>>So, good morning everyone. >>
Morning. >> Hope you're enjoying DefCon so far. >> Yes... >>
Wooooh! [cheering] Happy to see so many people so early in the
morning on the last day. So, hope I won't get you asleep.
Uhm, let's start with it, okay, so, aha, uh, bit of an
introduction. I am the head of the national Polish CSIRT, that
is the Computer Security Incident Response Team. Uhm,
that's my job but this research is not related to the job in any
way. So, just a disclaimer, that's my research and, uh, not
necessarily all opinions are shared by my employer. Uhm, my
background is a programmer... [cough] But that was a long time
ago, I eventually got a degree in social psychology, that's not
social engineering - that's related [audience noise] But I
don't think that they give degrees in social engineering
yet. [pause] And, uh, I have 15 years of experience in IT
security and I also love everything about, you know,
flying and aviation. I... I almost became an air-traffic
controller trainee at some moment. [pause] And I love to
learn how system works, how systems works, you know, how
the... how everything is going on in the background. So also
because I've, uh, tend to fly a lot - both privately and,
because of my employer I enjoy some benefits, uh for frequent
flyers. And I have some kind of disregard for "Frequent Flyer
Miles", they have any real value to me anymore but I still enjoy
the privileges like lounge access, or fast track access, so
they really save you time and give you some comfort at the
airports. [pause] Except when somebody tries to fix that
problem... and the problem doesn't really exist. So about a
year ago, my home airport in Warsaw introduced these
automatic self-serve gates. [audience noise] That was
supposed to speed things up because instead of, you know,
waving your boarding pass in front of a person, have them
scanning it... you just, uh, use a scanner and the gates let you
in. Uhm, the only problem was with the fast track it didn't
read my status properly. So, it would let in all the "business
class" passengers but I tend to travel on "economy", and I only
get the fast track access because I have this gold status.
So it wouldn't read that status properly and I had to go up to
the guy anyway, show him my boarding pass, make him come to
the gate, scan my boarding pass like two or three times like,
you know, it's kind of counterproductive. You know, it
wastes like 30 seconds of my precious time and the guy
probably has better things to do. So I.. let's see if I can
fix things. [pause] Uhm, so let's rewind a little bit, what
are we talking about? As you probably noticed for the past 10
years or so... uhm, you get this little barcode on your boarding
pass, whether it's mobile, on paper, you still get a [cough]
nice 2D boarding, uh, nice 2D, uhm, barcode on your boarding
pass. [pause] And that was introduced in 2005 by IATA which
is International Air Traffic Association, if I, get it
properly resolution. I've got 792, uh, it introduces something
called board, uh, barcoded boarding pass standard. Which is
adapted by all airlines, airports, anyone who deals with
boarding passes have to obey to that standard. [pause] And,
uhm... [pause] And so you get four different kinds of, uhm,
barcodes which can be used when you have you will, it must
always be PDF417 which is the nice rectangle one, the wide
one; if it's on mobile it has to be the square one, so QR code
which you probably know about. And the Aztec and Matrix Data
which, we have examples of down here. [pause] So, you know... I
get on Google Play search looking for barcode scanners to
make my life easier. And, funnily enough you get, like,
dozens of them. The, the tool in the middle the barcode scanner
by, uh, GeeksLab and Manatee would become my two favorites,
but you get a wide choice. [pause] So, there are freely
available tools you can see what's inside and you can pretty
much code the boarding pax, boarding pass looks like when
it's encoded in BCBP. So it's just bunch of characters. And
sort of by trial and error and I started figuring out, okay, if
it doesn't read the, uh, my frequent flyer status properly -
so probably I need to adjust booking class, right? I need to
say, I, I'm in business and if that's what it reads let's see
if it will let me...[audience noise] So the other tool I would
need is a boarding pass generator and funnily enough
there is also a bunch of them, uhm, uh, on Google Play store
and I'm pretty sure on Apple store as well. So, like I said,
first by trial and error I figured out that this would be
the travel class character. If you fly a little bit, you kind
of get used to this letters so "M" would be for economy or "Y"
would be for economy; "C" would be for business, things like
that, things like that. Uhm, and also, you can pretty clearly see
something's standing out like firstname, lastname, uhm, origin
airport, departure airport, uhm, sorry, departure airport,
destination airport; flight number, so some things you can
make out just by looking at the, uh, the clear text characters.
So, let's see if I switch this little character to "C", and,
uhm, seriously it, it worked. It will let me in, so fine, I saved
you know, 30 seconds about, uh, of my time every time I
travelled through the fast track. So it's free fast track
for all travellers, neat, but, you know, what else can we get?
You know, if this is not verified, what else is not
verified? What else can I play with? And, you know, I started
changing different things, like firstname, lastname. Funnily
enough - let's you in! [pause] So, then I was like, there's one
thing that can be verified easily - it's the booking code,
right? Because that can be looked up in the reservation
system and maybe that could be matched to your boarding pass
and... well they could at least know whether you're travelling
or not, you know, whether somebody's just making up
things. So let's go ahead and change this... it would also let
me in! So now I got, getting really confused. So what we are
getting here is our airport access for all pretty much.
Right? And just a bit of explanation, that was in Warsaw,
I tested it in a number of different airports - in the US
it would work a bit differently which I will come back to in a
minute. [cough] But this works in a lot of airports, it's not,
it's not something specific to Warsaw or, you know, just one or
two airports. And we will come back to why that is. So it's not
just fast track access, it's, you know, airport access for
all. [audience noise] And, yea, like, notice like millions of
travellers per day, like how come nobody noticed it? That,
uh, somebody had to figure this out already... And, yea, this is
not entirely news. So, back in 2003 Bruce Schneier already
noticed when, uhm, when the concept of print your own
boarding pass was introduced, even before the bar coded
boarding pass was there that you can spoof a boarding pass and
the... with this you could also circumvent the "no-fly list"
checks in the US. [pause] That was 2003, until 2007 this was
not fixed in any way and, uh, November 2006, Chris Soghoian,
uhm, put up a webpage where anybody could produce a fake, I
think, it was Southwest, boarding pass and he got into a
looooot of trouble for that. [laughter] So, you got FB, much
FBI raided his home, you know, he got a nice letter from TSA
saying like "You are violating these and these laws, don't do
it. Please". [coughing] [laughter] Uhm, there's also two
articles from 2008 and, uh, 2011 which worked conjointly with
Bruce Schneier. Uhm, they also touch a bit on physical security
- I totally recommend going and reading them - it's very
entertaining. In 2012, uh, John Butler also wrote an article on
how you could possibly, uhm, uh, figure out whether you are, uhm,
pre-check eligible or make yourself precheck eligible. Uh,
most, most of the technical stuff she got wrong in the
article, but anyway the idea was kind of cool. And, you know, he
made some things right at least. So how did the fly-list bypass
work back in 2003? So you would have to buy tickets under a
false name because when you are buying the tickets your name,
you know, matched against the no-fly list. Uhm, then you print
your boarding pass at home, so this is one point where things
get checked. So your name against the no-fly list, then
you create a copy of the boarding pass, and, uh, put your
real name on it, which is on the no-fly list, but we'll come to
that. Then you present the fake boarding pass to the TSA officer
along with your ID, the problem here is that the TSA officers
did not have access to the reservation system so they only
validated your boarding passes against your ID. So now it's a
fake boarding pass but the name matches with your ID - you're
good to go. And when you actually board the plane you
discard the fake boarding pass and produce the original
boarding pass again which matches the reservation system.
And you can fly! So that was in 2003, and like I said, it was
the same thing described in 2006 and 2007. Uhm, it got a bit
improved since then and we'll get to that. [pause] So this is
the letter, I dunno if you can see it but it's, uh, it's easy
to Google it up, it's, it's the letter that Mr. Soghoian got,
it's a letter making up this fake boarding pass creator. So
how does bypassing no-fly list in 2016 Europe? So basically buy
tickets under a false name, and then you go to the airport and
fly. [laughter] So, not exactly an improvement... [laughter] Uh,
why is that? First of all, uhm, there's, there's like two
impacting factors, one is that some airlines are more business
conscious than the other. So they actually will check your ID
when you are boarding but again it's not the airport thing -
it's the airline thing. So why the airline do is protecting
their business so we don't buy cheap tickets and then resell
them to somebody else. It's only for that reason and it's mostly
local airline which will check your IDs. Regular airlines
almost never check your IDs in Europe. And the ID checks by
the, at the security, uh, checkpoints have been abandoned
like two or three years ago. When you are traveling
domestically, but not only domestically because of Schengen
area, not sure how many of you is gonna know what it is...
That's like 26 countries in Europe, it's not the same as
European union. It's 26 countries in Europe which agreed
to like abandon border checks. So you have increased boarding,
uh, border checks around the Schengen area and a lot
information exchange in the countries, uhm, on immigration.
But there's not check within the area so you can freely roam, you
know, you don't need to follow the border checkpoints you can
just hike in the mountains or whatever. And one travelling
within the Schengen zone and it was officially asked to the, you
know, government's why there's no ID controls at the airports,
and it's like - there's no reason to do it. The security is
provided by physical security screening, fair enough. [pause]
Uhm, okay, let's go back a bit. Turns out I didn't need to be
reverse engineering this boarding pass. Uh, format, it's
you know, it's so public. It's IATA resolution is all public,
you can just do, you can go and download it. And, uh, this is
the part that is mandatory for the boarding pass. So it's 60
characters and, uh, you get things like firstname, lastname,
uh, you get compartment code which is the, the travel class.
Can anybody spot a problem here? This is all that is mandatory.
Nothing else is mandatory. [pause] So I'm gonna help you
here... There's, there's absolutely no integrity checks and
no authentication provided. It's just 60 characters and they're
as good as you provide them. [pause] Just to be fair, this is
the full specification. [audience noise] And there's a
bunch optional items and one of them in the bottom is the
security part where you can provide something that they call
a security certificate which is basically a digital signature
for the boarding pass. So it CAN be included but it's optional.
We will come back to that. [pause] So, the other way to
verify it like I said would be to look up the booking number in
the reservation system. So let's see, where is this passengers
data stored? Where could it be looked up? Uhm, basically it's
stored in something called computer reservation systems
which, uhm, store your data in terms of passenger name records
which include lots of data including lots of private,
private data. Which is not only your, uh, firstname and
lastname, physical address, email address but also things
like special requests which means whether you need special
assistance like a wheel chair or something; whether you have
special dietary requirements which could tell you whether
you're Muslim, or Jewish or things like that. And, uh,
loyalty programs information etc, and uh, also if you
provided contacts for your precious ones in case of
emergency would also end up there. Uhm... [pause] So this is
one of the problems - there's a lot of personal information
which is not, you know, allowed to be shared between different
parties. The other problem is there's a lot of competing
reservation systems out there. It's not like there's a single
reservation system for all. So it's not to just go and look up
the data by the, uh, PNR, uhm, code and you will pull out
whatever you needed. You need to know where to look for it.
[cough] And there are a number of global distribution systems
which are, like, huge CRSs which are used by multiple airlines -
most famous ones are like Sabre, Amadeus, Galileo, Worldspan. But
there's also a lot of proprietary ones which are used
by small airlines - they don't pay their fees to, uhm, big
systems, they just run their own. And as long as it works for
them, it's fine. Basically the only place you need to lookup
this information is when you check where you buy your tickets
when you check in and when you're boarding the plane.
[pause] So why do many airports not have access to this data?
Also to make things more confusion and complicated when
you make a single reservation it may end up with bits of data
scattered around information systems. When I made, when I
made the reservation for my flight here I had a couple of
flight co-shared with Polish airlines, the airline was United
which was using a different reservations system than a lot
of Polish airlines, so at least two reservation systems would be
involved. And, if I was making that reservation through a
travel agency which is using a third reservation system that
would be at least three PNR and three reservations systems and,
you know, that's kind of confusing. [pause] And data
access is not only limited across, you know, different
reservation systems but not everybody, like I said, because
of privacy issues - everybody has access to the same pieces of
information in the system. And yea, notice of a device, uh, the
barcode, uh, uhm [ahem]... Will usually have more information
that is just in clear print and if you use that information,
uhm... You can access reservations, you can access a
lot this private data online and you can even make some changes
like cancelling tickets or modifying your itinerary. So
just don't post anything without making sure anonymized or
blurred or something. And, yea, this is just one of the
examples, which is kind of ridiculous because like I said
anybody can go, if you know which, uh, which CRS system is
used by the airline anybody can go to the website. If you have
this PNR look, locator which is also known as booking code or
reference, uh, re, reservation number. You put it in and then
you put the passenger's name in and you get most of the data.
This you can see whether the reservation is there or not.
Airports are not allowed to do so. [pause] And, uh, from the
reservation system the data is then moved into a couple of
other systems. One of them would be departure control system
which is basically the system that used after you check in.
Uh, to make sure that only the checked-in passengers get on
board, it also stores your seat assignments, uh, baggage
information etc. Uh, there's also a thing called API
-Advanced Passenger Information, not advanced, adverse passenger
information which is sent to border agencies of several
dozens of countries which require that. So it will let
them know who is coming to their country and they can do some
pre-screening and tell the airlines, like, this guy needs
some additional security before he boards the plane. There's
also PNRGOV which is not exactly another system it's just a
message exchange format. Uhm to exchange PNR information so the
passenger record information with the government agencies -
it's not widely used though. Apart from sending an adverse
passenger information which, again, has nothing to do with,
uhm, looking up information at the airports - it's just for
border agencies. And there's secure flight program which I
will, I will describe in more detail in a moment. [pause] So,
okay, to make, to make things easier for me I put up a simple
webpage and I hope I will be, you know, able to show it...
[pause] Notice, it's all javascript so it all works
offline and I found a nice, javascript libraries for
producing Aztec codes.. So... [pause] Uhm... [pause] The PNR
doesn't matter as I show you... [pause] Uhm... [pause]
Whatever... [pause] Uhm... [pause] And there you go!
[applause] And uh... wait wait wait... Ahem. [applause] And I
forgot to tell you, the only thing that actually needs to
work is the flight number and the date. So the flight number
actually gets matched against a list of flights that depart from
the airport. Also, yea, the departure airport need to match
the, the, departure airport configured with the gate and
the, the date need to match. It can be also the next day cause
you know, enter the airport and your flight is early in the
morning so it can be either two. [pause] Uh... [pause] Okay, so
with paper it's just a little bit less fun, like I said this
automatic gates help things enormously because you don't
even have to deal with humans, right? You don't have to produce
anything which is even remotely legitimate-looking. It's just a
barcode. But when you need a paper it's no big deal, you just
need to have this paper so, uh, you need to edit the pdf,
probably, and I already have, you know, a couple of templates
for, for the airlines I use. And, uh, by the way Microsoft
Word is a great pdf editing tool - really, you can, you can just
open the pdf and it will, you know, convert it to Word
document and you can do all the editing you need. And just
remember that, anyway, although people look at the, people tend
to look at the paper they will have to scan the coding, the
barcode anyway so it should match the information you have
on the paper. [pause] So, now let's get some fun, actually,
you know... Just, getting to the airport is not much, so, uhm, so
how about accessing lounges? So if contract lounges, there's
basically, it's almost too easy, right? Because they have no way to
access this private information so they have no way to lookup
the passenger records. So, you know, they will gladly buy
whatever you present. Just a bit of advice - it needs to be based
on the travel class, because if you present the gold card you
will be asked for the physical, uh, gold card. Also your data
will be written down and actually, uh, even if you have
the card but, the, for example, the site has expired or
something they actually have a way to look it up online. Uhm,
so, there is apparently a system where you can look up the, uh,
status card status and if it's valid and so on... [pause] So, a
bit trickier should it be with the airline operated lounges,
right? Because they... [ahem] They are the airlines, they have
access to the passenger data so they should be able to verify
the status. [pause] And, uh, there is at least one airline
which attempts to do it, it's Scandinavian Airlines, they also
have these lounges... they will let you in with automatic gates,
so I thought, alright, this is easy and I travelled through
Copenhagen very often so it gives you a lot of opportunities
for trial and error. [audience noise] Yea, and they actually
do, they seem to do, the checks on the reservation system. So,
whenever I've tried to, like, fiddle with, like, booking
class, uhm, it would, uh, or my status, it would just bounce me
with uh... It would always bounce with the same message
like "Depart, departure airport is, uh, not, not right" or
something like that. So now, every... after it did so five
times I figured it must... must be just one message for, you
know, all kinds of errors. So, anyway, they do some checking.
Except, you know, there's another, there's lot of other
airlines which, uh, passengers of which are also eligible to
use the lounge. Like, SAS is in Star Alliance, and there's about
15 or 20 other airline which are on Star Alliance. And when you
are travelling on another carrier with, within the same
alliance and you are traveling on business you can still get
into the lounge. And guess what! Not all airlines use the same
reservation system. So all you need is to find that flight
which is departing, you know, in a reasonable timeframe operated
by another carrier. Hopefully that one uses another
reservation system, but, it shouldn't be necessary. And
produce a ba... a fake boarding pass for that carrier. And guess
what... It worked! [audience noise] That's why I just used
Brussels Airlines which is totally different reservation
system, I put that information in the boarding pass from that,
uh, for the flight and it let me in. [pause] Also, there's some
airlines which don't do it properly. Specifically this one,
it's, uh, it's the best airline in the world, according to many
people. One in Istanbul and it's operated through Turkish
airlines, and I thought like, "This is going to be hard",
because it's really, 99% of flights are operated from
Turkish - uh, from that airport on Star Alliance. So there are
very few flights which are Star Alliance but not Turkish. So
what am I going to do? Well let's first try if they will let
me in with, you know, just a random Turkish flight data.
So... [pause] [audience noise] [cough] And I just looked up,
you know, the departure, uh, board. I looked up a random
flight from Istanbul to London that week. [pause] I like to use
the name of Bartholomew Simpson... [laughter] He was a
good prank, prankster... [pause] Yea the date needs to match...
[audience noise] [pause] And I need to warn you, I had the
camera hidden in plain sight... So. [laughter] [pause] It was
hanging from my shoulder bag. [cough] [pause] So this is the
automatic gates, no need to talk to the dragon lady. [laughter]
[applause] And, by the way, this is the full sized cinema...
[audience noise] Inside the lounge... [pause] Yea... and,
uh... Yea... [laughter] You don't need to be travelling,
like I said. You can do the same to enter the airport, you will
still go through security screenings. So they, they will
take all your liquids but... [laughter] No need to worries
here... [pause] And you know, after Wired, uhm, did an article
on this, and they actually published this video I got...
lots of requests by the way. This one is from Israeli lawyer.
[laughter] Like, what's wrong with Israeli lawyers, really are
they paid so bad that they can't afford lounge access? [laughter]
[ahem] One other nice thing is, uh, you have duty free shops at
the airports, right? And again, you don't need to be traveling.
And in many countries it's not like in the US, you don't get
your shield bag in the passenger seat, you get it to go... And,
uh, the eligibility for tax-free prices is depend, is, uh,
determined whether you are travelling inside the EU or
outside the EU. So, if it's inside the EU, it's domestic
prices, so, uh, including, and if you're travelling outside EU,
uh, you get this tax-free price. And here's the difference...
[audience noise] So, uh, to convert it to you it's one
liter, I have no idea what it is in the US. [chatter] But it's,
uh, about 25 shots... And 20... [laughter] And, uh... [applause]
And 25 Zloty is about $7, so I think it's a good deal. [cough]
So what do we get, it's, uh, airport taxes so we can meet and
greet your loved ones, do some sightseeing, fast-track free
lunch and booze, duty-free shopping. [laughter] Okay, let's
get to some serious stuff, uh, what can be done to prevent it?
And what is actually done to prevent it? So, IATA has a nice
section, about 80 pages or so document, they have this half a
page section on fraud prevention. Uh, which nicely
identifies the risks associated with boarding pa, with BCBP. So
it can be modified, it can be forged, it can be duplicated,
and pretty much all the mitigation they came up with is
- check that the passenger is on the passenger name list; and uh,
add a certificate. Like, I already said, by certificate
they really mean digital signature. [pause] So, let's see
how the digital signature is doing. So it was introduced in
2009 by, uh, version three of the standard, and is based on
PKI and one thing about PKI is it needs to be deployed
properly, right? So we need to distribute the public keys so
it will have to be there at every checkpoint, uh, you'll
have to maintain the serials, etc. etc. And also many airlines
will still use version one which will not support digital
signatures. So all the readers also need to support the old
version, and, again, this field is optional and this is quote
from the document "This is optional and only to be used
only when required by the local security, uh, administration."
So it's not even encouraged, like, it's only to be used when
it's required. [pause] The specific algorithm is determined
by the authority, and, uh, this was enforced by TSA to US
carriers, but not entirely. For example, when I was travelling
here, uh, I had my boarding card produced in Amsterdam and it was
printed neatly on United paper but it had no digital signature,
how did you counter that? [pause] Uhm, there's another
thing that could be used, it's a standard code BCBP XML, this is
for transporting data between checkpoints and the airline
systems, so again, it's just the data format which is
standardized by IATA. And it could be used to check the PNR
data against the reservation systems with no privacy, private
information getting transferred. So you, you just send whatever
you scanned from PNR and the airline would cut up, come up
with a 0 or 1, so "good to go" or "not good to go". Possibly
with an explanation if it's not good to go, uh, with a reason.
The problem again is the complexity, uhm, many airports
are serving, like, more than 200 airlines and they would have to
connect to each of their reservation systems, right? And
if they don't connect to 10 out of 200 you still have a way to
produce a fake boarding pass pretty much and if you don't
cover 100% you still get a loophole, right? [pause] So,
just the complexity of the solution probably is the reason
why it doesn't really work. And, I haven't seen it deployed
anywhere. And there's also one thing that TSA seems to be doing
right at least starting from, uh, 2013 - so "Secure Flight" is
a program that they've implemented in, in 2009, uhm,
and the reason for the program was to take over the monitoring
of watchlists. So the no-fly lists and the secondary
screening lists from the airlines to the TSA authorities.
So, instead of relying on airlines, they say like "No, no,
no we need this information and we will do the verification",
right? Uhm, also part of the secure flight is the TSA
pre-check program, uh, into 2011 so you get this nice BCBP, uhm,
field specifically for this reason which is called select
indicator which tells you whether you are, uh, like,
selected for the secondary screening or whether you're
eligible for precheck or whether you're just traveling as usual.
[pause] And in 2013 TSA started networking their devices, the
scanning devices, to put passengers data from this secure
flight. But it includes passenger's full name, gender,
date of birth, screening status, reservation of their flight
itinerary. So it can be verified if it's deployed at all the
airports, I'm not sure about that. It can be verified at the
screening checkpoint, and if it doesn't match exactly, you know,
they have like a nice list of suggestions, like "This, this
passenger's name is close enough", you know, "Maybe it's
one of these..." so technically they have a way to do it now.
Again, whether it's deployed properly and how many airport
support it I'm not sure. It just started in 2013 and generally
it's, it's the correct way to do it, probably. [pause] And, okay,
why is DefCon awesome I felt I had my presentation all fixed
and done and then I think it was like Tuesday or Wednesday I get
contacted by, uhm, Kyle Kosher saying, like, I saw your talk
on the agenda and, uh, here's something that I got from Ebay
and maybe you want to play with that. And the something
was..[mic contact][groaning] This beauty... [laughter]
[cheering] [applause] [mic contact] So it's a device you're
normally not allowed to buy. [laughter] [ahem] I think...
[chuckles] So this information is on the public website so
we've got, you know, this level of specification, but, uh, it
would only be sold by limited number of parties. And, this,
this offer is no longer available on Ebay,
unfortunately. It was I think 160 Dollars. [chatter] Not a big
deal. So I had like two days to play with it and I exchanged
couple of messages with Kyle and uhm... [pause] Here's how it
works. [pause] So you see the booting... [pause] You'll see
airport is dash dash dash... and because departure airport is not
configured. So it's, you know, we have some constraints.
[pause] So let's try scanning any random boarding pass... So,
you know, when you go with the, any random old boarding pass
likely the departure airport is not dash dash dash, it's
something else. And the date is probably not the same as on the
boarding pass, uh, on the scanner, sorry. But it will have
a valid signature, let's see what it does. [pause] [beep
noise] [machine working] So it says "invalid departure
location, refer to counter". So it did not complain about the
signature but about the departure airport. So, okay,
let's fix that departure airport. [pause] Agh! Damnit...
[machine working] Sorry again... [ahem] [pause] This time with
audio... [pause] [beep noise] [pause] [audience noise] [pause]
[machine working] [click sound] [beep noise] [beep noise] [beep
noise] So, three beeps, not good to go. Red light. But all it
says is "invalid departure location..." [pause] [machine
working] So now you see, using my mobile phone, my, you know...
[beep noise] [beep noise] [beep noise] Okay! So now the, the
departure location was okay, date was okay but the signature
was invalid. [pause] And it says "Refer to superior". Wow...
[laughter] [machine working] [click noise] So... [beep noise]
[laughter] [applause] [sniff] [applause] So, I dunno if you
noticed but it actually said that, that, yea... That the sig
is not there so it should go for, for some manual checking.
The problem I see here is it still gives you a green light
and uh, you know, one beep. So depending, you know, on how, uh,
vigilant, you know, the, the TSA agent is and how much noise to
radio he has, he has, you know, a good chance missing this.
[machine working] [tick sound] [pause] So, yea let's try
modifying this select the indicator. [machine working]
[click noise] [beep noise] [beep noise] [beep noise] So, three
beeps, green light and you see the "LLL". So you're eligible
for precheck. [pause] Or, if you fancy you can actually...
[laughter] Go for secondary screening... [laughter] [machine
working] [click noise] [beep noise] [audience noise] Yea,
"SSS"... [pause] [sniff] Okay, so, uh, airport access is
confirmed, fast track is confirmed, free lunch and booze
is confirmed, duty-free shopping is confirmed, pre-check - I'm
not sure, right? Nice idea to play with if you have balls.
[laughter] Uhm... so, now for responsible disclosure, right?
Actually went out and I tried to talk about this problem to
several authorities and airports and airlines because it's their
problem eventually. And, this is what I, uh, what came back. So
first I contacted LOT Polish Airlines. [laughter] They say
like, "We just, we just issue boarding passes and it's the
airport that verifies it." So I went to, uh, the airports and in
these two cases I was lucky because I actually had, you
know, known people on the management board, at the
management board level and I was able to talk to them in person
and I... And uh, airport authorities said like "Yea, it's
a known issues but it's not really a problem", well, you
know, "You're following all the laws and guidelines, that's
fine." Then the Civil Aviation Authority, like, they, it took
them three or four months to reply. They said, all they had to
say was like, "Boarding pass forgery is a crime, don't do
it". [laughter] So, okay. According to my lawyer, not
exactly my lawyer, but a lawyer I know... [ahem] [laughter] Is
a, if you want to have a legitimate document you need to
have a way to verify it. It's not a document if you can not
verify it. It doesn't, you know, bear any signature at all. They
said like, it's it's not the exact wording that they used but
it was pretty much the message, right... [laughter] And, uhm...
this is also what I got from Turkish Airlines and SAS, so I,
you know, I... [laughter] Uh.... no comment here. And the
question you might have - will it actually get me flying?
[pause] And I, the short answer would be no... [audience noise]
There would be very rare circumstances where you would be
able to get on the plane but you'd be likely spotted before
it even departs. And it would get you into a lot of trouble.
[audience noise] So, I don't recommend doing that. [pause]
But, you can still, you can still have a nice souvenir, and
that's a, a kind of a bonus. So one of the airports in Europe,
and I will not name them because they actually have, the, they've
communicated very openly with me and they said like "Why... what
it is?" they confirmed this because privacy. Uh, they
decided to have like loyalty program for the passenger which
makes sense because the airport collects fees on every departing
passengers. So they want to encourage traffic. So they have
this, you know, a list of gadgets that you can get for a
certain number of points. And the points you get for every
departing flight and to register at departing flight you need to
scan your loyalty card and your boarding pass. [laughter]
[applause] Right? What can go wrong, right? [laughter] So...
here's a simple equation. [chuckles] [laughter] So, I
really liked the blanket in the middle it would cost me 600
points which is 6 flights and you see 5 QR codes because, uh,
you know, I had one, uh, legit flight. [laughter] I was like,
you know, it was, and the funny thing is that, it was, you know,
I, I even made it look legit... sort of legit cause I produced
the QR codes of the flights, like, over the next, over the
next two days. And, uh, it could really fit into a story like "I
was flying to Edinburgh and then going in three hours..." and you
know I could make it. [laughter] So to wrap it up - it's the
priva, privacy and complexity of the system which is preventing
this exchange of data, and, uh, you know. Most important part
was, while US did a reasonably good job preventing that, uhm,
other places actually lowered the bar for us. Especially
within introducing the, uh, uhm, the automatic gates. So
here are the sources and the, the, don't worry because, uh,
this is only for the slides. And most of that will also be on the
conference DVD, so thank you. I don't think we have time for
questions but, I hope you liked it. [applause]