Flight Risk: How Amateur Hackers are Accessing Your Booking Information

Media Division | January 4, 2017

Even in our heavily technology reliant society, cyber security is unfortunately still lacking in many different industries.  A large factor in this is that many of these industries are still using very outdated systems that can be extremely easy to exploit.  Since cyber attackers learn to adapt with new technologies and stronger security, older systems tend to be quite simple to breach.

This exploitation of older technology has been shown to exist within the realm of airlines, namely in the booking of flights.  The flight booking technology is such an archaic system that, according to cyber experts in Germany, the hacking of these systems can be done by anyone with basic computer skills.  Online flight booking security relies prominently upon a six digit code consisting of capital letters and numbers.  This very basic code makes it an easy target to crack.

German researcher Karsten Nohl, who is the founder and head of SR Labs in Berlin, demonstrated to broadcaster WDR and the Sueddeutsche Zeitung newspaper that through the use of a computer program, this code can be cracked within minutes.  According to data from SR Labs, travel bookings from all across the world are maintained and managed in only a few systems called Global Distributed Systems (GDS).  The three largest of these being Amadeus, Travelport, and Sabre, and these three alone administer more than 90% of flight bookings.  They also administer hotel, car, and other types of travel bookings also.  A large part of the issue is that these most prominent GDS’s are employing archaic technology.  SR Labs states, “Today’s GDSs go back to the 70s and 80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices.”

SR Labs writes on their website, “Traveler information is also at risk to online hacking because authenticators are brute-forcible. The way 6-digit booking codes are chosen makes them weaker than a 5-digit password (<28.5 bits), which would be considered insecure for most applications. Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their bookings codes can be found over the Internet with little effort.”

Consequences of Breached Booking Information

There can be several different ways that booking information can be used once it is breached.  Obtainment of personal information is the first obvious danger of this, as booking information can contain a name, phone number, address, and even passport information.  The hacker can change the date and email listed for the flight, which allows them to steal your flight.  And the actual purchaser of the flight may actually never find out about the change in flight due to the email being changed.  They could also change the frequent flyer number, allowing them to steal the miles accumulated from the flight by directing them to their account.

A barrier to handling this potential security hole is the massive changes that would need take place.  While implementing something such as a simple password could resolve the issue, the factor of the GDS’s come into play.  With so many different travel booking websites sharing these common hubs, it means that all of these companies would have to agree upon how the implementation should take place.  This would take quite some time to be fully ironed out, and even with that being true, it is a step which should be moved toward.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.