Legacy flight booking systems are extremely easy to hack, exposing travellers to social engineering and other forms of cyber attack, security researchers have warned.
Malicious actors could infiltrate these systems to alter passenger information and even cancel bookings, Karsten Nohl and Nemanja Nikodijevic of Berlin-based Security Research Labs (SRL) told the Chaos Communications Congress hacking conference in Hamburg.
All that is required to make such changes is the passenger’s last name and a six-digit alphanumeric booking code or Passenger Name Record (PNR), according to Digital Trends.
The researchers’ findings are detailed in a report published on the SRL website, which explains that travel bookings worldwide are maintained in just a handful of systems.
The three largest Global Distribution Systems (GDS) are Amadeus, Sabre and Travelport, which administer more than 90% of flight reservations as well as numerous hotel, car and other travel bookings.
But these systems were built around mainframe computers and leased lines in the 1970s and 80s, and although they have since been interwoven with web services, they still lack several web security best practices.
Most importantly, the three booking systems lack the means to authenticate travellers properly, relying only on the passenger name and booking code, both of which appear on boarding passes.
The researchers said attackers could brute force the booking codes more easily than a five-digit password because of the way they are generated.
Two of the three main booking systems assign booking codes sequentially, further shrinking the search space, and many of the systems and airline websites allow thousands of login attempts from a single IP address.
Given only passengers’ last names, their booking codes could be found on the internet with little effort, the researchers claimed.
Armed with just a name and a booking code, attackers can access booking details which often include contact information such as phone number, email and postal address, travel dates and preferences, and passport information.
By accessing bookings in this way, the researchers said attackers could also potentially take over bookings, steal flier miles and carry out social engineering attacks to trick travellers into revealing online banking and other credentials.
The researchers have called for better authentication and other security controls to be added to these booking systems.
In the short term, they said security could be improved by introducing measures to prevent brute-force attacks on airlines’ websites and enabling travellers to set their own passwords to access bookings.
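The short-term mitigation described above, throttling lookups against an airline's booking page, as an added example that is not part of the article or the SRL report. It assumes a lookup endpoint keyed on last name plus booking code, a hypothetical per-source failure budget (20 failed lookups per 10 minutes) and constructed log lines in the form `timestamp ip last_name result`.

```python
"""Added example (not from the SRL report or the article): a per-source
failure budget for a last-name + PNR booking lookup, the brute-force
check the researchers say airline sites and GDS front ends lack."""
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # sliding window length (assumed policy value)
MAX_FAILURES = 20      # failed lookups per source per window (assumed)

class PnrLookupGuard:
    """Tracks failed (last name, booking code) lookups per source IP."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window = window
        self.limit = limit
        self.failures = defaultdict(deque)  # ip -> timestamps of failures

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, ip, now):
        """True if the source may attempt another lookup right now."""
        self._prune(ip, now)
        return len(self.failures[ip]) < self.limit

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self.failures[ip].append(now)

def replay(log_lines, guard=None):
    """Feed constructed 'ts ip last_name result' lines through the guard;
    return the set of source IPs that were refused at least once."""
    guard = guard or PnrLookupGuard()
    blocked = set()
    for line in log_lines:
        ts, ip, _name, result = line.split()
        ts = float(ts)
        if not guard.allow(ip, ts):
            blocked.add(ip)
            continue  # refuse without revealing whether the code exists
        if result == "fail":
            guard.record_failure(ip, ts)
    return blocked

# Constructed sample: one source cycling through booking codes for a
# single surname at one attempt per second, and one ordinary traveller.
SAMPLE_LOG = [f"{i} 198.51.100.7 MUELLER fail" for i in range(25)] + \
             ["30 192.0.2.10 SMITH fail", "31 192.0.2.10 SMITH ok"]
```

`replay(SAMPLE_LOG)` returns `{'198.51.100.7'}`: the bulk-guessing source is cut off after its 20th failure while the traveller who mistyped once is unaffected.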