose this 00:46:26.020 --> 00:46:31.160 over web sites that can be brute-forced and don’t keep any record of if that 00:46:31.160 --> 00:46:36.780 actually happens. So it’s completely unknown how much abuse may be 00:46:36.780 --> 00:46:41.810 happening here. I think we can be pretty certain that the flight changes for people 00:46:41.810 --> 00:46:45.470 to fly for free, that they are not happening very frequently because that’s 00:46:45.470 --> 00:46:50.580 the only one of these attack methods that would leave very clear evidence, somebody 00:46:50.580 --> 00:46:55.400 actually complaining, saying “I wanted to take my flight but apparently somebody 00:46:55.400 --> 00:47:01.180 else already took it before me, or canceled it and took off with the money.” 00:47:01.180 --> 00:47:04.630 But the other cases we have no idea whether or not they’re happening. 00:47:04.630 --> 00:47:08.480 They’re technologically possible, and nobody seems to be looking for these 00:47:08.480 --> 00:47:17.040 abuse patterns. In summary, there’s just three big global databases, two in the U.S., 00:47:17.040 --> 00:47:24.240 one in Europe. They keep all the information on all the travelers. 00:47:24.240 --> 00:47:29.230 This information includes your personal contact information, payment information, 00:47:29.230 --> 00:47:34.250 your IP address. 
So lots of stuff that in a lot of other systems we consider 00:47:34.250 --> 00:47:39.700 sensitive, private even. And it should be protected with a good password. We would 00:47:39.700 --> 00:47:44.490 advise people to use an 8-character or longer password, with special characters. 00:47:44.490 --> 00:47:48.839 None of that exists here. The passwords here are six digits. They are less than 00:47:48.839 --> 00:47:53.770 five digits’ worth of entropy. They’re printed on scraps of paper that you 00:47:53.770 --> 00:47:58.720 throw away. They are found on Instagram and they’re brute-forceable through numerous 00:47:58.720 --> 00:48:04.290 web sites by the GDS companies and through the travel providers. So this is very, 00:48:04.290 --> 00:48:10.920 very far away from even weak internet security. This really predates the internet 00:48:10.920 --> 00:48:17.970 in stupidity and insecurity. And while there’s multiple scenarios in which 00:48:17.970 --> 00:48:23.980 either privacy of users is at risk or even fraud could happen none of this is even 00:48:23.980 --> 00:48:28.570 logged, and nobody knows or has any way of knowing the magnitude to which 00:48:28.570 --> 00:48:33.130 these systems are already abused. So what do we need here? 00:48:33.130 --> 00:48:38.260 We clearly need more limitations on who can access what. This is not just my ask. 00:48:38.260 --> 00:48:43.020 This has been asked for 10 to 20 years. But more on the technical level, 00:48:43.020 --> 00:48:48.730 in a long term, we need passwords for every traveler. You should be able 00:48:48.730 --> 00:48:53.380 to post a picture of your boarding pass on Instagram without having to worry 00:48:53.380 --> 00:48:57.140 about somebody abusing it. This is a piece of paper that you will throw away. 00:48:57.140 --> 00:49:02.870 There should be nothing secret about it. If you wanna share it – feel free to. 00:49:02.870 --> 00:49:08.010 Somebody else needs to add a password to make that safe again. 
00:49:08.010 --> 00:49:12.760 But that’s a very long-term goal. These travel companies, they’re so interwoven, 00:49:12.760 --> 00:49:18.080 as we saw today, that all of them really have to move at the same time. 00:49:18.080 --> 00:49:24.860 The GDSs have to do their share. But then each of the interconnected airlines has to do 00:49:24.860 --> 00:49:29.119 their share. We saw this one random ticket from Instagram, so this was a Lufthansa 00:49:29.119 --> 00:49:35.810 ticket with some Alaska Air components issued by United. So at least those three 00:49:35.810 --> 00:49:40.020 companies have to work together. And how many more different airlines today have 00:49:40.020 --> 00:49:44.670 code-share agreements. So we’re talking about hundreds of companies who have 00:49:44.670 --> 00:49:50.260 to come together and decide “we wanna introduce pass codes, passwords”, 00:49:50.260 --> 00:49:54.730 whatever you wanna call them, “for each booking”. So that is a long-term goal. 00:49:54.730 --> 00:49:59.100 In the short term, though, at the very least we can expect, is for all these 00:49:59.100 --> 00:50:04.720 web sites that do give access to travelers’ private information to do the bare minimum 00:50:04.720 --> 00:50:09.460 of web security. At the very least some rate limiting. Don’t allow us 00:50:09.460 --> 00:50:16.000 to throw millions of requests at your properties, and give us back honest 00:50:16.000 --> 00:50:22.230 answers. That is unheard of anywhere else in the “cloud”. But for travel systems 00:50:22.230 --> 00:50:27.800 who claim for themselves to be the first cloud ever this seems to be very standard. 00:50:27.800 --> 00:50:32.240 And then, finally, until all of this can be guaranteed, until there’s passwords 00:50:32.240 --> 00:50:36.349 and until there is good rate limiting I think we have a right to know 00:50:36.349 --> 00:50:40.849 who accesses our records, and there must be some accountability. 
Especially, 00:50:40.849 --> 00:50:46.300 knowing how insecure these systems are today. This is a long way, and I can only 00:50:46.300 --> 00:50:52.540 hope that we are starting a journey by annoying large companies like Amadeus. 00:50:52.540 --> 00:50:58.260 They have done their little bit of fixing over the weekend now, so hopefully 00:50:58.260 --> 00:51:02.410 some others will follow suit and we will have better systems. Until then, 00:51:02.410 --> 00:51:07.050 of course, I can only encourage all of you to look at more of these travel systems 00:51:07.050 --> 00:51:10.950 because there’s plenty more to find. We’re only scratching the surface here. 00:51:10.950 --> 00:51:14.650 And, more generally, to look at more legacy systems. I think we’re spending 00:51:14.650 --> 00:51:20.119 way too much time making some already really good crypto just a tiny bit better 00:51:20.119 --> 00:51:25.060 or finding a really good mobile operating system the next little jailbreak 00:51:25.060 --> 00:51:31.780 that will be fixed two days later anyhow ignoring all these huge security issues 00:51:31.780 --> 00:51:36.250 that have been there for many, many years in systems that are a little bit less sexy 00:51:36.250 --> 00:51:40.290 and riddled with bug bounties than something else that we do spend a lot 00:51:40.290 --> 00:51:46.970 of time on. So I hope I could encourage you to do that. I wanna just hand out 00:51:46.970 --> 00:51:52.690 a few thank-yous to members of our team without whom this research wouldn’t 00:51:52.690 --> 00:51:58.310 have been possible, and to a few industry experts who were kind enough to 00:51:58.310 --> 00:52:02.630 read over these slides and provide feedback, and help us hopefully 00:52:02.630 --> 00:52:07.880 not have any major gaps on our information. And then, to you for 00:52:07.880 --> 00:52:11.500 showing up in such great numbers, thank you very much! 00:52:11.500 --> 00:52:29.920 applause 00:52:29.920 --> 00:52:33.560 Herald: Wow, great talk. 
Thank you very much! We have five minutes 00:52:33.560 --> 00:52:38.550 for Q&A. So please line up on the microphones, and we’ll take 00:52:38.550 --> 00:52:40.560 some questions. First one! 00:52:40.560 --> 00:52:44.300 Question: Do you have any indication of how secure the systems are on the other 00:52:44.300 --> 00:52:48.674 end, that the airlines supply their fares into the entire systems? 00:52:48.674 --> 00:52:53.869 Is there any indication that those systems might be more secure than 00:52:53.869 --> 00:52:59.180 on the customer side? Or would it be easy to inject a cheap fare, e.g. 00:52:59.180 --> 00:53:02.859 by impersonating the airline with weak passwords? 00:53:02.859 --> 00:53:08.450 Karsten: Honestly, we don’t know. It was definitely on our list to research 00:53:08.450 --> 00:53:14.160 but we don’t have time for everything so we focus more on the customer privacy. 00:53:14.160 --> 00:53:18.660 But one thing that I really would want to test if I had any way of doing it: 00:53:18.660 --> 00:53:24.280 imagine the parsers for these strings. Imagine injecting some special characters 00:53:24.280 --> 00:53:32.190 in that. I don’t know who creates these strings and maybe I don’t wanna know. 00:53:32.190 --> 00:53:37.990 But if anybody does and you could play with some SQL commands I think a lot of 00:53:37.990 --> 00:53:42.880 web sites would wake up understanding that on that front they don’t do enough 00:53:42.880 --> 00:53:44.970 security either. 00:53:44.970 --> 00:53:48.300 Herald: Okay, question from the Signal Angel? 00:53:48.300 --> 00:53:52.040 Signal Angel: A question from IRC. Recently, U.S. Customs and Border Patrol 00:53:52.040 --> 00:53:56.430 started collecting social media identifiers for foreign citizens trying to enter 00:53:56.430 --> 00:54:00.470 the U.S. on a visitor visa. Could that information be accessible through PNRs? 00:54:00.470 --> 00:54:04.830 Karsten: That’s a good question. I don’t think you would be. 
00:54:04.830 --> 00:54:07.030 From Audience: They are! 00:54:07.030 --> 00:54:08.680 Karsten: So, I… 00:54:08.680 --> 00:54:11.430 From Audience: Yes, they are! 00:54:11.430 --> 00:54:13.580 Karsten: They are in the PNR? 00:54:13.580 --> 00:54:15.140 From Audience: Yes! 00:54:15.140 --> 00:54:16.390 Karsten: Okay. 00:54:16.390 --> 00:54:18.650 laughter 00:54:18.650 --> 00:54:25.590 I would have imagined that it’s more a case like this journalist, 00:54:25.590 --> 00:54:32.589 Cyrus Farivar. He requested through FOIA disclosure all the records that 00:54:32.589 --> 00:54:36.600 the U.S. Government kept on his travelling. And he found a lot more stuff 00:54:36.600 --> 00:54:41.899 than just in the PNR. They had notes in there like “he’s a journalist”, “we had 00:54:41.899 --> 00:54:45.560 to search him extra for that”, stuff like that. So they don’t wanna write that 00:54:45.560 --> 00:54:49.930 into the PNR. But the Government keeps separate records that may be indexed 00:54:49.930 --> 00:54:51.880 by PNR, I don’t know. 00:54:51.880 --> 00:54:54.780 Herald: Okay, microphone here! 00:54:54.780 --> 00:54:58.690 Question: Can you say something about how long information will be stored 00:54:58.690 --> 00:55:04.700 in those travel systems, and whether users have a right to get them deleted? 00:55:04.700 --> 00:55:11.500 Karsten: That’s a good question. I think that differs by system. So in Amadeus 00:55:11.500 --> 00:55:17.180 records are removed pretty quickly. Days, or at most, weeks after the last flight is 00:55:17.180 --> 00:55:21.349 finally done. But in Sabre I had the impression that much older records were 00:55:21.349 --> 00:55:25.960 still in there. Which may explain why their data set is so dense. If you keep 00:55:25.960 --> 00:55:29.500 accumulating all the information. By the end of the day this is all going back 00:55:29.500 --> 00:55:33.859 to mainframe technology. 
So I don’t think anybody understands these algorithms 00:55:33.859 --> 00:55:36.210 any more. They just kind of work. 00:55:36.210 --> 00:55:38.170 Question: The deletion? 00:55:38.170 --> 00:55:41.750 Karsten: The deletion, yeah. I don’t think you can request anything to be deleted. 00:55:41.750 --> 00:55:45.890 I don’t think they consider you a person that they wanna talk to. 00:55:45.890 --> 00:55:47.560 You’re not the customer! 00:55:47.560 --> 00:55:49.680 Question: Thanks! 00:55:49.680 --> 00:55:52.150 Herald: Okay, the microphone there, in the… 00:55:52.150 --> 00:55:56.430 Question: It seems that the immediate way to abuse these systems is, like you said, 00:55:56.430 --> 00:56:01.710 with abusing money, and the mileage etc. It seems that those paths are actually 00:56:01.710 --> 00:56:05.800 somehow monitored by airlines, so if I’m collecting miles and take it not under 00:56:05.800 --> 00:56:09.460 my name that would raise some flags. You think that’s not the case? 00:56:09.460 --> 00:56:15.700 Karsten: Yes, I should have been more explicit how this attack works, 00:56:15.700 --> 00:56:19.950 the mile diversion. So, of course, you have to have an account in the same name 00:56:19.950 --> 00:56:24.570 as the person flying. So had his demo worked, he would have a PNR for 00:56:24.570 --> 00:56:28.650 a lady Carmen Sandiego. You can just go to Miles & More and create an account 00:56:28.650 --> 00:56:33.589 under that name. A lot of airlines, though, they also allow you to change your name. 00:56:33.589 --> 00:56:38.470 So you just change it whenever you found a round trip Australia ticket, 00:56:38.470 --> 00:56:42.510 you change the name to whatever that target name is. And I know for a fact 00:56:42.510 --> 00:56:49.040 that people are doing that right now, not you guys, before even. Based on Instagram 00:56:49.040 --> 00:56:53.720 photos. 
So people are diverting miles by creating new accounts or by keeping

00:56:53.720 --> 00:56:58.109
changing the names of the accounts. And yes, airlines do sometimes notice this

00:56:58.109 --> 00:57:04.790
but only when it becomes excessive. And sure, that’s their money. I just hope

00:57:04.790 --> 00:57:08.790
that it will become so excessive that it’s such a big problem that it can’t be

00:57:08.790 --> 00:57:13.760
ignored any more. And then the privacy issues get fixed on the same token

00:57:13.760 --> 00:57:18.470
where privacy is never enough to convince a big company. But if you throw in

00:57:18.470 --> 00:57:20.800
a little bit of fraud it may be enough.

00:57:20.800 --> 00:57:29.080
applause

00:57:29.080 --> 00:57:31.624
Herald: Okay, one last question. Microphone here!

00:57:31.624 --> 00:57:36.600
Question: Hi Karsten! When people use like GDSs they have these really archaic…

00:57:36.600 --> 00:57:41.180
there are not even… there are like actual terminals, not even pseudo-terminals.

00:57:41.180 --> 00:57:45.190
And then they expose like these APIs for the sake of writing your code in like Java

00:57:45.190 --> 00:57:49.260
or whatever. I’m wondering if there’s research to be done at that level?

00:57:49.260 --> 00:57:53.880
Or did you just not look at that, or that’s just an area of further research?

00:57:53.880 --> 00:57:59.329
Karsten: We did, quite a bit. But we found no way of making that public in any way

00:57:59.329 --> 00:58:05.720
that wouldn’t require a login from a travel agency and all of that good stuff.

00:58:05.720 --> 00:58:11.550
So I think the most I wanna say about that is the logins that travel agencies have,

00:58:11.550 --> 00:58:15.630
they’re terribly secured. But, of course, I can’t encourage anybody to go out

00:58:15.630 --> 00:58:20.630
and hack them. But if you did and you had access you’d be logging in to something

00:58:20.630 --> 00:58:24.760
that looks like a terminal. And you’d be typing some commands.
And the next thing

00:58:24.760 --> 00:58:29.940
you know it throws a Java stack trace at you. So these just look like terminals.

00:58:29.940 --> 00:58:33.579
They have moved well beyond that while still maintaining this look and feel

00:58:33.579 --> 00:58:38.110
of a mainframe. And they’re terribly insecure. So these stack traces, they just

00:58:38.110 --> 00:58:41.510
come left and right even if you try to do the right thing!

00:58:41.510 --> 00:58:43.200
laughter

00:58:43.200 --> 00:58:45.290
Question: Thanks!
Herald: Okay, we have one question

00:58:45.290 --> 00:58:47.099
from the internet!

00:58:47.099 --> 00:58:52.970
Signal Angel: Somebody wants to know, how do you avoid DDoS’ing those services

00:58:52.970 --> 00:58:56.730
when you just brute-force the booking numbers?

00:58:56.730 --> 00:59:01.813
Karsten: A good question. Of course we don’t wanna hurt anybody, so we tried to

00:59:01.813 --> 00:59:07.490
keep the rates low. And it turns out if you throw 20 Amazon instances at them

00:59:07.490 --> 00:59:09.711
they don’t go down yet. And…

00:59:09.711 --> 00:59:11.460
laughter

00:59:11.460 --> 00:59:14.260
Herald: Okay. Thank you very much, Karsten and Nemanja!

00:59:14.260 --> 00:59:20.559
applause

00:59:20.559 --> 00:59:23.900
postroll music

00:59:23.900 --> 00:59:45.000
subtitles created by c3subtitles.de in the year 2020. Join and help us!
