Airport lounges will let anyone in, provided you can fake a QR code

When computer security expert and hardcore traveller Przemek Jaroszewski found that he couldn't enter an airline lounge in Warsaw because the automated reader mistakenly rejected his boarding card, he wrote a 600-line Javascript program that generated a QR code for "Batholemew Simpson," a business-class traveller on a flight departing that day.

It worked — and kept on working. In a presentation at Defcon, Jaroszewski showed how he was able to use the tactic to gain entry to lounges across Europe, exploiting the fact that the lounges' entry systems did not cross-check entrants with passenger manifests from the airplanes.

Ten years ago, computer science student Chris Soghoian won himself an FBI visit by creating a boarding-card generator that would get him through airport security. Soghoian is now chief technologist for the ACLU, and US aviation checkpoints now verify boarding cards by checking for a cryptographic signature from TSA — which means that Jaroszewski's hack will get ticketed, checked passengers into lounges, but won't let randos into airports.

Jaroszewski won't release his sourcecode, because he fears an FBI visit of his own, but he says it's easy enough to recreate. He also hasn't tried his attack against US airport lounges.

While traveling through airports, we usually don't give a second thought about why our boarding passes are scanned at various places. After all, it's all for the sake of passengers' security. Or is it? The fact that boarding pass security is broken has been proven many times by researchers who easily crafted their passes, effectively bypassing not just 'passenger only' screening, but also no-fly lists. Since then, not only security problems have not been solved, but boarding passes have become almost entirely bar-coded. And they are increasingly often checked by machines rather than humans. Effectively, we're dealing with simple unencrypted strings of characters containing all the information needed to decide on our eligibility for fast lane access, duty-free shopping, and more…

With a set of easily available tools, boarding pass hacking is easier than ever, and the checks are mostly a security theater. In my talk, I will discuss in depth how the boarding pass information is created, encoded and validated. I will demonstrate how easy it is to craft own boarding pass that works perfectly at most checkpoints (and explain why it doesn't work at other ones).

How to get good seats in the security theater? Hacking boarding passes for fun and profit.
[Przemek Jaroszewski/Defcon]

Fake Boarding Pass App Gets Hacker Into Fancy Airline Lounges [Andy Greenberg/Wired]

(Photo: Andy Greenberg)