Airline booking systems lack basic security measures to prevent attackers changing flight details or stealing rewards
Legacy airline booking systems lack a number of “web security best practices” according to cyber experts at Security Research Labs.
The researchers identified a number of security issues with the travel bookings systems maintained by the three largest Global Distributed Systems (GDS) namely Amadeus, Sabre, and Travelport.
These three firms apparently administer more than 90 percent of flight reservations as well as numerous hotel, car, and other travel bookings.
The researchers said that these systems date back to the 1970s and lack modern security measures. This means that the privacy of airline travellers is potentially at risk, as booking information typically contains sensitive contact information such as phone number, email, and postal address, travel dates and preferences, and often passport information.
According to the researchers, attackers could also steal or change flight details, because some cancellations result in a voucher being issued, potentially allowing a fraudster to travel for free.
Another risk is flight rewards (such as airmiles) being stolen, and attackers carrying out phishing attacks by using the details of a booking that has just been made.
Security Research Labs identified weak authentication as the most important security feature missing from all three GDSs.
This means that there is no proper way to authenticate travellers, as GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travellers’ information, it warned.
“The authenticator is printed on boarding passes and luggage tags,” it said. “Any person able to find or take a photo of the pass or tag can access the traveller’s information – including email address and phone number – through the GDS’s or airline’s web site.”
Another weaknesses stems from the fact that authenticators are at risk of hacking as they are ‘brute-forceable’. The researchers said that the way 6-digit booking codes are chosen makes them weaker than a 5-digit password (<28.5 bits), “which would be considered insecure for most applications.”
The researchers said that two of the three main GDSs (Amadeus and Travelport) assign booking codes sequentially, further shrinking the search space.
“Finally, many GDS and airline web sites allow trying many thousand booking codes from a single IP address,” it warned. “Given only passengers’ last names, their bookings codes can be found over the Internet with little effort.”
“Global booking systems have pioneered many technologies including Cloud computing,” said the researchers. “Now is the time to add security best practices that other Cloud users have long taken for granted.”
It said that in the short-term, all web sites that allow access to traveller records should require proper brute-force protection in the form of Captchas and retry limits per IP address. In the mid term it advises that bookings need to be secured with proper authentication, at the very least with a changeable password.
Security surrounding aviation system has been coming under closer scrutiny of late.
Earlier this month for example researchers at IO Active claimed to have found a security flaw in the Panasonic Avionics in-flight entertainment system that allegedly could enable hackers to take control of a plane whilst it is in the air.
Panasonic dismissed the findings of IOActive and accessed it of making “misleading and inflammatory statements” and “unfounded, unproven conclusions.”
Last year in 2015 United Airlines was the target of a data breach linked to a group of China-backed hackers.
That same airline was also at the centre of security row, when one of the world’s foremost experts on counter-threat intelligence within the cybersecurity industry was hauled off one of its flights by the FBI.
Are you a security pro? Try our quiz!