FlyerTalk Forums


FlyingDoctorwu Aug 5, 2016 1:02 pm

Wired: Fake Boarding Pass App Gets Hacker Into Fancy Airline Lounges
 

It’s an Android app that generates fake QR codes to spoof a boarding pass on his phone’s screen for any name, flight number, destination and class. And based on his experiments with the spoofed QR codes, almost none of the airline lounges he’s tested actually check those details against the airline’s ticketing database—only that the flight number included in the QR code exists
https://www.wired.com/2016/08/fake-b...rline-lounges/

onobond Aug 13, 2016 2:52 pm

The bottom line: the hacker goes public about it, thus exposing the "fake" security we've all been told, using smartphones for BPs, hotel rooms etc.

OT comment: The TK F lounge in IST is one of the three best airport lounges in Europe (IST is on the European side of Turkey)

jackthewelshman Aug 14, 2016 8:55 pm

Certainly an interesting story, and good work from the guy for the work he's put into researching this - clearly for information purposes and not for gross gain.

At the end of the day if people do this they are fraudulently gaining access to something they shouldn't. In the grand scheme of things it may not seem like anyone loses, but if every economy customer did this then there would be chaos, and someone needs to pay for all of those buffets and drinks!

The easiest and cheapest of resolutions is for the staff to properly check eligibility, by insisting on seeing your boarding pass, whether it is paper or an app, and not just allowing a full screen photo of a QR code which could have come from anywhere. Correct me if I'm wrong, the QR code is only valid if it is shown within the airline's app, full digital boarding pass (e.g. Passport on iOS) or if the person can reasonably explain that it is genuine.

The long term solution, I guess, for those airlines that have more generalised checking of boarding cards, is to update the reading technology and software they use to drill down and only validate genuine flight tickets for +/− 24 hours of the time of attempted entry. I however know nothing about what process they use for validation, I am a tech geek but in a different field!

paperwastage Aug 15, 2016 7:45 am


Originally Posted by jackthewelshman (Post 27065265)
The easiest and cheapest of resolutions is for the staff to properly check eligibility, by insisting on seeing your boarding pass, whether it is paper or an app, and not just allowing a full screen photo of a QR code which could have come from anywhere. Correct me if I'm wrong, the QR code is only valid if it is shown within the airline's app, full digital boarding pass (e.g. Passport on iOS) or if the person can reasonably explain that it is genuine.

still won't work...

at least for android (and jailbroken iOS), it's very easy to mock/inject data into an app


The long term solution, I guess, for those airlines that have more generalised checking of boarding cards, is to update the reading technology and software they use to drill down and only validate genuine flight tickets for +/− 24 hours of the time of attempted entry. I however know nothing about what process they use for validation, I am a tech geek but in a different field!

in IT... you never trust client side data (on the phone), always verify it from your (trusted) server

unless you're delta and your server is down :(
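
Added example (not part of any post in this thread, and not any airline's real system): the flight-number-only check the Wired excerpt describes, next to a server-side check of the kind discussed above. The booking table, record locator field, cabin codes and fail-closed behaviour are assumptions made for illustration; the 24-hour window is the one suggested earlier in the thread.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for the airline's trusted systems.
SCHEDULE = {"XX123"}  # flight numbers that exist
BOOKINGS = {  # (record locator, flight) -> booking held server-side
    ("ABC123", "XX123"): {"name": "DOE/JANE", "cabin": "Y",
                          "departure": datetime(2016, 8, 5, 18, 0)},
    ("DEF456", "XX123"): {"name": "ROE/RICHARD", "cabin": "J",
                          "departure": datetime(2016, 8, 5, 18, 0)},
}
LOUNGE_CABINS = {"J", "F"}    # assumed eligibility rule: cabin only
WINDOW = timedelta(hours=24)


def weak_check(scanned):
    """The check described in the article: only that the flight exists."""
    return scanned["flight"] in SCHEDULE


def server_check(scanned, now, bookings=BOOKINGS):
    """Use scanned fields as a lookup key only; decide from server data."""
    if bookings is None:      # backend unreachable: fail closed (assumption)
        return False, "reservation system unavailable"
    record = bookings.get((scanned["locator"], scanned["flight"]))
    if record is None:
        return False, "no such booking"
    if record["name"] != scanned["name"]:
        return False, "name mismatch"
    if record["cabin"] not in LOUNGE_CABINS:  # server's cabin, not the QR's
        return False, "cabin not eligible"
    if abs(record["departure"] - now) > WINDOW:
        return False, "outside +/- 24 h window"
    return True, "ok"


NOW = datetime(2016, 8, 5, 13, 0)
# Constructed scans: one whose cabin field disagrees with the booking,
# one with no booking behind it at all, and one genuine.
ALTERED = {"locator": "ABC123", "flight": "XX123", "name": "DOE/JANE", "cabin": "J"}
INVENTED = {"locator": "ZZZ999", "flight": "XX123", "name": "NEMO/NOBODY", "cabin": "F"}
GENUINE = {"locator": "DEF456", "flight": "XX123", "name": "ROE/RICHARD", "cabin": "J"}

if __name__ == "__main__":
    for label, scan in (("altered", ALTERED), ("invented", INVENTED), ("genuine", GENUINE)):
        print(label, "weak:", weak_check(scan), "server:", server_check(scan, NOW))
```

The weak check accepts all three scans because it only looks at the flight number; the server check admits only the scan whose booking, name, cabin and departure time match what the reservation data says.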

Shanqx Aug 15, 2016 1:17 pm

so in Europe they don't scan your boarding pass before letting you in? I don't get it.

N830MH Aug 15, 2016 11:52 pm


Originally Posted by Shanqx (Post 27068519)
so in Europe they don't scan your boarding pass before letting you in? I don't get it.

Actually, they do scan your boarding pass at security, lounge and boarding gate, as well. You have to make sure that you have a valid ticket.


All times are GMT -6.
