
Wired: Fake Boarding Pass App Gets Hacker Into Fancy Airline Lounges


Old Aug 5, 2016, 1:02 pm
  #1  
Original Poster
 
Join Date: Mar 2004
Location: Baltimore MD
Posts: 3,457
Wired: Fake Boarding Pass App Gets Hacker Into Fancy Airline Lounges

It’s an Android app that generates fake QR codes to spoof a boarding pass on his phone’s screen for any name, flight number, destination and class. And based on his experiments with the spoofed QR codes, almost none of the airline lounges he’s tested actually check those details against the airline’s ticketing database—only that the flight number included in the QR code exists
https://www.wired.com/2016/08/fake-b...rline-lounges/
FlyingDoctorwu is offline  
Old Aug 13, 2016, 2:52 pm
  #2  
FlyerTalk Evangelist
 
Join Date: Nov 2008
Programs: AA EXP/LTP, BA GGL/CCR/GfL, HH D/LTD, SPG/MR Plat/LTP
Posts: 10,074
The bottom line: the hacker goes public about it, thus exposing the "fake" security we've all been told, using smartphones for BPs, hotel rooms etc.

OT comment: The TK F lounge in IST is one of the three best airport lounges in Europe (IST is on the European side of Turkey)
onobond is offline  
Old Aug 14, 2016, 8:55 pm
  #3  
 
Join Date: Aug 2015
Location: London
Programs: BA: Silver, Etihad: Silver
Posts: 16
Certainly an interesting story, and good work from the guy for the work he's put into researching this - clearly for information purposes and not for gross gain.

At the end of the day if people do this they are fraudulently gaining access to something they shouldn't. In the grand scheme of things it may not seem like anyone loses, but if every economy customer did this then there would be chaos, and someone needs to pay for all of those buffets and drinks!

The easiest and cheapest of resolutions is for the staff to properly check eligibility, by insisting to see your boarding pass, whether it is paper or an app, and not just allowing a full screen photo of a QR code which could have come from anywhere. Correct me if I'm wrong, the QR code is only valid if it is shown within the airline's app, full digital boarding pass (e.g. Passport on iOS) or if the person can reasonably explain that it is genuine.

The long term solution I guess is for those airlines that have more generalised checking of boarding cards, is to update the reading technology and software they use to drill down and only validate genuine flight tickets for +/− 24 hours the time of attempted entry. I however know nothing about what process they use for validation, I am a tech geek but in a different field!
jackthewelshman is offline  
Old Aug 15, 2016, 7:45 am
  #4  
 
Join Date: Jun 2012
Posts: 3,344
Originally Posted by jackthewelshman
The easiest and cheapest of resolutions is for the staff to properly check eligibility, by insisting to see your boarding pass, whether it is paper or an app, and not just allowing a full screen photo of a QR code which could have come from anywhere. Correct me if I'm wrong, the QR code is only valid if it is shown within the airline's app, full digital boarding pass (e.g. Passport on iOS) or if the person can reasonably explain that it is genuine.
still won't work...

at least for android (and jailbroken iOS), it's very easy to mock/inject data into an app

The long term solution I guess is for those airlines that have more generalised checking of boarding cards, is to update the reading technology and software they use to drill down and only validate genuine flight tickets for +/− 24 hours the time of attempted entry. I however know nothing about what process they use for validation, I am a tech geek but in a different field!
in IT... you never trust client side data (on the phone), always verify it from your (trusted) server

unless you're delta and your server is down
paperwastage is offline  
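
The server-side verification discussed in posts #3 and #4, as an added example that is not part of the original thread: the scanned pass is treated as a claim and every detail is compared with the ticketing record, next to the flight-number-only check the article describes. The record layout, the booking-reference key, the field names and the eligible cabin codes are assumptions, and all data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for the airline's ticketing database
# (assumption: records are keyed by booking reference).
TICKETS = {
    "ABC123": {"name": "DOE/JANE", "flight": "XX100", "cabin": "J",
               "departure": datetime(2016, 8, 15, 14, 30)},
    "DEF456": {"name": "ROE/RICHARD", "flight": "XX100", "cabin": "Y",
               "departure": datetime(2016, 8, 15, 14, 30)},
}
KNOWN_FLIGHTS = {t["flight"] for t in TICKETS.values()}
LOUNGE_CABINS = {"F", "J"}      # assumption: first and business class only
WINDOW = timedelta(hours=24)    # the +/- 24 hour window suggested in post #3


def weak_check(scan):
    """The check the article describes: only the flight number must exist."""
    return scan["flight"] in KNOWN_FLIGHTS


def server_side_check(scan, now):
    """Treat the scan as a claim; decide eligibility from the trusted record."""
    record = TICKETS.get(scan.get("booking_ref"))
    if record is None:
        return False, "no such booking"
    # Every detail shown on the phone must match what the server holds.
    for field in ("name", "flight", "cabin"):
        if scan.get(field) != record[field]:
            return False, f"{field} does not match ticketing record"
    if abs(record["departure"] - now) > WINDOW:
        return False, "flight is outside the entry window"
    # Eligibility comes from the record, never from the scanned value.
    if record["cabin"] not in LOUNGE_CABINS:
        return False, "cabin not eligible for lounge"
    return True, "ok"


# Constructed scans: a genuine business ticket, an economy ticket whose
# on-screen cabin was altered, and a pass with a made-up booking.
NOW = datetime(2016, 8, 15, 12, 0)
GENUINE = {"booking_ref": "ABC123", "name": "DOE/JANE", "flight": "XX100", "cabin": "J"}
ALTERED = {"booking_ref": "DEF456", "name": "ROE/RICHARD", "flight": "XX100", "cabin": "J"}
INVENTED = {"booking_ref": "ZZZ999", "name": "NOBODY/A", "flight": "XX100", "cabin": "F"}
```

All three scans pass `weak_check`, while `server_side_check` admits only the genuine one.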
Old Aug 15, 2016, 1:17 pm
  #5  
 
Join Date: Apr 2013
Location: YYZ
Programs: AC SE, *A Gold, IHG Plat, SPG Plat, Marriott Gold, Hertz President's Circle
Posts: 254
so in Europe they don't scan your boarding pass before letting you in? I don't get it.
Shanqx is offline  
Old Aug 15, 2016, 11:52 pm
  #6  
FlyerTalk Evangelist
 
Join Date: Nov 2005
Location: Phoenix, AZ
Programs: AA Gold AAdvantage Elite, Rapids Reward
Posts: 38,294
Originally Posted by Shanqx
so in Europe they don't scan your boarding pass before letting you in? I don't get it.
Actually, they do scan your boarding pass at security, lounge and boarding gate, as well. You have to make sure you have a valid ticket.
N830MH is offline  
