
Flight booking systems easy to hack, researchers warn

Malicious actors could infiltrate systems to alter passenger information and even cancel bookings, Chaos Communication Congress told

Legacy flight booking systems are extremely easy to hack, exposing travellers to social engineering and other forms of cyber attack, security researchers have warned.

Malicious actors could infiltrate these systems to alter passenger information and even cancel bookings, Karsten Nohl and Nemanja Nikodijevic of Berlin-based Security Research Labs (SRL) told the Chaos Communication Congress hacking conference in Hamburg.

All that is required to make such changes is the passenger’s last name and a six-digit alphanumeric booking code or Passenger Name Record (PNR), according to Digital Trends.

The researchers’ findings are detailed in a report published on the SRL website, which explains that travel bookings worldwide are maintained in just a handful of systems.

The three largest Global Distribution Systems (GDS) are Amadeus, Sabre and Travelport, which administer more than 90% of flight reservations as well as numerous hotel, car and other travel bookings.

But these systems were built around mainframe computers and leased lines in the 1970s and 1980s, and although they have since been interwoven with web services, they still lack several web security best practices.

Most importantly, the three booking systems lack the means to authenticate travellers properly, relying only on the passenger name and booking code, both of which appear on boarding passes.

The researchers said attackers could brute force the booking codes more easily than a five-digit password because of the way they are generated.


Two of the three main booking systems assign booking codes sequentially, further shrinking the search space, and many of the systems and airline websites allow thousands of login attempts from a single IP address.

Given only passengers’ last names, their booking codes could be found on the internet with little effort, the researchers claimed.

Armed with just a name and a booking code, attackers can access booking details which often include contact information such as phone number, email and postal address, travel dates and preferences, and passport information.

By accessing bookings in this way, the researchers said attackers could also potentially take over bookings, steal flier miles and carry out social engineering attacks to trick travellers into revealing online banking and other credentials.

The researchers have called for better authentication and other security controls to be added to these booking systems.

In the short term, they said security could be improved by introducing measures to prevent brute-force attacks on airlines’ websites and enabling travellers to set their own passwords to access bookings.
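
One way to implement the short-term brute-force protection described above, as an added example that is not code from the SRL report or from any airline or GDS: failed booking lookups are counted per source IP and per last name, so spreading guesses across many addresses does not reset the limit. The class and function names, the thresholds and the sample booking are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class LookupThrottle:
    """Sliding-window cap on failed booking lookups, per source IP and per last name."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so the window can be tested without sleeping
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    @staticmethod
    def _keys(ip, last_name):
        # Two independent counters: one for the client address, one for the surname.
        return (("ip", ip), ("name", last_name.strip().upper()))

    def _recent(self, key):
        q = self._failures.get(key)
        if not q:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:  # drop failures that have aged out of the window
            q.popleft()
        return len(q)

    def allowed(self, ip, last_name):
        return all(self._recent(k) < self.max_failures for k in self._keys(ip, last_name))

    def record_failure(self, ip, last_name):
        now = self.clock()
        for k in self._keys(ip, last_name):
            self._failures[k].append(now)


def lookup_booking(throttle, bookings, ip, last_name, code):
    """Return the booking, None on a wrong name/code pair, or raise when throttled."""
    if not throttle.allowed(ip, last_name):
        raise PermissionError("too many failed lookups; try again later")
    record = bookings.get((last_name.strip().upper(), code.strip().upper()))
    if record is None:
        throttle.record_failure(ip, last_name)
    return record
```

Because the surname counter also delays the genuine traveller while guessing is in progress, a short window or a step-up check (such as the traveller-set password the researchers suggest) is preferable to a permanent lock.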
