-
33C3 preroll music
-
Herald: So many of us
traveled to this Congress.
-
Probably most of us. And we all took
-
trains, or planes, or… maybe somebody
-
drove by car. But most
took trains and planes.
-
And have you guys ever wondered
about the infrastructure
-
of those travel booking systems?
-
Even more interesting, have you ever
-
thought how secure those systems are?
-
Karsten Nohl and Nemanja Nikodijevic…
-
Karsten has a really nice record
of security researches.
-
He had talks about GSM protocols
-
and last year he had his talk
about payment system abuse
-
which was really interesting.
-
Together with Nemanja, he will show us
his research on travel booking systems.
-
And probably we will find out
how we can get home free.
-
Please give a really, really warm
welcome to Karsten and Nemanja!
-
applause
-
Karsten Nohl: Thank you very much!
Always feels great to be back!
-
I just today noticed that the first time
I was speaking at this conference
-
is 10 years ago. So 10 years of…
-
applause
…thank you.
-
10 years of looking at 10 different legacy
systems and finding vulnerabilities
-
in all of them, so far. A lot of them were
around RFIDs, or mobile protocols.
-
This time we’re looking at something
completely different, travel booking
-
systems. And vulnerabilities in there.
-
Relative to some of the other talks we’ve
been giving, this will have less ‘hacking’
-
in it. Not because we lost our interest in
hacking but because much less hacking
-
was actually needed to exploit
vulnerabilities here. laughter
-
So, sorry for that if you expected a lot
of hacking. There’ll be a little bit,
-
that’s why Nemanja is here, but
a little bit less than usual. So we’re
-
talking about travel systems. And there
are 3 main players, or actors
-
in the commercial travel world. There are
those people who provide travelling,
-
airlines and hotels. There’s those people
who help you book them, Expedia,
-
websites like that or traditional travel
agencies. And then there’s brokers
-
who make sure that whatever is available
can be booked through those agents.
-
So those are really the backbone of travel
systems but you don’t really think
-
about them much, or at least I didn’t
before looking into this research.
-
The systems are very useful, as global
systems. In fact, they’re called “global
-
distribution systems”. And that tells you
how old they are. This is before
-
the internet was there. They go back to
the ’80s and ’70s. So there was only
-
one system that deserved the name
of a global distribution system of,
-
in this case, data. And this was
travel system. So it makes sense
-
to have these systems because, of course,
one seat on an airplane shouldn’t be sold
-
multiple times, so there needs to be
a global inventory somewhere.
-
Also all airlines should be using just
a few systems so that they can do
-
'codeshare agreements', e.g. so that,
again, the same seats on a flight
-
aren’t booked multiple times. And,
consequently, these booking systems,
-
they maintain three types of information.
The first one, you are probably most
-
aware of, are the prices. Airlines will
put their price lists into these systems
-
for booking sites to fetch. They’re
called ‘fares’ in the travel world.
-
The next important data item in there is
‘availability’. So not everything can be
-
booked that has a price. There needs to be
a seat available at a certain booking class.
-
And, finally, when somebody does find an
available seat to a fare that they want
-
to purchase that is then converted into
a ‘reservation’. So this is after the seat
-
is taken. You may have seen some of this
information before on travel web sites.
-
Let me just show you the one that I like
to use the most. The ‘ita matrix’, has
-
been bought by Google a few years ago.
So you can’t actually book through
-
here any more. But they maintain the
interface for whatever reason. And so,
-
let’s say you search for a flight to
San Francisco from here, at the end
-
of the year. This, like any other web
site will give you plenty of options
-
from the different airlines. What’s
different for this web site is that
-
they give you a lot more details,
if you know where to click.
-
So the cheapest flight, really cheap
actually, 325 bucks to go to San Francisco
-
for New Year’s, a one-way trip, and
what I like on this web site is the rules.
-
So this is real data, that is kept in one
of these GDS systems. And this already
-
looks like the ’70s, right? laughter
This would usually be shown on a terminal,
-
maybe green font on black background, and
somebody would read through here,
-
and I would say, okay, so you wanna book
for a certain day, it’s okay, the dates
-
match, you wanna go on TAP (TP)
– Portugal Airlines – so okay, that matches,
-
and you could also take a few other
airlines, and then you have to meet
-
certain other restrictions, e.g. you can
stop over here. So this flight goes
-
through Lisbon, you can stay in Lisbon
for up to 84 hours before flying on
-
to the U.S. That’d be nice. And then
it has all these other rules in here,
-
e.g. you can not cancel this ticket,
right? It’s non-refundable. But you
-
can change it for a fee. And this goes on
and on and on. For just a single fare,
-
and there’s, of course, tens of thousands
of fares available. Now this, you may be
-
surprised to hear, is the only form in
which these fares are available. There
-
isn’t an XML, there isn’t a web service,
this is how the airlines publish them.
-
And then a web site like Expedia, they
have to write a parser for it to be able
-
to present flight options to you. You
may have noticed if you tried to change
-
or cancel flights they don’t allow that
to web sites often. Expedia e.g. doesn’t,
-
you have to call them. And if you call
them they say: “Give me a moment,
-
I have to read through the fare rules.”
So in that case that just didn’t parse
-
all this information. That’s the first
thing that’s kept in these… or maintained
-
in these large GDS, the booking systems:
the fares. The other thing is
-
the availability. That’s a little bit
harder to access through public web sites.
-
Expert Flyer is probably the best one
to use. And availability is important.
-
If you actually wanted to fly to San
Francisco now for New Year’s
-
we looked at the fare, well,
this is Booking Class 'O', this is
-
always the first letter. And then, if you
look at the availability for Booking Class
-
'O', unfortunately it says ‘C’ for ‘closed’.
So they don’t accept any more bookings.
-
So just because there’s a price available
doesn’t mean that anybody can actually
-
book this flight. And, again, somebody
like Expedia would have to now combine all
-
of these different pieces of information
to present a list of flight options for you.
-
So let’s assume they did that and you did
book something. Then, the third data item
-
is created in one of these GDS. And that’s
the 'passenger name record', PNR.
-
And that looks something like this. Again,
you’ll notice the same ’70s/’80s style.
-
With lots of private information.
Ed Hasbrouck - he is a
-
privacy advocate in the U.S., probably
the loudest voice to ask for more
-
privacy around travel booking
and he was kind enough to make
-
this available on his web site, for all
to see what information is kept. So,
-
contact information, of course, things
like e-mail. This one shows you again
-
how old these systems are. So they
don’t have the ‘@’ character! This is
-
using a character set from punch cards!
And on punch cards you had 6 possible
-
punches per character. So everything here
needs to be encoded with a 6-bit character.
-
And there’s no space for ‘@’. So all
ancient stuff. But still, a possible
-
privacy hazard, right? You wouldn’t want
anybody to access this kind of information
-
about yourself. The three main players who
run GDS’s – Amadeus, mostly in Europe,
-
Sabre, mostly in the US, and then there’s
Galileo that merged with a few other
-
things into ‘Travelport’. And Galileo
isn’t really so much used by airlines
-
but it’s more used by travel agencies.
And then, often, multiple of these systems
-
they’re involved in the booking. So let’s
say you go through Expedia and you book
-
an American Airlines flight, the PNR has
to be kept in Amadeus as well as Sabre.
-
So there’s two copies here. Or let’s say
you go through a travel agency that’s
-
connected to Galileo, and you book
a flight that has both Lufthansa and
-
Aeroflot segments it would be kept
in all three of them. So this is lots of
-
redundancy depending on where your flight
segments and booking agents come from.
-
But sufficient to say there are three big
companies, who apparently hold on to the
-
private information of all travelers.
Hundreds of millions of records
-
for each of those systems. And we wanted
to find out whether they can sufficiently
-
protect this information. And there’s, of
course, reasons to believe that they can’t.
-
This is very old technology and it’s
unclear whether they ever did any major
-
security upgrades. But at the same time
there’s reasons to believe that they
-
are very well secured because this PNR
data, this very information about travelers
-
that has been disputed between different
governments for a long time, in particular
-
the U.S. Government, and asking for more
and more information since 9/11 in
-
multiple waves, and the E.U. governments
that say: “No, you can’t have more
-
information than you absolutely need.” So
they agree politically that, yes, the U.S.
-
can get information on those travelers
going to the U.S. but only certain data
-
fields, and have to delete them after
a few years. So this was years
-
of negotiation. And you’d imagine that the
systems at the forefront of this dispute
-
they’d be secure enough that, let’s say,
we couldn’t access those same information
-
that even the U.S. Government is supposed
to not access. So we set out to answer
-
this simple question: do these GDS’s,
do they have normal, basic security.
-
Do they constrain access, do they
authenticate users well, do they protect
-
through rate limiting from web attacks,
and do they log to be able to detect any
-
possible type of abuse. We’ll go through
each of them to see where those systems
-
stand. Let’s start with access control.
And this is just drawing
-
from public sources, so, again, Ed
Hasbrouck, this privacy advocate
-
in California, he has been the loudest
voice here, saying, there’s overreach by a
-
lot of players already accessing PNR
information. So e.g. if you have a booking,
-
let’s say a flight booking, anybody who
works at this airline can access
-
your information. But then, if you add,
let’s say, a car reservation to the same
-
booking, anybody who works at the car
rental company can also access
-
let’s say the flight information. And
any agent at the booking agency
-
that you use can access all of this
information. And if you keep adding
-
information all of these people still have
access to it. That’s just how these
-
systems grew over time, but that’s a first
indication to me that this certainly
-
wasn’t built with modern security
in mind. Most concerningly
-
the people working at or for the GDS
companies, they have access to everything,
-
absolutely everything. Including their
support staff, as far as I understand.
-
So these are external companies that
help debug the system, and they
-
have access to hundreds of millions
of people’s private information.
-
So way too many people have access
to way too much information, e.g. if you
-
did an online booking your IP address
is stored there, basically forever,
-
well, until the flight is over. But any of
these people can now access your
-
IP address, your e-mail address,
phone number and all of this.
-
So definitely that doesn’t seem to be
fine-grained access control. But,
-
as I said earlier, this has been known
for a long time and criticized a lot.
-
Not acted on, though, yet! How about
authentication? The picture is actually
-
even worse for authentication. And I want
to distinguish two different cases here.
-
I wanna distinguish professionals
accessing records, so people working
-
at travel agencies and airlines. And,
as a second case I wanna distinguish
-
travelers accessing their own records,
like when you check in online, e.g.,
-
you access your own record. Professionals,
the way they access it, typically, is that
-
their agency is connected to one of these
GDS’s through basically one account.
-
So an entire agency system, or at least
an entire location uses one account.
-
So years ago somebody typed in some user
name and password, and then it’s long been
-
forgotten because locally they use
a different access management.
-
A few travel agencies were kind enough to
help us in this research, and their access
-
credentials, we saw them using, they’re
just terrible. E.g. for one of the big
-
systems that I won’t name you need the
agent ID, so that you can get pretty
-
easily. And then a password for the web
service, so the modern way of accessing,
-
this is WS for web service and the date
on which the password was created.
-
So even if you have to brute-force
20 years, how many possible dates
-
does a single year have? Times 20. This is
ridiculously low entropy for an account
-
that is supposed to protect information
of millions of people, if not more.
-
This is the best authenticator
that we found in these systems!
-
laughter
-
It gets worse with travelers accessing
their own information. Because there
-
they just simply forgot to give you
a password, not even a terrible password
-
like this; there just isn’t one. And what
they use instead is the booking code,
-
‘PNR locator’ it is sometimes called.
I call it booking code.
-
It’s a six-digit code. When you
check in online you need that code.
-
And you only need that code and your
last name. So you’d imagine that,
-
if they treat it as a password equivalent
then they would keep it secret
-
like a password. Only – they don’t,
but rather print it on every piece
-
that you get from the airline, e.g. on
every piece of luggage you have
-
your last name and a six-digit code.
On your boarding pass –
-
it used to be there, and then it
disappeared and then these barcodes
-
showed up. So it’s inside the barcode.
If you decode the barcode there is
-
your PNR in there. I erased it here,
this is still for a valid booking.
-
laughter
-
So, you have these six-digit codes printed
everywhere and you can just find them
-
on pieces of scrap at the airport.
Certainly these tags you find all over,
-
but also people throwing away their
boarding passes when they’re done.
-
And this is supposed to be the only way
of authenticating users. And we’ll
-
show you in a minute what kind
of abuse is possible through that.
-
But let’s first think about where else you
could be able to find these PNR codes.
-
Could it get any worse than somebody
printing your password on a piece of paper
-
that you throw away at the end of your
journey. Of course the internet can make
-
it worse! And what better technology to
worsen the security problem than
-
Instagram? So on Instagram…
laughter and applause
-
So you got all these bookings. And, in
fact, there was one guy here, you see, he
-
actually erased the information. But for
one who knows what’s up, everywhere,
-
there’s a hundred who don’t. And this
is really all information you need.
-
I saw a Lufthansa one just now,
where was that? – Here.
-
So here is a Lufthansa one. This is from
today, posted by markycz at Frankfurt.
-
This is really all you need to get
somebody’s…
-
laughter and applause
-
Let’s see if this works.
Yeah, sure enough. So.
-
laughter
-
'Marky M.' on Instagram is apparently
Marketa Mottlova
-
and this is her booking reference.
-
laughter
-
I was debating whether or not to show this
but you guys are gonna do it anyway
-
when I’m done with this talk.
laughter
-
cheers and applause
-
So a flight today from Munich
to Frankfurt and then, on to Seattle.
-
Let me point out one thing here.
-
Where did I see the ticket number?
-
off camera mumbling on stage
-
Just use mine!
-
It’s AndroidAPKN
Oops.
-
And then let me write down the password.
-
Okay. Alright.
-
So what I wanted to point out is that
this isn’t even a Lufthansa ticket.
-
So she checked in with Lufthansa
in Frankfurt. But if you look at the
-
ticket number, 016, that’s a United
[Airlines] ticket. And it also includes
-
flights on Alaska Airlines e.g.
So any of these airlines have
-
full access to this PNR. And many of them
will just grant people access to it
-
if they know the PNR and the last name.
As Nemanja will show in a minute,
-
even if they don’t know that yet. So...
-
To recap for the moment: airlines give you
a six-digit password that they print
-
on all kinds of pieces of paper and
that you will post on Instagram.
-
Why shouldn’t you, everybody else does,
too, apparently. 75,000 people at least
-
over the last couple of weeks. So
the authentication model here is
-
severely broken, too. And what
kind of abuse arises from this?
-
Of course, you can now use this PNR,
log in on Lufthansa as I have just done
-
or a more generic web site, like
Checkmytrip and look up peoples’
-
contact information at the very least.
So there’s always an email address
-
in there. There’s usually a phone number
in there. If in Lufthansa you click on
-
“I wanna change my booking” probably
they’ll ask you for your payment information
-
and pre-fill the postal address for that.
So you get somebody’s postal address
-
that they used for the booking, passport
information, visa information. If you
-
travel to the U.S. as she does there’s
definitely passport information
-
in the PNR. All of this information is now
readily accessible. Now so far
-
there was zero hacking involved. That’s
why we have Nemanja here who will
-
show you some actual hacking to get even
deeper into these systems.
-
Can we switch the screen?
-
Nemanja Nikodijevic: So when…
laughter
-
When we started this research we needed
to find lots of these booking numbers
-
to see if there is some relation between
them. So luckily we didn’t have to
-
make any bookings that we had to pay
because there are web sites like this one
-
where you can just make a booking
and pay it later but you get
-
the booking reference number at the time.
So let’s make some very normal
-
German name… laughter
..looking for someone from Germany.
-
Actually they check the phone number, so
it has to follow a certain form.
-
Let’s find Germany… from Berlin,
-
1234567.
laughter
-
And then ‘hans@sandiego.com’.
-
As you can see I tried quite some…
laughter
-
So for this one we already got
our booking reference number
-
which is Y56HOY.
And this one, in a minute.
-
Okay, we have to wait a bit. Y5LCF4.
So if you notice
-
they are very close to each other, so
they both start with Y5 which means
-
that they were booked on the same day.
Probably because one is on Lufthansa,
-
the other one is on Air Berlin, there is
slight difference. They are not exactly
-
sequential. But we can say that they are
concentrated in a certain range
-
for a certain day. What we can do now is
-
we can go to one of our servers. At first
-
we have to check if checkmytrip works
-
because I had some issues
with the network.
-
That’s… ooh!
laughter
-
This is a bit unexpected.
We will have to skip this part
-
where we actually look for Carmen
Sandiego in one of our bookings.
-
But…
-
Karsten: Well, this is a side effect of
responsible disclosure. So you tell
-
a company that on this day you’ll do that
thing to that web site, and they just
-
either block the IP ranges here or just
took down the web site which they
-
have done a few times before.
What you can do is… – say it again!!
-
From audience: Can you test the hot spot?
-
Karsten: Actually, I think the whole
web site is turned off.
-
Nemanja: What we can demonstrate, I think,
is that if we go with this booking number,
-
to Air Berlin web site, and then
type last name, “Mueller”.
-
And actually, because it’s six-bit
encoding it has to be “UE”, no Umlauts
-
allowed. So, “Select all the food!”
laughter and applause
-
Let’s see if we can find this flight.
-
Karsten: The part of the demo that you
didn’t show is just brute-forcing
-
these ranges. If you know which ranges
are used in a day you can try them all.
-
Or at least we did many times. That
would then, in theory, give you access
-
to all of this. And not just in theory, in
practice, unless they take down their
-
entire web site which they knew we were
gonna use for this demo.
-
Nemanja: But on this, for example, if we caught
that flight that we wanted to catch…
-
Karsten: We’ll show it later. But at least
the first win for privacy: no information
-
is leaked through this web site
for the rest of this talk, at least!
-
laughter and applause
-
Can we switch back to the other screen?
ongoing applause
-
One thing that you would have noticed had
this not just been a flight reservation
-
but an actual ticket: it would have
given you options to rebook it,
-
to add a frequent flyer number, all of that
good stuff. So what’s the abuse potential
-
here? So far we’ve only talked about
privacy intrusion. And privacy intrusion
-
is bad enough. Imagine somebody is
snapping a picture of your luggage,
-
that person has your email address and
your phone number, right there, right then.
-
But the abuse potential goes much
beyond that. For instance, you can fly for free!
-
You can fly for free using different
methods. You can find somebody else’s
-
booking and just change the date.
The ticket… in fact, we can show it
-
a little bit later. We had prepared for
this demo that we are going to find
-
through a little bit of brute-force that’s
a flexible ticket. So you can just change
-
the date, and change the email address.
You just take that flight yourself.
-
And as the airline checks… compares the
ticket and your passport – oftentimes
-
they do it visually. What they’ll do is
they’ll send you a PDF, you change
-
the name, you take it anyway. But at least
in Schengen, in the EU, people don’t even
-
do that. Let’s say you wanted
to take it in your name. You can,
-
depending on the airline, call them up
or even use their web sites to cancel
-
the ticket, and then issue a refund to you
inside the PNR, and then use the money
-
that’s freed up there to book a new
ticket. Some airlines also give you
-
MCOs – miscellaneous charges orders.
Americans will know this very well,
-
every time you get bumped from a flight
they give you an MCO, “sorry, we can’t
-
fly you home today, you’ll have to go
tomorrow, but here is $1,000 towards
-
a new ticket”. It’s real airline cash.
And those same MCOs you can issue
-
based on flight cancellation. So you
cancel somebody else’s ticket and you get
-
airline money to book your own ticket.
And, again, there are no passwords
-
involved. The only authenticator is this
six-digit sequence that people post
-
on Instagram, print on their boarding
passes and that Nemanja should be able
-
to brute-force on their web sites. What
else can you do, once you have somebody’s
-
PNR? You can change or add a mile number.
And some tickets are really attractive
-
for mile collection. Take a round trip to
Australia in 1st class, get 60,000 miles
-
right there, for one round trip, for one
PNR. And that will get you a sweet, free
-
flight to somewhere nice, or even some
voucher for online and offline shopping.
-
One website that I wish was still
working is, of course, this one.
-
laughter
-
But they shut down business, apparently.
Unrelated to this talk.
-
laughter and single claps
-
So you have access to somebody’s PNR,
you can not just stalk them but change
-
their flights or – which may trigger some
curiosity – that flight can be taken twice.
-
But you can very stealthily add your mile
number everywhere, well, a new mile number
-
matching that name to collect those sweet
miles. Now, are all airlines affected
-
by that? The demo that we didn’t get to
show brute-forced for one last name,
-
Sandiego, all the PNRs for a day. And it
quickly found, in fact, a bunch of records.
-
There’s not just one Sandiego flying that
day. But in some airlines they’re
-
a little bit smarter. For instance American
Airlines, the largest airline in the world,
-
they don’t just want the last name
but also the first name. And if you’re
-
interested in one specific person, let’s
say ‘Carmen Sandiego’, you would still
-
find that person. But if you want to
conduct fraud that becomes a little bit
-
more tricky. A fraudster would just pick
a random, very popular last name and
-
brute-force PNRs there. And that becomes
more difficult if also you have to guess
-
a first name. However, even American
Airlines, those records can be accessed
-
through other web sites. For instance Viewtrip,
this is another generic web site like this
-
infamous Checkmytrip that just went
offline. And Viewtrip allows you
-
to brute-force by just last name and PNR,
again. So there’s multiple ways to access
-
the same information. Some of which are
more secured than others. And, of course,
-
only the weakest link mattered. So
Viewtrip, what they would say is
-
they found the record and they can’t give
you access to the information but then
-
TripCase will which, again, takes only
last name and reservation number.
-
And they will tell you the first name
also that then you can type in to
-
the American Airlines web site again
laughter
-
to change the booking, let’s say. So
there’s all these different ways to access
-
a person’s information here. And everybody
is slightly different. So let’s look at the
-
entire universe of travel web sites,
starting with just three big travel providers.
-
Each of them uses six-digit booking codes.
But they use these six digits rather
-
differently. Sabre e.g. they don’t use any
numbers which of course severely impacts
-
the entropy. But then others, e.g. Amadeus,
they don’t use 1 and 0, because that could
-
be confused with i and o, and then
Galileo drops a few other characters. So
-
at the end of the day none of them really
used the entropy of even a six-digit
-
pass code. All of them are in entropy
lower than a randomly chosen 5-digit
-
password. And we will never recommend
anybody to use a 5-digit password, right?
-
So this is strictly worse. And what
makes it even worse, at least for
-
privacy-intruding attacks, is the
sequential nature of these bookings.
-
You saw the two that Nemanja just now
generated. Both of them were from
-
the same, very small sub set. So if you
just wanted to know all the bookings
-
that a person did today, you can
brute-force this in 10 minutes
-
with a few computers running in parallel.
It’s not so easy on Sabre because
-
they seem to be chosen more randomly.
However, Sabre has the lowest entropy,
-
so if you just randomly want to find
bookings for popular last names Sabre is
-
your system of choice. They’re all weak,
but the weaknesses differ in shades of grey
-
for this privacy intruding and for the
financial fraud-type attacks.
-
As one example, though, of how easy it is
to find these booking codes, if you
-
look up 1,000 just randomly chosen booking
codes in Sabre for the last name ‘Smith’
-
five will come back with current bookings.
So half a percent of the entire name space
-
is filled with current bookings for people
called ‘Smith’! Now, add in all the other
-
last names, their name space must be
pretty damn full. And it’s only 300 million
-
records if you calculate the entropy.
So it looks like almost every record
-
is used up and they’re running out of
space. So they’ll have to fix this anyway
-
at some point. But that, of course, makes
it all the easier to randomly find and
-
abuse other people’s bookings.
Each of those providers runs a website
-
that allows you to access all the PNRs in
their system if you know the PNR and
-
the last name. And one German reporter
writing about this, he calls the
-
websites that you didn’t know existed,
that you have no use for but that, anyway,
-
put your privacy at risk. So there doesn’t
seem to be any up side to these web sites.
-
I certainly don’t need to use them
but they’re there, and they’re bad.
-
Because when we did the research none of
them had any protection from brute-forcing
-
meaning we could try 100,000, even
millions of different combinations
-
– PNR and last name – and those
websites wouldn’t complain even a bit.
-
We did expose Amadeus to way more
queries than the others and at some point
-
they did notice, maybe also because some
reporters just asked them for comments
-
on the research. They have tried to
improve. So the classic checkmytrip.com
-
website that was just killed a few days
ago – R.I.P., thank you, it’s gone,
-
50% of the problem solved. But the other
website, that was still around up until
-
literally half an hour ago. What they
did over the last couple of days was,
-
they added a captcha. But the captcha gave
you a cookie. And the cookie you could
-
again use for an indefinite number of queries.
laughter
-
It’s a company that just hasn’t done web
security before. But then they also
-
limited the number of requests per IP
address. Now, we do this from Amazon,
-
so it’s not so difficult to spawn new
IP addresses, but still… it severely
-
slows us down. About 1,000 requests per
IP address. Even if they now took down
-
checkmytrip for good, of course, this is
not the only path to a reservation.
-
As we’ve seen before you can just use
the provider’s web site directly. And the
-
popular ones in Germany, they differed in
security quite a bit when we checked
-
a few weeks ago. So Lufthansa itself
differed on their different properties.
-
The standard website asked for a captcha,
not the first time, but I think starting
-
from three requests, so a really good
compromise. They make it comfortable
-
to use for really anybody who just wants
to look up their own records. But then
-
they make it a little bit more painful
for somebody who tries to look up
-
too many. But then the mobile version e.g.
didn’t have that captcha. And again,
-
weakest link principle applies. Air
Berlin, they had some rough IP filter,
-
again, 1,000 requests per IP, that’s
a little bit too much, they introduced
-
a captcha today! So, again, in response
to this. This is already showing
-
some effect. Thank you to checkmytrip
and Air Berlin for working on this
-
over the holidays, much appreciated.
Maybe, if you know anybody, thank you!
-
applause
-
On the other GDS’s the situation is much
worse still. They’re still as brute-forceable
-
as they ever were, as are the web sites.
Except for the little bit of first-name
-
extra complication on American Airlines,
every web site we have tried is not protected
-
from brute-forcing. And this is surprising
to me. In my consulting work I have
-
never seen a web site where not the first
pentester ever looking at it would say:
-
“Oh, you didn’t have rate limiting in it,
please add it!” and then, two days later
-
they had. So for most of this industry
that is yet to happen. So no cookie here,
-
either. Let’s talk about one more abuse
scenario that’s… I can say they’re very
-
relevant but that’s maybe because in my
consulting life I’ve been dealing with
-
human security for the last couple of
years, appreciating that technology
-
is mostly not the weakest link but the
gullibility of people working
-
in the company. And the same probably goes
for travelers. Imagine the scenario where
-
you made a booking, just a few minutes
ago. And now that airline, or at least
-
it looks like that airline, sends you an
e-mail saying “Thank you for making
-
this reservation, here is all your booking
stuff, summarized for you, please update
-
your credit card information, though.
The booking didn’t go through.”
-
I would click on that. I expect them to
e-mail me, I know that sometimes
-
credit cards are fuzzy, I would click on
it and enter my credit card information
-
again. And how is this possible? Of course
we can stay ahead of the current pointer
-
in these sequences and find bookings
that were made in the last, let’s say,
-
half an hour, for popular last names
again. And each of those bookings will
-
point us to an e-mail address, and give us
all the context we need to include in this
-
very, very targeted phishing. If nothing
else, I think this should convince
-
the airline industry to close these loopholes
because the evilness of the internet
-
will not ignore this forever. Phishers are
always looking for new targets, and
-
this will be a very juicy one. So we
looked at the three big GDSs now.
-
There are a few other players, e.g. SITA.
It looks like it’s on the way out, but these two
-
very big airlines, they still use it. So
they’re certainly still relevant. They are
-
even worse. Instead of a six-digit
booking code they use five digits.
-
And one digit is fixed per airline. So if
you know you’re looking for Air India
-
you don’t even have to brute-force that
leaving just four digits to go through,
-
and to brute-force. Now we don’t have
a demo for this because we found three
-
other more fun ones to demo. So…
laughter
-
Nemanja will now show you Ryanair, Oman
Air and Pakistan International Airlines.
-
Note that all of these are connected to
big GDS systems. So it’s now the web sites
-
that make it even worse than we already
discussed before. And can we switch over
-
to the other computer again? Thanks.
-
Nemanja: Yeah, I guess, many people
fly with Ryanair here.
-
They use Navitaire which is now owned by
Amadeus.
-
So they don’t share the same address space.
But on the Ryanair web site you can
-
either search for the reservation with the
e-mail address and the reservation number
-
or the last four digits of the credit card
that you used for booking.
-
laughter
-
Karsten: Again, great authenticator,
right? Ten thousand options.
-
Nemanja: As they don’t have a captcha
we can have a look for…
-
So we know that the last four digits of
-
Carmen Sandiego’s card are these.
-
Karsten: And if not we can just try all
ten thousand.
-
Nemanja: We can just try, yeah. We can
do the other way around. So this way
-
we know that… and that it starts
with these characters. And let’s try
-
to brute-force it. In the meantime
let’s have a look at the Oman Air.
-
They ask for the booking reference
and for the departure airport. But
-
the departure airport doesn’t have to be just
the departure airport, but it can also be
-
any airport that is within the reservation.
So for Oman Air we think that it’s
-
Muscat which is the capital.
So usually… most of these slides
-
go through there. Let’s see
if we can find someone who is…
-
Karsten: And he’s now just trying random
booking codes that are valid within
-
that namespace. So, again, they don’t
really use the full entropy. So that makes
-
the search a little bit quicker but other
than that it’s just a pure brute-force.
-
Nemanja: And as there is no captcha, as you
can see, we can go on to the next one.
-
So this one is the winner!
-
laughter
-
They trust you that it’s yours!
strong applause
-
And let’s see … so we already have one
for the Oman Air. Okay. This is the one…
-
this is where…
-
Karsten: That was Ryanair, huh?
-
Nemanja: This is Ryanair, yeah.
-
So we didn’t bring these two characters.
-
But… because we wanted to hide it. If we
accidentally hit some booking with that
-
card number we don’t want to show the
booking reference number of someone else.
-
So it might be even some
of the people here. We can try…
-
Even got one from Pakistan. Carmen
Sandiego is flying from SXF to TSR.
-
And here we can just enter the…
what was the, I think… if I’m right…
-
Let’s see if this will work. Yeah, okay.
-
Hello Carmen Sandiego.
-
Karsten: So now we know where Carmen
Sandiego is, finally. The point is,
-
we made is, you can brute-force these web
sites rather easily and you don’t really
-
trigger any alerts there, apparently.
Which, again, coming from
-
an IT security background I find pretty
shocking. Can we switch back to
-
the other screen? Let’s look at the last
security feature that we would expect
-
any IT system to have, these days.
Especially knowing that it has been
-
criticized for lack of IT security for
a long time. And that, of course,
-
is accountability, logging. At least track
who’s legitimately or illegitimately
-
accessing these records. It turns out
that it has been asked for a long time
-
by different people, again most notably
Ed Hasbrouck, this privacy advocate,
-
but also other reporters and other
advocates have come across this
-
for years, saying “there’s rumors that,
let’s say, the Department of Homeland
-
Security in the U.S., they have root access
in these GDSs. Where are the records,
-
whether they are accessing it or not.
Where are the records for abuse by
-
support staff in these GDS companies.
Where are any records?”
-
The GDS companies have always said,
“oh, we can’t keep any records, it’s
-
not technologically possible.” I call BS
on that. They are logging… in the tiniest
-
minutiae, any change to a reservation
there’s a log for. And then access log
-
does not exist? And it’s not
technologically possible? I think there’s
-
a completely different reason behind this.
If, in fact, these companies gave access,
-
unlawful access, or at least in violation
of privacy laws in, let’s say,
-
the E.U. or Canada, if, in fact, they gave
that access to other governments
-
the last thing you want is a trail of
evidence showing that people have
-
access to records. So this has nothing to
do with technological restrictions, this is
-
purely – those companies don’t wanna be
in the middle of a debate where probably
-
some sealed order in the U.S. makes them
disclose all this information but laws
-
in Europe make them not disclose the
information. They just don’t wanna have
-
evidence either way. But that leaves us
in a very peculiar position where now
-
we know that these systems are insecure,
use very bad authenticators, expose this
-
over web sites that can be brute-forced
and don’t keep any record of if that
-
actually happens. So it’s completely
unknown how much abuse may be
-
happening here. I think we can be pretty
certain that the flight changes for people
-
to fly for free, that they are not
happening very frequently because that’s
-
the only one of these attack methods that
would leave very clear evidence, somebody
-
actually complaining, saying “I wanted to
take my flight but apparently somebody
-
else already took it before me, or
canceled it and took off with the money.”
-
But the other cases we have no idea
whether or not they’re happening.
-
They’re technologically possible, and
nobody seems to be looking for these
-
abuse patterns. In summary, there’s just
three big global databases, two in the U.S.,
-
one in Europe. They keep all the
information on all the travelers.
-
This information includes your personal
contact information, payment information,
-
your IP address. So lots of stuff that in
a lot of other systems we consider
-
sensitive, private even. And it should be
protected with a good password. We would
-
advise people to use an 8-character or
longer password, with special character.
-
None of that exists here. The passwords
here are six digits. They have less than
-
five digits’ worth of entropy. They’re
printed on scraps of paper that you
-
throw away. They are found on Instagram
and they’re brute-forceable through numerous
-
web sites by the GDS companies and through
the travel providers. So this is very,
-
very far away from even weak internet
security. This really predates the internet
-
in stupidity and insecurity. And while
there’s multiple scenarios in which
-
either privacy of users is at risk or even
fraud could happen none of this is even
-
logged, and nobody knows or has any way
of knowing the magnitude to which
-
these systems are already abused.
So what do we need here?
-
We clearly need more limitations on who
can access what. This is not just my ask.
-
This has been asked for 10, 20 years.
But more on the technical level,
-
in the long term, we need passwords for
every traveler. You should be able
-
to post a picture of your boarding pass
on Instagram without having to worry
-
about somebody abusing it. This is a piece
of paper that you will throw away.
-
There should be nothing secret about it.
If you wanna share it – feel free to.
-
Somebody else needs to add a password
to make that safe again.
-
But that’s a very long-term goal. These
travel companies, they’re so interwoven,
-
as we saw today, that all of them really
have to move at the same time.
-
The GDS’s have to do their share. But then
each of the interconnected airlines has to do
-
their share. We saw this one random ticket
from Instagram, so this was a Lufthansa
-
ticket with some Alaska Air components
issued by United. So at least those three
-
companies have to work together. And how
many more different airlines today have
-
code-share agreements. So we’re talking
about hundreds of companies who have
-
to come together and decide “we wanna
introduce pass codes, passwords”,
-
whatever you wanna call them, “for each
booking”. So that is a long-term goal.
-
In the short term, though, the very
least we can expect is for all these
-
web sites that do give access to travelers’
private information to do the bare minimum
-
of web security. At the very least
some rate limiting. Don’t allow us
-
to throw millions of requests at your
properties, and give us back honest
-
answers. That is unheard of anywhere else
in the “cloud”. But for travel systems
-
who claim for themselves to be the first
cloud ever this seems to be very standard.
-
And then, finally, until all of this can
be guaranteed, until there’s passwords
-
and until there is good rate limiting
I think we have a right to know
-
who accesses our records, and there must
be some accountability. Especially,
-
knowing how insecure these systems are
today. This is a long way, and I can only
-
hope that we are starting a journey by
annoying large companies like Amadeus.
-
They have done their little bit of fixing
over the weekend now, so hopefully
-
some others will follow suit and we
will have better systems. Until then,
-
of course, I can only encourage all of you
to look at more of these travel systems
-
because there’s plenty more to find.
We’re only scratching the surface here.
-
And, more generally, to look at more
legacy systems. I think we’re spending
-
way too much time making some already
really good crypto just a tiny bit better
-
or finding a really good mobile operating
system the next little jailbreak
-
that will be fixed two days later anyhow
ignoring all these huge security issues
-
that have been there for many, many years
in systems that are a little bit less sexy
-
and riddled with bug bounties than
something else that we do spend a lot
-
of time on. So I hope I could encourage
you to do that. I wanna just hand out
-
a few thank-yous to members of our team
without whom this research wouldn’t
-
have been possible, and to a few industry
experts who were kind enough to
-
read over these slides and provide
feedback, and help us hopefully
-
not have any major gaps on our
information. And then, to you for
-
showing up in such great numbers,
thank you very much!
-
applause
-
Herald: Wow, great talk. Thank you
very much! We have five minutes
-
for Q&A. So please line up on the
microphones, and we’ll take
-
some questions. First one!
-
Question: Do you have any indication of
how secure the systems are on the other
-
end, that the airlines supply their
fares into the entire systems?
-
Is there any indication that those systems
might be more secure than
-
on the customer side? Or would it
be easy to inject a cheap fare, e.g.
-
by impersonating the airline
with weak passwords?
-
Karsten: Honestly, we don’t know.
It was definitely on our list to research
-
but we don’t have time for everything so
we focus more on the customer privacy.
-
But one thing that I really would want
to test if I had any way of doing it:
-
imagine the parsers for these strings.
Imagine injecting some special characters
-
in that. I don’t know who creates these
strings and maybe I don’t wanna know.
-
But if anybody does and you could play
with some SQL commands I think a lot of
-
web sites would wake up understanding that
on that front they don’t do enough
-
security either.
-
Herald: Okay, question
from the Signal Angel?
-
Signal Angel: A question from IRC.
Recently, U.S. Customs and Border Patrol
-
started collecting social media identifiers
for foreign citizens trying to enter
-
the U.S. on a Visitor Visa. Could that
information be accessible through PNRs?
-
Karsten: That’s a good question.
I don’t think it would be.
-
From Audience: They are!
-
Karsten: So, I…
-
From Audience: Yes, they are!
-
Karsten: They are in the PNR?
-
From Audience: Yes!
-
Karsten: Okay.
-
laughter
-
I would have imagined that it’s
more a case like this journalist,
-
Cyrus Farivar. He requested through
FOIA disclosure all the records that
-
the U.S. Government kept on his
travelling. And he found a lot more stuff
-
than just in the PNR. They had notes in
there like “he’s a journalist”, “we had
-
to search him extra for that”, stuff like
that. So they don’t wanna write that
-
into the PNR. But the Government keeps
separate records that may be indexed
-
by PNR, I don’t know.
-
Herald: Okay, microphone here!
-
Question: Can you say something about
how long information will be stored
-
in those travel systems, and whether users
have a right to get them deleted?
-
Karsten: That’s a good question. I think
that differs by system. So in Amadeus
-
records are removed pretty quickly. Days,
or at most, weeks after the last flight is
-
finally done. But in Sabre I had the
impression that much older records were
-
still in there. Which may explain why
their data set is so dense. If you keep
-
accumulating all the information. By the
end of the day this is all going back
-
to mainframe technology. So I don’t think
anybody understands these algorithms
-
any more. They just kind of work.
-
Question: The deletion?
-
Karsten: The deletion, yeah. I don’t think
you can request anything to be deleted.
-
I don’t think they consider you
a person that they wanna talk to.
-
You’re not the customer!
-
Question: Thanks!
-
Herald: Okay, the microphone
there, in the…
-
Question: It seems that the immediate way
to abuse these systems is, like you said,
-
with abusing money, and the mileage etc.
It seems that those paths are actually
-
somehow monitored by airlines, so if I’m
collecting miles and take it not under
-
my name that would raise some flags.
You think that’s not the case?
-
Karsten: Yes, I should have been more
explicit about how this attack works,
-
the mile diversion. So, of course, you
have to have an account in the same name
-
as the person flying. So had his demo
worked, he would have a PNR for
-
a lady Carmen Sandiego. You can just go
to Miles & More and create an account
-
under that name. A lot of airlines, though,
they also allow you to change your name.
-
So you just change it whenever you found
a round trip Australia ticket,
-
you change the name to whatever that
target name is. And I know for a fact
-
that people are doing that right now, not
you guys, before even. Based on Instagram
-
photos. So people are diverting miles by
creating new accounts or by keeping
-
changing the names of the accounts.
And yes, airlines do sometimes notice this
-
but only when it becomes excessive.
And sure, that’s their money. I just hope
-
that it will become so excessive that
it’s such a big problem that it can’t be
-
ignored any more. And then the privacy
issues get fixed on the same token
-
where privacy is never enough to convince
a big company. But if you throw in
-
a little bit of fraud it may be enough.
-
applause
-
Herald: Okay, one last question.
Microphone here!
-
Question: Hi Karsten! When people use
like GDSs they have these really archaic…
-
there are not even… there are like actual
terminals, not even pseudo-terminals.
-
And then they expose like these APIs for
the sake of writing your code in like Java
-
or whatever. I’m wondering if there’s
research to be done at that level?
-
Or did you just not look at that, or
that’s just an area of further research?
-
Karsten: We did, quite a bit. But we found
no way of making that public in any way
-
that wouldn’t require a login from a
travel agency and all of that good stuff.
-
So I think the most I wanna say about that
is the logins that travel agencies have,
-
they’re terribly secured. But, of course,
I can’t encourage anybody to go out
-
and hack them. But if you did and you had
access you’d be logging in to something
-
that looks like a terminal. And you’d be
typing some commands. And the next thing
-
you know it throws a Java stack trace at
you. So these just look like terminals.
-
They have moved well beyond that while
still maintaining this look and feel
-
of a mainframe. And they’re terribly
insecure. So these stack traces, they just
-
come left and right even if you
try to do the right thing!
-
laughter
-
Question: Thanks!
Herald: Okay we have one question
-
from the internet!
-
Signal Angel: Somebody wants to know,
how do you avoid DDoSing those services
-
when you just brute-force the booking
numbers?
-
Karsten: A good question. Of course we
don’t wanna hurt anybody, so we tried to
-
keep the rates low. And it turns out if
you throw 20 Amazon instances at them
-
they don’t go down yet. And…
-
laughter
-
Herald: Okay. Thank you very much,
Karsten and Nemanja!
-
applause
-
postroll music
-
subtitles created by c3subtitles.de
in the year 2020. Join and help us!