DEF CON 24 - Przemek Jaroszewski - Hacking boarding passes for fun and profit

>>So, good morning everyone. >> Morning. >> Hope you're enjoying DefCon so far. >> ?Yes... >> Wooooh! [cheering] Happy to see so many people so early in the morning on the last day. So, hope I won't get you asleep. Uhm, let's start with it, okay, so, aha, uh, bit of an introduction. I am the head of the national Polish CSIRT, that is the Computer Security Incident Response Team. Uhm, that's my job but this research is not related to the job in any way. So, just a disclaimer, that's my research and, uh, not necessarily all opinions are shared by my employer. Uhm, my background is a programmer... [cough] But that was a long time ago, I eventually got a degree in social psychology, that's not social engineering - that's related [audience noise] But I don't think that they give degrees in social engineering yet. [pause] And, uh, I have 15 years of experience in IT security and I also love everything about, you know, flying and aviation. I... I almost became an air-traffic controller trainee at some moment. [pause] And I love to learn how system works, how systems works, you know, how the... how everything is going on in the background. So also because I've, uh, tend to fly a lot - both privately and, because of my employer I enjoy some benefits, uh for frequent flyers. And I have some kind of disregard for "Frequent Flyer Miles", they have any real value to me anymore but I still enjoy the privileges like lounge access, or fast track access, so they really save you time and give you some comfort at the airports. [pause] Except when somebody tries to fix that problem... and the problem doesn't really exist. So about a year ago, my home airport in Warsaw introduced these automatic self-serve gates. [audience noise] That was supposed to speed things up because instead of, you know, waving your boarding pass in front of a person, have them scanning it... you just, uh, use a scanner and the gates let you in. 
Uhm, the only problem was with the fast track it didn't read my status properly. So, it would let in all the "business class" passengers but I tend to travel on "economy", and I only get the fast track access because I have this gold status. So it wouldn't read that status properly and I had to go up to the guy anyway, show him my boarding pass, make him come to the gate, scan my boarding pass like two or three times like, you know, it's kind of counterproductive. You know, it wastes like 30 seconds of my precious time and the guy probably has better things to do. So I... let's see if I can fix things. [pause] Uhm, so let's rewind a little bit, what are we talking about? As you probably noticed for the past 10 years or so... uhm, you get this little barcode on your boarding pass, whether it's mobile, on paper, you still get a [cough] nice 2D boarding, uh, nice 2D, uhm, barcode on your boarding pass. [pause] And that was introduced in 2005 by IATA which is International Air Traffic Association, if I get it properly. Resolution 792, uh, it introduces something called board, uh, barcoded boarding pass standard. Which is adapted by all airlines, airports, anyone who deals with boarding passes have to obey to that standard. [pause] And, uhm... [pause] And so you get four different kinds of, uhm, barcodes which can be used when you have you will, it must always be PDF417 which is the nice rectangle one, the wide one; if it's on mobile it has to be the square one, so QR code which you probably know about. And the Aztec and Matrix Data which, we have examples of down here. [pause] So, you know... I get on Google Play search looking for barcode scanners to make my life easier. And, funnily enough you get, like, dozens of them. The, the tool in the middle the barcode scanner by, uh, GeeksLab and Manatee would become my two favorites, but you get a wide choice.
[pause] So, there are freely available tools you can see what's inside and you can pretty much code the boarding pax, boarding pass looks like when it's encoded in BCBP. So it's just bunch of characters. And sort of by trial and error and I started figuring out, okay, if it doesn't read the, uh, my frequent flyer status properly - so probably I need to adjust booking class, right? I need to say, I, I'm in business and if that's what it reads let's see if it will let me...[audience noise] So the other tool I would need is a boarding pass generator and funnily enough there is also a bunch of them, uhm, uh, on Google Play store and I'm pretty sure on Apple store as well. So, like I said, first by trial and error I figured out that this would be the travel class character. If you fly a little bit, you kind of get used to this letters so "M" would be for economy or "Y" would be for economy; "C" would be for business, things like that, things like that. Uhm, and also, you can pretty clearly see something's standing out like firstname, lastname, uhm, origin airport, departure airport, uhm, sorry, departure airport, destination airport; flight number, so some things you can make out just by looking at the, uh, the clear text characters. So, let's see if I switch this little character to "C", and, uhm, seriously it, it worked. It will let me in, so fine, I saved you know, 30 seconds about, uh, of my time every time I travelled through the fast track. So it's free fast track for all travellers, neat, but, you know, what else can we get? You know, if this is not verified, what else is not verified? What else can I play with? And, you know, I started changing different things, like firstname, lastname. Funnily enough - lets you in! [pause] So, then I was like, there's one thing that can be verified easily - it's the booking code, right? Because that can be looked up in the reservation system and maybe that could be matched to your boarding pass and...
well they could at least know whether you're travelling or not, you know, whether somebody's just making up things. So let's go ahead and change this... it would also let me in! So now I got, getting really confused. So what we are getting here is our airport access for all pretty much. Right? And just a bit of explanation, that was in Warsaw, I tested it in a number of different airports - in the US it would work a bit differently which I will come back to in a minute. [cough] But this works in a lot of airports, it's not, it's not something specific to Warsaw or, you know, just one or two airports. And we will come back to why that is. So it's not just fast track access, it's, you know, airport access for all. [audience noise] And, yea, like, notice like millions of travellers per day, like how come nobody noticed it? That, uh, somebody had to figure this out already... And, yea, this is not entirely news. So, back in 2003 Bruce Schneier already noticed when, uhm, when the concept of print your own boarding pass was introduced, even before the bar coded boarding pass was there that you can spoof a boarding pass and the... with this you could also circumvent the "no-fly list" checks in the US. [pause] That was 2003, until 2007 this was not fixed in any way and, uh, November 2006, Chris Soghoian, uhm, put up a webpage where anybody could produce a fake, I think, it was Southwest, boarding pass and he got into a looooot of trouble for that. [laughter] So, you got FB, much FBI raided his home, you know, he got a nice letter from TSA saying like "You are violating these and these laws, don't do it. Please". [coughing] [laughter] Uhm, there's also two articles from 2008 and, uh, 2011 which worked conjointly with Bruce Schneier. Uhm, they also touch a bit on physical security - I totally recommend going and reading them - it's very entertaining.
In 2012, uh, John Butler also wrote an article on how you could possibly, uhm, uh, figure out whether you are, uhm, pre-check eligible or make yourself precheck eligible. Uh, most, most of the technical stuff she got wrong in the article, but anyway the idea was kind of cool. And, you know, he made some things right at least. So how did the fly-list bypass work back in 2003? So you would have to buy tickets under a false name because when you are buying the tickets your name, you know, matched against the no-fly list. Uhm, then you print your boarding pass at home, so this is one point where things get checked. So your name against the no-fly list, then you create a copy of the boarding pass, and, uh, put your real name on it, which is on the no-fly list, but we'll come to that. Then you present the fake boarding pass to the TSA officer along with your ID, the problem here is that the TSA officers did not have access to the reservation system so they only validated your boarding passes against your ID. So now it's a fake boarding pass but the name matches with your ID - you're good to go. And when you actually board the plane you discard the fake boarding pass and produce the original boarding pass again which matches the reservation system. And you can fly! So that was in 2003, and like I said, it was the same thing described in 2006 and 2007. Uhm, it got a bit improved since then and we'll get to that. [pause] So this is the letter, I dunno if you can see it but it's, uh, it's easy to Google it up, it's, it's the letter that Mr. Soghoian got, it's a letter making up this fake boarding pass creator. So how does bypassing no-fly list in 2016 Europe? So basically buy tickets under a false name, and then you go to the airport and fly. [laughter] So, not exactly an improvement... [laughter] Uh, why is that? First of all, uhm, there's, there's like two impacting factors, one is that some airlines are more business conscious than the other.
So they actually will check your ID when you are boarding but again it's not the airport thing - it's the airline thing. So why the airline do is protecting their business so we don't buy cheap tickets and then resell them to somebody else. It's only for that reason and it's mostly local airline which will check your IDs. Regular airlines almost never check your IDs in Europe. And the ID checks by the, at the security, uh, checkpoints have been abandoned like two or three years ago. When you are traveling domestically, but not only domestically because of Schengen area, not sure how many of you is gonna know what it is... That's like 26 countries in Europe, it's not the same as European union. It's 26 countries in Europe which agreed to like abandon border checks. So you have increased boarding, uh, border checks around the Schengen area and a lot information exchange in the countries, uhm, on immigration. But there's not check within the area so you can freely roam, you know, you don't need to follow the border checkpoints you can just hike in the mountains or whatever. And one travelling within the Schengen zone and it was officially asked to the, you know, government's why there's no ID controls at the airports, and it's like - there's no reason to do it. The security is provided by physical security screening, fair enough. [pause] Uhm, okay, let's go back a bit. Turns out I didn't need to be reverse engineering this boarding pass. Uh, format, it's you know, it's so public. It's IATA resolution is all public, you can just do, you can go and download it. And, uh, this is the part that is mandatory for the boarding pass. So it's 60 characters and, uh, you get things like firstname, lastname, uh, you get compartment code which is the, the travel class. Can anybody spot a problem here? This is all that is mandatory. Nothing else is mandatory. [pause] So I'm gonna help you here... There's, there's absolutely integrity checks and no authentication provided.
It's just 60 characters and they're as good as you provide them. [pause] Just to be fair, this is the full specification. [audience noise] And there's a bunch optional items and one of them in the bottom is the security part where you can provide something that they call a security certificate which is basically a digital signature for the boarding pass. So it CAN be included but it's optional. We will come back to that. [pause] So, the other way to verify it like I said would be to look up the booking number in the reservation system. So let's see, where is this passengers data stored? Where could it be looked up? Uhm, basically it's stored in something called computer reservation systems which, uhm, store your data in terms of passenger name records which include lots of data including lots of private, private data. Which is not only your, uh, firstname and lastname, physical address, email address but also things like special requests which means whether you need special assistance like a wheel chair or something; whether you have special dietary requirements which could tell you whether you're Muslim, or Jewish or things like that. And, uh, loyalty programs information etc, and uh, also if you provided contacts for your precious ones in case of emergency would also end up there. Uhm... [pause] So this is one of the problems - there's a lot of personal information which is not, you know, allowed to be shared between different parties. The other problem is there's a lot of competing reservation systems out there. It's not like there's a single reservation system for all. So it's not to just go and look up the data by the, uh, PNR, uhm, code and you will pull out whatever you needed. You need to know where to look for it. [cough] And there are a number of global distribution systems which are, like, huge CRSs which are used by multiple airlines - most famous ones are like Sabre, Amadeus, Galileo, Worldspan.
But there's also a lot of proprietary ones which are used by small airlines - they don't pay their fees to, uhm, big systems, they just run their own. And as long as it works for them, it's fine. Basically the only place you need to lookup this information is when you check where you buy your tickets when you check in and when you're boarding the plane. [pause] So why do many airports not have access to this data? Also to make things more confusion and complicated when you make a single reservation it may end up with bits of data scattered around information systems. When I made, when I made the reservation for my flight here I had a couple of flight co-shared with Polish airlines, the airline was United which was using a different reservations system than a lot of Polish airlines, so at least two reservation systems would be involved. And, if I was making that reservation through a travel agency which is using a third reservation system that would be at least three PNR and three reservations systems and, you know, that's kind of confusing. [pause] And data access is not only limited across, you know, different reservation systems but not everybody, like I said, because of privacy issues - everybody has access to the same pieces of information in the system. And yea, notice of a device, uh, the barcode, uh, uhm [ahem]... Will usually have more information that is just in clear print and if you use that information, uhm... You can access reservations, you can access a lot this private data online and you can even make some changes like cancelling tickets or modifying your itinerary. So just don't post anything without making sure anonymized or blurred or something. And, yea, this is just one of the examples, which is kind of ridiculous because like I said anybody can go, if you know which, uh, which CRS system is used by the airline anybody can go to the website.
If you have this PNR look, locator which is also known as booking code or reference, uh, re, reservation number. You put it in and then you put the passenger's name in and you get most of the data. This you can see whether the reservation is there or not. Airports are not allowed to do so. [pause] And, uh, from the reservation system the data is then moved into a couple of other systems. One of them would be departure control system which is basically the system that used after you check in. Uh, to make sure that only the checked-in passengers get on board, it also stores your seat assignments, uh, baggage information etc. Uh, there's also a thing called API - Advanced Passenger Information, not advanced, adverse passenger information which is sent to border agencies of several dozens of countries which require that. So it will let them know who is coming to their country and they can do some pre-screening and tell the airlines, like, this guy needs some additional security before he boards the plane. There's also PNRGOV which is not exactly another system it's just a message exchange format. Uhm to exchange PNR information so the passenger record information with the government agencies - it's not widely used though. Apart from sending an adverse passenger information which, again, has nothing to do with, uhm, looking up information at the airports - it's just for border agencies. And there secure flight program which I will, I will describe in more detail in a moment. [pause] So, okay, to make, to make things easier for me I put up a simple webpage and I hope I will be, you know, able to show it... [pause] Notice, it's all JavaScript so it all works offline and I found a nice, JavaScript libraries for producing Aztec codes... So... [pause] Uhm... [pause] The PNR doesn't matter as I show you... [pause] Uhm... [pause] Whatever... [pause] Uhm... [pause] And there you go! [applause] And uh... wait wait wait... Ahem.
[applause] And I forgot to tell you, the only thing that actually needs to work is the flight number and the date. So the flight number actually gets matched against a list of flights that depart from the airport. Also, yea, the departure airport need to match the, the, departure airport configured with the gate and the, the date need to match. It can be also the next day cause you know, enter the airport and your flight is early in the morning so it can be either two. [pause] Uh... [pause] Okay, so with paper it's just a little bit less fun, like I said this automatic gates help things enormously because you don't even have to deal with humans, right? You don't have to produce anything which is even remotely legitimate-looking. It's just a barcode. But when you need a paper it's no big deal, you just need to have this paper so, uh, you need to edit the PDF, probably, and I already have, you know, a couple of templates for, for the airlines I use. And, uh, by the way Microsoft Word is a great PDF editing tool - really, you can, you can just open the PDF and it will, you know, convert it to Word document and you can do all the editing you need. And just remember that, anyway, although people look at the, people tend to look at the paper they will have to scan the coding, the barcode anyway so it should match the information you have on the paper. [pause] So, now let's get some fun, actually, you know... Just, getting to the airport is not much, so, uhm, so how about accessing lounges? So if contract lounges, there's basically, it's almost too easy, right? Because they no way to access this private information so they have no way to lookup the passenger records. So, you know, they will gladly buy whatever you present. Just a bit of advice - it needs to be based on the travel class, because if you present the gold card you will be asked for the physical, uh, gold card.
Also your data will be written down and actually, uh, even if you have the card but, the, for example, the site has expired or something they actually have a way to look it up online. Uhm, so, there is apparently a system where you can look up the, uh, status card status and if it's valid and so on... [pause] So, a bit trickier should it be with the airline operated lounges, right? Because they... [ahem] They are the airlines, they have access to the passenger data so they should be able to verify the status. [pause] And, uh, there is at least one airline which attempts to do it, it's Scandinavian Airlines, they also have these lounges... they will let you in with automatic gates, so I thought, alright, this is easy and I travelled through Copenhagen very often so it gives you a lot of opportunities for trial and error. [audience noise] Yea, and they actually do, they seem to do, the checks on the reservation system. So, whenever I've tried to, like, fiddle with, like, booking class, uhm, it would, uh, or my status, it would just bounce me with uh... It would always bounce with the same message like "Depart, departure airport is, uh, not, not right" or something like that. So now, every... after it did so five times I figured it must... must be just one message for, you know, all kinds of errors. So, anyway, they do some checking. Except, you know, there's another, there's lot of other airlines which, uh, passengers of which are also eligible to use the lounge. Like, SAS is in Star Alliance, and there's about 15 or 20 other airline which are on Star Alliance. And when you are travelling on another carrier with, within the same alliance and you are traveling on business you can still get into the lounge. And guess what! Not all airlines use the same reservation system. So all you need is to find that flight which is departing, you know, in a reasonable timeframe operated by another carrier.
Hopefully that one uses another reservation system, but, it shouldn't be necessary. And produce a ba... a fake boarding pass for that carrier. And guess what... It worked! [audience noise] That's why I just used Brussels Airlines which is totally different reservation system, I put that information in the boarding pass from that, uh, for the flight and it let me in. [pause] Also, there's some airlines which don't do it properly. Specifically this one, it's, uh, it's the best airline in the world, according to many people. One in Istanbul and it's operated through Turkish Airlines, and I thought like, "This is going to be hard", because it's really, 99% of flights are operated from Turkish - uh, from that airport on Star Alliance. So there are very few flights which are Star Alliance but not Turkish. So what am I going to do? Well let's first try if they will let me in with, you know, just a random Turkish flight data. So... [pause] [audience noise] [cough] And I just looked up, you know, the departure, uh, board. I looked up a random flight from Istanbul to London that week. [pause] I like to use the name of Bartholomew Simpson... [laughter] He was a good prank, prankster... [pause] Yea the date needs to match... [audience noise] [pause] And I need to warn you, I had the camera hidden in plain sight... So. [laughter] [pause] It was hanging from my shoulder bag. [cough] [pause] So this is the automatic gates, no need to talk to the dragon lady. [laughter] [applause] And, by the way, this is the full sized cinema... [audience noise] Inside the lounge... [pause] Yea... and, uh... Yea... [laughter] You don't need to be travelling, like I said. You can do the same to enter the airport, you will still go through security screenings. So they, they will take all your liquids but... [laughter] No need to worries here... [pause] And you know, after Wired, uhm, did an article on this, and they actually published this video I got... lots of requests by the way.
This one is from Israeli lawyer. [laughter] Like, what's wrong with Israeli lawyers, really are they paid so bad that they can't afford lounge access? [laughter] [ahem] One other nice thing is, uh, you have duty free shops at the airports, right? And again, you don't need to be traveling. And in many countries it's not like in the US, you don't get your shield bag in the passenger seat, you get it to go... And, uh, the eligibility for tax-free prices is depend, is, uh, determined whether you are travelling inside the EU or outside the EU. So, if it's inside the EU, it's domestic prices, so, uh, including, and if you're travelling outside EU, uh, you get this tax-free price. And here's the difference... [audience noise] So, uh, to convert it to you it's one liter, I have no idea what it is in the US. [chatter] But it's, uh, about 25 shots... And 20... [laughter] And, uh... [applause] And 25 Zloty is about $7, so I think it's a good deal. [cough] So what do we get, it's, uh, airport taxes so we can meet and greet your loved ones, do some sightseeing, fast-track free lunch and booze, duty-free shopping. [laughter] Okay, let's get to some serious stuff, uh, what can be done to prevent it? And what is actually done to prevent it? So, IATA has a nice section, about 80 pages or so document, they have this half a page section on fraud prevention. Uh, which nicely identifies the risks associated with boarding pa, with BCBP. So it can be modified, it can be forged, it can be duplicated, and pretty much all the mitigation they came up with is - check that the passenger is on the passenger name list; and uh, add a certificate. Like, I already said, by certificate they really mean digital signature. [pause] So, let's see how the digital signature is doing. So it was introduced in 2009 by, uh, version three of the standard, and is based on PKI and one thing about PKI is it needs to be deployed properly, right?
So it we need to distribute the public keys so it will have to be there at every checkpoint, uh, you'll have to maintain the serials, etc. etc. And also many airlines will still use version one which will not support digital signatures. So all the readers also need to support the old version, and, again, this field is optional and this is quote from the document "This is optional and only to be used only when required by the local security, uh, administration." So it's not even encouraged, like, it's only to be used when it's required. [pause] The specific algorithm is determined by the authority, and, uh, this was enforced by TSA to US carriers, but not entirely. For example, when I was travelling here, uh, I had my boarding card produced in Amsterdam and it was printed neatly on United paper but it had no digital signature, how did you counter that? [pause] Uhm, there's another thing that could be used, it's a standard code BCBP XML, this is for transporting data between checkpoints and the airline systems, so again, it's just the data format which is standardized by IATA. And it could be used to check the PNR data against the reservation systems with no privacy, private information getting transferred. So you, you just send whatever you scanned from PNR and the airline would cut up, come up with a 0 or 1, so "good to go" or "not good to go". Possibly with an explanation if it's not good to go, uh, with a reason. The problem again is the complexity, uhm, many airports are serving, like, more than 200 airlines and they would have to connect to each of their reservation systems, right? And if they don't connect to 10 out of 200 you still have a way to produce a fake boarding pass pretty much and if you don't cover 100% you still get a loophole, right? [pause] So, just the complexity of the solution probably is the reason why it doesn't really work. And, I haven't seen it deployed anywhere.
And there's also one thing that TSA seems to be doing right at least starting from, uh, 2013 - so "Secure Flight" is a program that they've implemented in, in 2009, uhm, and the reason for the program was to take over the monitoring of watchlists. So the no-fly lists and the secondary screening lists from the airlines to the TSA authorities. So, instead of relying on airlines, they say like "No, no, no we need this information and we will do the verification", right? Uhm, also part of the secure flight is the TSA pre-check program, uh, into 2011 so you get this nice BCBP, uhm, field specifically for this reason which is called select indicator which tells you whether you are, uh, like, selected for the secondary screening or whether you're eligible for precheck or whether you're just traveling as usual. [pause] And in 2013 TSA started networking their devices, the scanning devices, to put passengers data from this secure flight. But it includes passenger's full name, gender, date of birth, screening status, reservation of their flight itinerary. So it can be verified if it's deployed at all the airports, I'm not sure about that. It can be verified at the screening checkpoint, and if it doesn't match exactly, you know, they have like a nice list of suggestions, like "This, this passenger's name is close enough", you know, "Maybe it's one of these..." so technically they have a way to do it now. Again, whether it's deployed properly and how many airport support it I'm not sure. It just started in 2013 and generally it's, it's the correct way to do it, probably. [pause] And, okay, why is DefCon awesome I felt I had my presentation all fixed and done and then I think it was like Tuesday or Wednesday I get contacted by, uhm, Kyle Kosher saying, like, I saw your talk on the agenda and, uh, here's something that I got from eBay and maybe you want to play with that. And the something was... [mic contact] [groaning] This beauty...
[laughter] [cheering] [applause] [mic contact] So it's a device you're normally not allowed to buy. [laughter] [ahem] I think... [chuckles] So this information is on the public website so we've got, you know, this level of specification, but, uh, it would only be sold by limited number of parties. And, this, this is offer is no longer available on eBay, unfortunately. It was I think 160 dollars. [chatter] Not a big deal. So I had like two days to play with it and I exchanged couple of messages with Kyle and uhm... [pause] Here's how it works. [pause] So you see the booting... [pause] You'll see airport is dash dash dash... and because departure airport is not configured. So it's, you know, we have some constraints. [pause] So let's try scanning any random boarding pass... So, you know, when you go with the, any random old boarding pass likely the departure airport is not dash dash dash, it's something else. And the date is probably not the same as on the boarding pass, uh, on the scanner, sorry. But it will have a valid signature, let's see what it does. [pause] [beep noise] [machine working] So it says "invalid departure location, refer to counter". So it did not complain about the signature but about the departure airport. So, okay, let's fix that departure airport. [pause] Agh! Damnit... [machine working] Sorry again... [ahem] [pause] This time with audio... [pause] [beep noise] [pause] [audience noise] [pause] [machine working] [click sound] [beep noise] [beep noise] [beep noise] So, three beeps, not good to go. Red light. But all it says is "invalid departure location..." [pause] [machine working] So now you see, using my mobile phone, my, you know... [beep noise] [beep noise] [beep noise] Okay! So now the, the departure location was okay, date was okay but the signature was invalid. [pause] And it says "Refer to superior". Wow... [laughter] [machine working] [click noise] So...
[beep noise] [laughter] [applause] [sniff] [applause] So, I dunno if you noticed but it actually said that, that, yea... That the sig is not there so it should go for, for some manual checking. The problem I see here is it still gives you a green light and uh, you know, one beep. So depending, you know, on how, uh, vigilant, you know, the, the TSA agent is and how much noise to radio he has, he has, you know, a good chance missing this. [machine working] [tick sound] [pause] So, yea let's try modifying this select the indicator. [machine working] [click noise] [beep noise] [beep noise] [beep noise] So, three beeps, green light and you see the "LLL". So you're eligible for precheck. [pause] Or, if you fancy you can actually... [laughter] Go for secondary screening... [laughter] [machine working] [click noise] [beep noise] [audience noise] Yea, "SSS"... [pause] [sniff] Okay, so, uh, airport access is confirmed, fast track is confirmed, free lunch and booze is confirmed, duty-free shopping is confirmed, pre-check - I'm not sure, right? Nice idea to play with if you have balls. [laughter] Uhm... so, now for responsible disclosure, right? Actually went out and I tried to talk about this problem to several authorities and airports and airlines because it's their problem eventually. And, this is what I, uh, what came back. So first I contacted LOT Polish Airlines. [laughter] They say like, "We just, we just issue boarding passes and it's the airport that verifies it." So I went to, uh, the airports and in these two cases I was lucky because I actually has, you know, known people on the management board, at the management board level and I was able to talk to them in person and I... And uh, airport authorities said like "Yea, it's a known issues but it's not really a problem", well, you know, "You're following all the laws and guidelines, that's fine." Then the Civil Aviation Authority, like, they, it took them three or four months to reply.
They said, all they had to say was like, "Boarding pass forgery is a crime, don't do it". [laughter] So, okay. According to my lawyer, not exactly my lawyer, but a lawyer I know... [ahem] [laughter] Is a, if you want to have a legitimate document you need to have a way to verify it. It's not a document if you cannot verify it. It doesn't, you know, bear any signature at all. They said like, it's it's not the exact wording that they used but it was pretty much the message, right... [laughter] And, uhm... this is also what I got from Turkish Airlines and SAS, so I, you know, I... [laughter] Uh... no comment here. And the question you might have - will it actually get me flying? [pause] And I, the short answer would be no... [audience noise] There would be very rare circumstances where you would be able to get on the plane but you'd be likely spotted before it even departs. And it would get you into a lot of trouble. [audience noise] So, I don't recommend doing that. [pause] But, you can still, you can still have a nice souvenir, and that's a, a kind of a bonus. So one of the airports in Europe, and I will not name them because they actually have, the, they've communicated very openly with me and they said like "Why... what it is?" they confirmed this because privacy. Uh, they decided to have like loyalty program for the passenger which makes sense because the airport collects fees on every departing passengers. So they want to encourage traffic. So they have this, you know, a list of gadgets that you can get for a certain number of points. And the points you get for every departing flight and to register at departing flight you need to scan your loyalty card and your boarding pass. [laughter] [applause] Right? What can go wrong, right? [laughter] So... here's a simple equation. [chuckles] [laughter] So, I really liked the blanket in the middle it would cost me 600 points which is 6 flights and you see 5 QR codes because, uh, you know, I had one, uh, legit flight. 
[laughter] I was like, you know, it was, and the funny thing is that, it was, you know, I, I even made it look legit... sort of legit cause I produced the QR codes of the flights, like, over the next, over the next two days. And, uh, it could really fit into a story like "I was flying to Edinburgh and then going in three hours..." and you know I could make it. [laughter] So to wrap it up - it's the priva, privacy and complexity of the system which is preventing this exchange of data, and, uh, you know. Most important part was, while US did a reasonably good job preventing that, uhm, other places actually lowered the bar for us. Especially within introducing the, uh, uhm, the automatic gates. So here are the sources and the, the, don't worry because, uh, this is only for the slides. And most of that will also be on the conference DVD, so thank you. I don't think we have time for questions but, I hope you liked it. [applause]
Info
Channel: DEFCONConference
Views: 12,587
Rating: 4.9480519 out of 5
Keywords: DEF CON, DEFCON, Hacking, Hacker Conference, Computer Security, Security Research, Defcon 24, DEF CON 24, DC-24, DC24, Lockpicking, Hardware hacking, Przemek jaroszewski, boarding passes
Id: qnq0UfOUTlM
Length: 45min 21sec (2721 seconds)
Published: Sun Nov 13 2016