These days it’s relatively simple to plan out a whole trip through a number of travel booking websites and aggregators. While this has certainly helped make one part of traveling less stressful, a new research from Security Research Labs (SR Labs) is shedding light on just how poorly the systems that they rely on are protected. The problem is not with the travel booking websites themselves, but with the fact that the three major global distribution systems (GDS) used to manage the majority of travel reservations — Amadeus, Sabre, and Travelport — reportedly lack any kind of secure authentication.
Speaking at the 33rd annual Chaos Communication Congress, the largest European computer security conference, researchers Karsten Nohl and Nemanja Nikodijevic demonstrated that with nothing more than your six-digit passenger name record (PNR), which is used globally to store flight reservations, a hacker could steal your airline miles, gain access to your personal information, cancel flights, and more.
These credentials are assigned by airlines and can be easily found on people’s' luggage tags or boarding passes along with the traveler’s last name. These two data pieces are often enough to access and manage travel records on airline and mileage program websites. It doesn’t help that thousands of people actually post pictures of their boarding pass online as a ‘humble brag’ while waiting to board their plane.
Moreover, even if making an effort to conceal your PNR, the number and types of characters that can be used for this record must fall within a predetermined range, making it easier for hackers to target a specific last name and run through all the possibilities until they find a match. The researchers demonstrated this by reassigning a reporter to a seat next to a politician on a real flight.
“No matter where you book your flights, no matter what airline you fly, they all share similar issues. There’s no access control, no way to authenticate travelers, and no logging to track abuse,” the researchers claim.
They have notified the three main GDS systems of their findings and expect that some of the holes in the systems will be fixed soon, although others might require a deeper changes in how the system works.