Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

July 26, 2017

Fancy Airline Lounges W/O Fancy Airline Ticket

Filed under: Cybersecurity,QR Codes,Security — Patrick Durusau @ 2:26 pm

Andy Greenberg posted a hot travel tip last August (2016) in Fake Boarding Pass App Gets Hacker Into Fancy Airline Lounges:

As the head of Poland’s Computer Emergency Response Team, Przemek Jaroszewski flies 50 to 80 times a year, and so has become something of a connoisseur of airlines’ premium status lounges. (He’s a particular fan of the Turkish Airlines lounge in Istanbul, complete with a cinema, putting green, Turkish bakery and free massages.) So when his gold status was mistakenly rejected last year by an automated boarding pass reader at a lounge in his home airport in Warsaw, he applied his hacker skills to make sure he’d never be locked out of an airline lounge again.

The result, which Jaroszewski plans to present Sunday at the Defcon security conference in Las Vegas, is a simple program that he’s now used dozens of times to enter airline lounges all over Europe. It’s an Android app that generates fake QR codes to spoof a boarding pass on his phone’s screen for any name, flight number, destination and class. And based on his experiments with the spoofed QR codes, almost none of the airline lounges he’s tested actually check those details against the airline’s ticketing database—only that the flight number included in the QR code exists. And that security flaw, he says, allows him or anyone else capable of generating a simple QR code to both access exclusive airport lounges and buy things at duty free shops that require proof of international travel, all without even buying a ticket.

See Greenberg’s post for details on prior work with boarding passes.

Caveat: This has not been tested outside of Europe.

Airlines could challenge your right to use a lounge, based on your appearance, but an incident or two with legitimate customers being booted, should cure them of that pettiness.

Greenberg posted this in August of 2016 and I haven’t seen any updates.

You?

Happy travels!

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress