1 00:00:00,000 --> 00:00:16,602 *33C3 preroll music* 2 00:00:16,602 --> 00:00:21,660 Herald: So many of us traveled to this Congress. 3 00:00:21,660 --> 00:00:24,870 Probably most of us. And we all took 4 00:00:24,870 --> 00:00:29,650 trains, or planes, or… maybe somebody 5 00:00:29,650 --> 00:00:33,250 drove by car. But most took trains and planes. 6 00:00:33,250 --> 00:00:36,870 And have you guys ever wondered about the infrastructure 7 00:00:36,870 --> 00:00:40,970 of those travel booking systems? 8 00:00:40,970 --> 00:00:45,249 Even more interesting, have you ever 9 00:00:45,249 --> 00:00:49,359 thought how secure those systems are? 10 00:00:49,359 --> 00:00:56,730 Karsten Nohl and Nemanja Nikodijevic… 11 00:00:56,730 --> 00:01:02,030 Karsten has a really nice record of security researches. 12 00:01:02,030 --> 00:01:06,974 He had talks about GSM protocols 13 00:01:06,974 --> 00:01:11,240 and last year he had his talk about payment system abuse 14 00:01:11,240 --> 00:01:13,340 which was really interesting. 15 00:01:13,340 --> 00:01:21,079 Together with Nemanja, he will show us his research on travel booking systems. 16 00:01:21,079 --> 00:01:25,380 And probably we will find out how we can get home free. 17 00:01:25,380 --> 00:01:31,841 Please give a really, really warm welcome to Karsten and Nemanja! 18 00:01:31,841 --> 00:01:41,422 *applause* 19 00:01:41,422 --> 00:01:45,330 Karsten Nohl: Thank you very much! Always feels great to be back! 20 00:01:45,330 --> 00:01:49,970 I just today noticed that the first time I was speaking at this conference 21 00:01:49,970 --> 00:01:54,482 is 10 years ago. So 10 years of… 22 00:01:54,482 --> 00:01:59,536 *applause* .. thanks you. 23 00:01:59,536 --> 00:02:04,549 10 years of looking at 10 different legacy systems and finding vulnerabilities 24 00:02:04,549 --> 00:02:10,788 in all of them, so far. A lot of them were around RFIDs, or mobile protocols. 25 00:02:10,788 --> 00:02:14,613 This time we’re looking at something completely different, travel booking 26 00:02:14,613 --> 00:02:18,929 systems. And vulnerabilities in there. 27 00:02:18,929 --> 00:02:23,154 Relative to some of the other talks we’ve been giving, this will have less ‘hacking’ 28 00:02:23,154 --> 00:02:28,803 in it. Not because we lost our interest in hacking but because much less hacking 29 00:02:28,803 --> 00:02:32,317 was actually needed to exploit vulnerabilities here. *laughter* 30 00:02:32,317 --> 00:02:36,758 So, sorry for that if you expected a lot of hacking. There’ll be a little bit, 31 00:02:36,758 --> 00:02:41,934 that’s why Nemanja is here, but a little bit less than usual. So we’re 32 00:02:41,934 --> 00:02:48,136 talking about travel systems. And there are 3 main players, or actors 33 00:02:48,136 --> 00:02:53,334 in the commercial travel world. There are those people who provide travelling, 34 00:02:53,334 --> 00:02:59,103 airlines and hotels. There’s those people who help you book them, Expedia, 35 00:02:59,103 --> 00:03:04,187 websites like that or traditional travel agencies. And then there’s brokers 36 00:03:04,187 --> 00:03:10,084 who make sure that whatever is available can be booked through those agents. 37 00:03:10,084 --> 00:03:15,450 So those are really the backbone of travel systems but you don’t really think 38 00:03:15,450 --> 00:03:19,376 about them much, or at least I didn’t before looking into this research. 39 00:03:19,376 --> 00:03:25,970 The systems are very useful, as global systems. In fact, they’re called “global 40 00:03:25,970 --> 00:03:30,254 distribution systems”. And that tells you how old they are. This is before 41 00:03:30,254 --> 00:03:34,204 the internet was there. They go back to the 80ies and 70ies. So there was only 42 00:03:34,204 --> 00:03:38,304 one system that deserved the name of a global distribution system of, 43 00:03:38,304 --> 00:03:43,032 in this case, data. And this was travel system. So it makes sense 44 00:03:43,032 --> 00:03:48,090 to have these systems because, of cause, one seat on an airplane shouldn’t be sold 45 00:03:48,090 --> 00:03:51,282 multiple times, so there needs to be a global inventory somewhere. 46 00:03:51,282 --> 00:03:55,799 Also all airlines should be using just a few systems so that they can do 47 00:03:55,799 --> 00:04:00,158 'codeshare agreements', e.g. so that, again, the same seats on a flight 48 00:04:00,158 --> 00:04:05,458 aren’t booked multiple times. And, consequently, these booking systems, 49 00:04:05,458 --> 00:04:13,110 they maintain three types of information. The first one, you are probably most 50 00:04:13,110 --> 00:04:19,380 aware of, are the prices. Airlines will put their price lists into these systems 51 00:04:19,380 --> 00:04:23,960 for booking sites to fetch. They’re called ‘fares’ in the travel world. 52 00:04:23,960 --> 00:04:28,639 The next important data item in there is ‘availability’. So not everything can be 53 00:04:28,639 --> 00:04:33,290 booked that has a price. There needs to be a seat available at a certain booking class. 54 00:04:33,290 --> 00:04:37,805 And, finally, when somebody does find an available seat to a fare that they want 55 00:04:37,805 --> 00:04:42,050 to purchase that is then converted into a ‘reservation’. So this is after the seat 56 00:04:42,050 --> 00:04:48,770 is taken. You may have seen some of this information before on travel web sites. 57 00:04:48,770 --> 00:04:54,663 Let me just show you the one that I like to use the most. The ‘ita matrix’, has 58 00:04:54,663 --> 00:04:57,933 been bought by Google a few years ago. So you can’t actually book through 59 00:04:57,933 --> 00:05:03,340 here any more. But they maintain the interface for whatever reason. And so, 60 00:05:03,340 --> 00:05:07,170 let’s say you search for a flight to San Francisco from here, at the end 61 00:05:07,170 --> 00:05:13,650 of the year. This, like any other web site will give you plenty of options 62 00:05:13,650 --> 00:05:19,500 from the different airlines. What’s different for this web site is that 63 00:05:19,500 --> 00:05:25,309 they give you a lot more details, if you know where to click. 64 00:05:25,309 --> 00:05:31,042 So the cheapest flight, really cheap actually, 325 bucks to go to San Francisco 65 00:05:31,042 --> 00:05:37,240 for New Year’s, a one-way trip, and what I like on this web site is the rules. 66 00:05:37,240 --> 00:05:42,983 So this is real data, that is kept in one of these GDS systems. And this already 67 00:05:42,983 --> 00:05:50,019 looks like the 70ies, right? *laughter* This would usually be shown on a terminal, 68 00:05:50,019 --> 00:05:54,520 maybe green font on black background, and somebody would read through here, 69 00:05:54,520 --> 00:05:59,373 and I would say, okay, so you wanna book for a certain day, it’s okay, the dates 70 00:05:59,373 --> 00:06:05,550 match, you wanna go on TAP (TP) – Portugal Airlines – so okay, that matches, 71 00:06:05,550 --> 00:06:10,490 and you could also take a few other airlines, and then you have to meet 72 00:06:10,490 --> 00:06:16,982 certain other restrictions, e.g. you can stop over here. So this flight goes 73 00:06:16,982 --> 00:06:20,310 through Lisbon, you can stay in Lisbon for up to 84 hours before flying on 74 00:06:20,310 --> 00:06:26,399 to the U.S. That’d be nice. And then it has all these other rules in here, 75 00:06:26,399 --> 00:06:30,500 e.g. you can not cancel this ticket, right? It’s non-refundable. But you 76 00:06:30,500 --> 00:06:36,340 can change it for a fee. And this goes on and on and on. For just a single fare, 77 00:06:36,340 --> 00:06:41,638 and there’s, of course, tens of thousands of fares available. Now this, you may be 78 00:06:41,638 --> 00:06:45,274 surprised to hear, is the only form in which these fares are available. There 79 00:06:45,274 --> 00:06:49,477 isn’t an XML, there isn’t a web service, this is how the airlines publish them. 80 00:06:49,477 --> 00:06:52,980 And then a web site like Expedia, they have to write a parser for it to be able 81 00:06:52,980 --> 00:06:59,240 to present flight options to you. You may have noticed if you tried to change 82 00:06:59,240 --> 00:07:03,570 or cancel flights they don’t allow that to web sites often. Expedia e.g. doesn’t, 83 00:07:03,570 --> 00:07:06,459 you have to call them. And if you call them they say: “Give me a moment, 84 00:07:06,459 --> 00:07:10,890 I have to read through the fare rules.” So in that case that just didn’t parse 85 00:07:10,890 --> 00:07:19,330 all this information. That’s the first thing that’s kept in these… or maintained 86 00:07:19,330 --> 00:07:25,460 in these large GDS, the booking systems: the fares. The other thing is 87 00:07:25,460 --> 00:07:29,337 the availability. That’s a little bit harder to access through public web sites. 88 00:07:29,337 --> 00:07:36,651 Expert Flyer is probably the best one to use. And availability is important. 89 00:07:36,651 --> 00:07:40,772 If you actually wanted to fly to San Francisco now for New Year’s 90 00:07:40,772 --> 00:07:45,571 we looked at the fare, well, this is Booking Class 'O', this is 91 00:07:45,571 --> 00:07:49,569 always the first letter. And then, if you look at the availability for Booking Class 92 00:07:49,569 --> 00:07:54,599 'O', unfortunately it says ‘C’ for ‘closed’. So they don’t accept any more bookings. 93 00:07:54,599 --> 00:07:58,069 So just because there’s a price available doesn’t mean that anybody can actually 94 00:07:58,069 --> 00:08:03,430 book this flight. And, again, somebody like Expedia would have to now combine all 95 00:08:03,430 --> 00:08:07,800 of these different pieces of information to present a list of flight options for you. 96 00:08:07,800 --> 00:08:12,669 So let’s assume they did that and you did book something. Then, the third data item 97 00:08:12,669 --> 00:08:18,195 is created in one of these GDS. And that’s the 'passenger name record', PNR. 98 00:08:18,195 --> 00:08:24,890 And that looks something like this. Again, you’ll notice the same 70..80ies style. 99 00:08:24,890 --> 00:08:30,638 With lots of private information. Ed Hasbrouck - he is a 100 00:08:30,638 --> 00:08:36,368 privacy advocate in the U.S., probably the loudest voice to ask for more 101 00:08:36,368 --> 00:08:39,180 privacy around travel booking and he was kind enough to make 102 00:08:39,180 --> 00:08:44,214 this available on his web site, for all to see what information is kept. So, 103 00:08:44,214 --> 00:08:47,940 contact information, of course, things like e-mail. This one shows you again 104 00:08:47,940 --> 00:08:53,462 how old these systems are. So they don’t have the ‘@’ character! This is 105 00:08:53,462 --> 00:08:58,112 using a character set from punch cards! And in punch card you had 6 possible 106 00:08:58,112 --> 00:09:02,301 punches per character. So everything here needs to be encoded with a 6-bit character 107 00:09:02,301 --> 00:09:07,950 And there’s no space for ‘@’. So all ancient stuff. But still, a possible 108 00:09:07,950 --> 00:09:12,710 privacy hazard, right? You wouldn’t want anybody to access this kind of information 109 00:09:12,710 --> 00:09:20,780 about yourself. The three main players who run GDS’s – Amadeus, mostly in Europe, 110 00:09:20,780 --> 00:09:25,197 Sabre, mostly in the US, and then there’s Galileo that merged with a few other 111 00:09:25,197 --> 00:09:29,760 things into ‘Travelport’. And Galileo isn’t really so much used by airlines 112 00:09:29,760 --> 00:09:36,259 but it’s more used by travel agencies. And then, often, multiple of these systems 113 00:09:36,259 --> 00:09:40,160 they’re involved in the booking. So let’s say you go through Expedia and you book 114 00:09:40,160 --> 00:09:47,260 an American Airlines flight, the PNR has to be kept in Amadeus as well as Sabre. 115 00:09:47,260 --> 00:09:51,470 So there’s two copies here. Or let’s say you go through a travel agency that’s 116 00:09:51,470 --> 00:09:55,450 connected to Galileo, and you book a flight that has both Lufthansa and 117 00:09:55,450 --> 00:09:59,420 Aeroflot segments it would be kept in all three of them. So this is lots of 118 00:09:59,420 --> 00:10:06,375 redundancy depending on where your flight segments and booking agents come from. 119 00:10:06,375 --> 00:10:11,150 But sufficient to say there are three big companies, who apparently hold on to the 120 00:10:11,150 --> 00:10:15,340 private information of all travelers. Hundreds of millions of records 121 00:10:15,340 --> 00:10:21,250 for each of those systems. And we wanted to find out whether they can sufficiently 122 00:10:21,250 --> 00:10:25,730 protect this information. And there’s, of course, reasons to believe that they can’t. 123 00:10:25,730 --> 00:10:31,330 This is very old technology and it’s unclear whether they ever did any major 124 00:10:31,330 --> 00:10:35,890 security upgrades. But at the same time there’s reasons to believe that they 125 00:10:35,890 --> 00:10:42,985 are very well secured because this PNR data, this very information about travelers 126 00:10:42,985 --> 00:10:47,412 that has been disputed between different governments for a long time, in particular 127 00:10:47,412 --> 00:10:51,630 the U.S. Government, and asking for more and more information since 9/11 in 128 00:10:51,630 --> 00:10:56,350 multiple waves, and the E.U. governments that say: “No, you can’t have more 129 00:10:56,350 --> 00:11:01,569 information than you absolutely need. So they agree politically that, yes, the U.S. 130 00:11:01,569 --> 00:11:05,634 can get information on those travelers going to the U.S. but only certain data 131 00:11:05,634 --> 00:11:08,990 fields, and have to delete them after a few years. So this was years 132 00:11:08,990 --> 00:11:14,730 of negotiation. And you’d imagine that the systems at the forefront of this dispute 133 00:11:14,730 --> 00:11:21,212 they’d be secure enough that, let’s say, we couldn’t access those same information 134 00:11:21,212 --> 00:11:26,440 that even the U.S. Government is supposed to not access. So we set out to answer 135 00:11:26,440 --> 00:11:33,970 this simple question: do these GDS’s, do they have normal, basic security. 136 00:11:33,970 --> 00:11:39,990 Do they constrain access, do they authenticate users well, do they protect 137 00:11:39,990 --> 00:11:46,419 through rate limiting from web attacks, and do they log to be able to detect any 138 00:11:46,419 --> 00:11:51,841 possible type of abuse. We’ll go through each of them to see where those systems 139 00:11:51,841 --> 00:11:57,193 stand. Let’s start with access control. And this is just drawing 140 00:11:57,193 --> 00:12:02,000 from public sources, so, again, Ed Hasbrouck, this privacy advocate 141 00:12:02,000 --> 00:12:09,489 in California, he has been the loudest voice here, saying, there’s overreach by a 142 00:12:09,489 --> 00:12:15,720 lot of players already accessing PNR information. So e.g. if you have a booking, 143 00:12:15,720 --> 00:12:20,604 let’s say a flight booking, anybody who works at this airline can access 144 00:12:20,604 --> 00:12:24,641 your information. But then, if you add, let’s say, a car reservation to the same 145 00:12:24,641 --> 00:12:28,860 booking, anybody who works at the car rental company can also access 146 00:12:28,860 --> 00:12:35,630 let’s say the flight information. And any agent at the booking agency 147 00:12:35,630 --> 00:12:39,903 that you use can access all of this information. And if you keep adding 148 00:12:39,903 --> 00:12:43,630 information all of these people still have access to it. That’s just how these 149 00:12:43,630 --> 00:12:49,360 systems grew over time, but that’s a first indication to me that this certainly 150 00:12:49,361 --> 00:12:54,711 wasn’t built with modern security in mind. Most concerningly 151 00:12:54,711 --> 00:13:01,110 the people working at or for the GDS companies, they have access to everything, 152 00:13:01,110 --> 00:13:05,140 absolutely everything. Including their support stuff, as far as I understand. 153 00:13:05,140 --> 00:13:09,030 So these are external companies that help debug the system, and they 154 00:13:09,030 --> 00:13:15,253 have access to hundreds of millions of people’s private information. 155 00:13:15,253 --> 00:13:20,034 So way too many people have access to way too much information, e.g. if you 156 00:13:20,034 --> 00:13:24,200 did an online booking your IP address is stored there, basically forever, 157 00:13:24,200 --> 00:13:28,570 well, until the flight is over. But any of these people can now access your 158 00:13:28,570 --> 00:13:33,252 IP address, your e-mail address, phone number and all of this. 159 00:13:33,252 --> 00:13:37,896 So definitely that doesn’t seem to be fine-grained access control. But, 160 00:13:37,896 --> 00:13:42,886 as I said earlier, this has been known for a long time and criticized a lot. 161 00:13:42,886 --> 00:13:49,366 Not acted on, though, yet! How about authentication? The picture is actually 162 00:13:49,366 --> 00:13:53,820 even worse for authentication. And I want to distinguish two different cases here. 163 00:13:53,820 --> 00:13:57,690 I wanna distinguish professionals accessing records, so people working 164 00:13:57,690 --> 00:14:02,230 at travel agencies and airlines. And, as a second case I wanna distinguish 165 00:14:02,230 --> 00:14:06,110 travelers accessing their own records, like when you check-in online e.g., 166 00:14:06,110 --> 00:14:11,750 you access your own record. Professionals, the way they access it, typically, is that 167 00:14:11,750 --> 00:14:16,530 their agency is connected to one of these GDS’s through basically one account. 168 00:14:16,530 --> 00:14:20,980 So an entire agency system, or at least an entire location uses one account. 169 00:14:20,980 --> 00:14:25,350 So years ago somebody typed in some user name and password, and then it’s long been 170 00:14:25,350 --> 00:14:30,250 forgotten because locally they use a different access management. 171 00:14:30,250 --> 00:14:34,890 A few travel agencies were kind enough to help us in this research, and their access 172 00:14:34,890 --> 00:14:39,470 credentials, we saw them using, they’re just terrible. E.g. for one of the big 173 00:14:39,470 --> 00:14:44,365 systems that I won’t name you need the agent ID, so that you can get pretty 174 00:14:44,365 --> 00:14:48,870 easily. And then a password for the web service, so of the modern way of accessing, 175 00:14:48,870 --> 00:14:54,791 this is WS for web service and the date on which the password was created. 176 00:14:54,791 --> 00:14:58,960 So even if you have to brute-force 20 years, how many possible dates 177 00:14:58,960 --> 00:15:05,440 does a single year have? Times 20. This is ridiculously low entropy for an account 178 00:15:05,440 --> 00:15:12,535 that is supposed to protect information of millions of people, if not more. 179 00:15:12,535 --> 00:15:16,414 This is the best authenticator that we found in these systems! 180 00:15:16,414 --> 00:15:19,210 *laughter* 181 00:15:19,210 --> 00:15:24,486 It gets worse with travelers accessing their own information. Because there 182 00:15:24,486 --> 00:15:27,600 they just simply forgot to give you a password, not even a terrible password 183 00:15:27,600 --> 00:15:33,090 like this; there just isn’t one. And what they use instead is the booking code, 184 00:15:33,090 --> 00:15:37,120 ‘PNR locator’ it is sometimes called. I call it booking code. 185 00:15:37,120 --> 00:15:42,237 It’s a six-digit code. When you check-in online you need that code. 186 00:15:42,237 --> 00:15:46,640 And you only need that code and your last name. So you’d imagine that, 187 00:15:46,640 --> 00:15:51,810 if they treat it as a password equivalent then they would keep it secret 188 00:15:51,810 --> 00:15:56,630 like a password. Only – they don’t, but rather print it on every piece 189 00:15:56,630 --> 00:16:00,940 that you get from the airline, e.g. on every piece of luggage you have 190 00:16:00,940 --> 00:16:07,390 your last name and a six-digit code. On your boarding pass – 191 00:16:07,390 --> 00:16:11,433 it used to be there, and then it disappeared and then these barcodes 192 00:16:11,433 --> 00:16:15,198 showed up. So it’s inside the barcode. If you decode the barcode there is 193 00:16:15,198 --> 00:16:20,320 your PNR in there. I erased it here, this is still for a valid booking. 194 00:16:20,320 --> 00:16:23,968 *laughter* 195 00:16:23,968 --> 00:16:30,910 So, you have this six-digit codes printed everywhere and you can just find them 196 00:16:30,910 --> 00:16:36,491 on pieces of scrap at the airport. Certainly these tags you find all over, 197 00:16:36,491 --> 00:16:39,700 but also people throwing away their boarding passes when they’re done. 198 00:16:39,700 --> 00:16:44,555 And this is supposed to be the only way of authenticating users. And we’ll 199 00:16:44,555 --> 00:16:51,240 show you in a minute what kind of abuse is possible through that. 200 00:16:51,240 --> 00:16:56,190 But let’s first think about where else you could be able to find these PNR codes. 201 00:16:56,190 --> 00:17:00,930 Could it get any worse than somebody printing your password on a piece of paper 202 00:17:00,930 --> 00:17:04,650 that you throw away at the end of your journey. Of course the internet can make 203 00:17:04,650 --> 00:17:11,050 it worse! And what better technology to worsen the security problem than 204 00:17:11,050 --> 00:17:28,390 Instagram? So on Instagram… *laughter and applause* 205 00:17:28,390 --> 00:17:33,550 So you got all these bookings. And, in fact, there was one guy here, you see, he 206 00:17:33,550 --> 00:17:38,580 actually erased the information. But for one who knows what’s up, everywhere, 207 00:17:38,580 --> 00:17:43,240 there’s a hundred who don’t. And this is really all information you need. 208 00:17:43,240 --> 00:17:47,860 I saw a Lufthansa one just now, where was that? – Here. 209 00:17:47,860 --> 00:17:59,190 So here is a Lufthansa one. This is from today, posted by markycz at Frankfurt. 210 00:17:59,190 --> 00:18:04,370 This is really all you need to get somebody’s… 211 00:18:04,370 --> 00:18:15,114 *laughter and applause* 212 00:18:15,114 --> 00:18:17,410 Let’s see if this works. Yeah, sure enough. So. 213 00:18:17,410 --> 00:18:18,590 *laughter* 214 00:18:18,590 --> 00:18:24,550 'Marky M.' on Instagram is apparently Marketa Mottlova 215 00:18:24,550 --> 00:18:28,160 and this is her booking reference. 216 00:18:28,160 --> 00:18:33,280 *laughter* 217 00:18:33,280 --> 00:18:37,050 I was debating whether or not to show this but you guys are gonna do it anyway 218 00:18:37,050 --> 00:18:40,900 when I’m done with this talk. *laughter* 219 00:18:49,242 --> 00:19:01,600 *cheers and applause* 220 00:19:01,600 --> 00:19:06,960 So a flight today from Munich to Frankfurt and then, on to Seattle. 221 00:19:06,960 --> 00:19:11,670 Let me point out one thing here. 222 00:19:11,670 --> 00:19:15,260 Where did I see the ticket number? 223 00:19:15,260 --> 00:19:23,040 *off camera mumbling on stage* 224 00:19:23,040 --> 00:19:32,555 Just use mine! 225 00:19:32,555 --> 00:19:38,740 It’s AndroidAPKN Oops. 226 00:19:38,740 --> 00:19:50,080 And then let me write down the password. 227 00:19:50,080 --> 00:19:57,060 Okay. Alright. 228 00:19:57,060 --> 00:20:02,000 So what I wanted to point out is that this isn’t even a Lufthansa ticket. 229 00:20:02,000 --> 00:20:08,830 So she checked in with Lufthansa in Frankfurt. But if you look at the 230 00:20:08,830 --> 00:20:14,950 ticket number, 016, that’s a United [Airlines] ticket. And it also includes 231 00:20:14,950 --> 00:20:19,950 flights on Alaska Airlines e.g. So any of these airlines have 232 00:20:19,950 --> 00:20:27,230 full access to this PNR. And many of them will just grant people access to it 233 00:20:27,230 --> 00:20:32,860 if they know the PNR and the last name. As Nemanja will show in a minute, 234 00:20:32,860 --> 00:20:38,570 even if they don’t know that yet. So... 235 00:20:38,570 --> 00:20:43,200 To recap for the moment: airlines give you a six-digit password that they print 236 00:20:43,200 --> 00:20:50,470 on all kinds of pieces of paper and that you will post on Instagram. 237 00:20:50,470 --> 00:20:54,690 Why shouldn’t you, everybody else does, too, apparently. 75,000 people at least 238 00:20:54,690 --> 00:20:59,650 over the last couple of weeks. So the authentication model here is 239 00:20:59,650 --> 00:21:05,420 severely broken, too. And what kind of abuse arises from this? 240 00:21:05,420 --> 00:21:10,180 Of course, you can now use this PNR, log in on Lufthansa as I have just done 241 00:21:10,180 --> 00:21:15,950 or a more generic web site, like Checkmytrip and look up peoples’ 242 00:21:15,950 --> 00:21:19,040 contact information at the very least. So there’s always an email address 243 00:21:19,040 --> 00:21:23,620 in there. There’s usually a phone number in there. If in Lufthansa you click on 244 00:21:23,620 --> 00:21:29,200 “I wanna change my booking” probably they’ll ask you for your payment information 245 00:21:29,200 --> 00:21:32,910 and pre-fill the postal address for that. So you get somebody’s postal address 246 00:21:32,910 --> 00:21:38,320 that they used for the booking, passport information, visa information. If you 247 00:21:38,320 --> 00:21:41,520 travel to the U.S. as she does there’s definitely passport information 248 00:21:41,520 --> 00:21:48,610 in the PNR. All of this information is now readily accessible. Now so far 249 00:21:48,610 --> 00:21:53,120 there was zero hacking involved. That’s why we have Nemanja here who will 250 00:21:53,120 --> 00:22:00,190 show you some actual hacking to get even deeper into these systems. 251 00:22:00,190 --> 00:22:03,230 Can we switch the screen? 252 00:22:03,230 --> 00:22:09,560 Nemanja Nikodijevic: So when… *laughter* 253 00:22:09,560 --> 00:22:18,590 When we started this research we needed to find lots of these boking numbers 254 00:22:18,590 --> 00:22:24,600 to see if there is some relation between them. So luckily we didn’t have to 255 00:22:24,600 --> 00:22:28,960 make any bookings that we had to pay because there are web sites like this one 256 00:22:28,960 --> 00:22:33,270 where you can just make a booking and pay it later but you get 257 00:22:33,270 --> 00:22:39,490 the booking reference number at the time. So let’s make some very normal 258 00:22:39,490 --> 00:22:45,786 German name… *laughter* ..looking for someone from Germany. 259 00:22:45,786 --> 00:22:52,550 Actually they check the phone number, so it has to follow the certain form. 260 00:22:52,550 --> 00:22:59,968 Let’s find Germany… from Berlin, 261 00:22:59,968 --> 00:23:04,435 1234567. *laughter* 262 00:23:04,435 --> 00:23:09,390 And then ‘hans@sandiego.com’. 263 00:23:09,390 --> 00:23:14,940 As you can see I tried quite some… *laughter* 264 00:23:14,940 --> 00:23:19,950 So for this one we already got our booking reference number 265 00:23:19,950 --> 00:23:28,584 which is Y56HOY. And this one, in a minute. 266 00:23:28,584 --> 00:23:33,340 Okay, we have to wait a bit. Y5LCF4. So if you notice 267 00:23:33,340 --> 00:23:39,110 they are very close to each other, so they both start with Y5 which means 268 00:23:39,110 --> 00:23:44,160 that they were booked on the same day. Probably because one is on Lufthansa, 269 00:23:44,160 --> 00:23:49,560 the other one is on Air Berlin, there is slight difference. They are not exactly 270 00:23:49,560 --> 00:23:53,160 sequential. But we can say that they are concentrated in a certain range 271 00:23:53,160 --> 00:23:58,410 for a certain day. What we can do now is 272 00:23:58,410 --> 00:24:03,910 we can go to one of our servers. At first 273 00:24:03,910 --> 00:24:08,380 we have to check if checkmytrip works 274 00:24:08,380 --> 00:24:12,840 because I had some issues with the network. 275 00:24:12,840 --> 00:24:17,510 That’s… ooh! *laughter* 276 00:24:17,510 --> 00:24:22,260 This is a bit unexpected. We will have to skip this part 277 00:24:22,260 --> 00:24:28,210 where we actually look for Carmen Sandiego in one of our bookings. 278 00:24:28,210 --> 00:24:29,210 But… 279 00:24:29,210 --> 00:24:32,990 Karsten: Well, this is a side effect of responsible disclosure. So you tell 280 00:24:32,990 --> 00:24:37,881 a company that on this day you’ll do that thing to that web site, and they just 281 00:24:37,881 --> 00:24:41,580 either block the IP ranges here or just took down the web site which they 282 00:24:41,580 --> 00:24:48,430 have done a few times before. What you can do is… – say it again!! 283 00:24:48,430 --> 00:24:52,590 From audience: Can you test the hot spot? 284 00:24:52,590 --> 00:24:56,880 Karsten: Actually, I think the whole web site is turned off. 285 00:24:56,880 --> 00:25:03,710 Nemanja: What we can demonstrate, I think, is that if we go with this booking number, 286 00:25:03,710 --> 00:25:10,309 to Air Berlin web site, and then type last name, “Mueller”. 287 00:25:10,309 --> 00:25:16,850 And actually, because it’s six-bit encoding it has to be “UE”, no Umlauts 288 00:25:16,850 --> 00:25:27,263 allowed. So, “Select all the food!” *laughter and applause* 289 00:25:27,263 --> 00:25:29,353 Let’s see if we can find this flight. 290 00:25:29,353 --> 00:25:32,420 Karsten: The part of the demo that you didn’t show is just brute-forcing 291 00:25:32,420 --> 00:25:37,440 these ranges. If you know which ranges are used in a day you can try them all. 292 00:25:37,440 --> 00:25:44,590 Or at least we did many times. That would then, in theory, give you access 293 00:25:44,590 --> 00:25:48,360 to all of this. And not just in theory, in practice, unless they take down their 294 00:25:48,360 --> 00:25:52,592 entire web site which they knew we were gonna use for this demo. 295 00:25:52,592 --> 00:25:58,270 Nemanja: But on this, for example, if we caught that flight that we wanted to catch… 296 00:25:58,270 --> 00:26:05,670 Karsten: We’ll show it later. But at least the first win for privacy: no information 297 00:26:05,670 --> 00:26:09,690 is leaked through this web site for the rest of this talk, at least! 298 00:26:09,690 --> 00:26:12,300 *laughter and applause* 299 00:26:12,300 --> 00:26:21,010 Can we switch back to the other screen? *ongoing applause* 300 00:26:21,010 --> 00:26:24,870 One thing that you would have noticed had this not just been a flight reservation 301 00:26:24,870 --> 00:26:29,390 but an actual ticket: it would have given you options to rebook it, 302 00:26:29,390 --> 00:26:34,250 to add a frequent flyer number, all of that good stuff. So what’s the abuse potential 303 00:26:34,250 --> 00:26:38,850 here? So far we’ve only talked about privacy intrusion. And privacy intrusion 304 00:26:38,850 --> 00:26:43,130 is bad enough. Imagine somebody is snapping a picture of your luggage, 305 00:26:43,130 --> 00:26:48,320 that person has your email address and your phone number, right there, right then. 306 00:26:48,320 --> 00:26:55,559 But the abuse potential goes much beyond that. For instance, you can fly for free! 307 00:26:55,559 --> 00:26:59,540 You can fly for free using different methods. You can find somebody else’s 308 00:26:59,540 --> 00:27:04,120 booking and just change the date. The ticket… in fact, we can show it 309 00:27:04,120 --> 00:27:09,740 a little bit later. We had prepared for this demo that we are going to find 310 00:27:09,740 --> 00:27:13,200 through a little bit of brute-force that’s a flexible ticket. So you can just change 311 00:27:13,200 --> 00:27:16,890 the date, and change the email address. You just take that flight yourself. 312 00:27:16,890 --> 00:27:22,770 And as the airline checks… compares the ticket and your passport – oftentimes 313 00:27:22,770 --> 00:27:26,110 they do it visually. What they’ll do is they’ll send you a PDF, you change 314 00:27:26,110 --> 00:27:31,760 the name, you take it anyway. But at least in Schengen, in the EU, people don’t even 315 00:27:31,760 --> 00:27:38,450 do that. Let’s say you wanted to take it in your name. You can, 316 00:27:38,450 --> 00:27:43,100 depending on the airline, call them up or even use their web sites to cancel 317 00:27:43,100 --> 00:27:48,900 the ticket, and the issue a refund to you inside the PNR, and then use the money 318 00:27:48,900 --> 00:27:54,600 that’s freed up there to book a new ticket. Some airlines also give you 319 00:27:54,600 --> 00:28:01,370 MCOs – miscellaneous charges orders. Americans will know this very well, 320 00:28:01,370 --> 00:28:05,760 every time you get bumped from a flight they give you an MCO, “sorry, we can’t 321 00:28:05,760 --> 00:28:09,420 fly you home today, you’ll have to go tomorrow, but here is $1,000 towards 322 00:28:09,420 --> 00:28:17,309 a new ticket”. It’s real airline cash. And those same MCOs you can issue 323 00:28:17,309 --> 00:28:21,059 based on flight cancellation. So you cancel somebody else’s ticket and you get 324 00:28:21,059 --> 00:28:26,090 airline money to book your own ticket. And, again, there are no passwords 325 00:28:26,090 --> 00:28:30,960 involved. The only authenticator is this six-digit sequence that people post 326 00:28:30,960 --> 00:28:36,480 on Instagram, print on their boarding passes and that Nemanja should be able 327 00:28:36,480 --> 00:28:42,270 to brute-force on their web sites. What else can you do, once you have somebody’s 328 00:28:42,270 --> 00:28:47,820 PNR? You can change or add a mile number. And some tickets are really attractive 329 00:28:47,820 --> 00:28:54,880 for mile collection. Take a round trip to Australia in 1st class, get 60,000 miles 330 00:28:54,880 --> 00:29:01,870 right there, for one round trip, for one PNR. And that will get you a sweet, free 331 00:29:01,870 --> 00:29:11,280 flight to somewhere nice, or even some voucher for online and offline shopping. 332 00:29:11,280 --> 00:29:17,779 One website that I wish was still working is, of course, this one. 333 00:29:17,779 --> 00:29:20,439 *laughter* 334 00:29:20,439 --> 00:29:26,602 But they shut down business, apparently. Unrelated to this talk. 335 00:29:26,602 --> 00:29:30,070 *laughter and single claps* 336 00:29:30,070 --> 00:29:36,740 So you have access to somebody’s PNR, you can not just stalk them but change 337 00:29:36,740 --> 00:29:44,260 their flights or – which may trigger some curiosity – that flight can be taken twice. 338 00:29:44,260 --> 00:29:48,840 But you can very stealthily add your mile number everywhere, well, a new mile number 339 00:29:48,840 --> 00:29:57,400 matching that name to collect those sweet miles. Now, are all airlines affected 340 00:29:57,400 --> 00:30:03,267 by that? The demo that we didn’t get to show brute-forced for one last name, 341 00:30:03,267 --> 00:30:10,250 Sandiego, all the PNRs for a day. And it quickly found, in fact, a bunch of records. 342 00:30:10,250 --> 00:30:15,080 There’s not just one Sandiego flying that day. But in some airlines they’re 343 00:30:15,080 --> 00:30:19,050 a little bit smarter. For instance American Airlines, the largest airline in the world, 344 00:30:19,050 --> 00:30:24,790 they don’t just want the last name but also the first name. And if you’re 345 00:30:24,790 --> 00:30:28,150 interested in one specific person, let’s say ‘Carmen Sandiego’, you would still 346 00:30:28,150 --> 00:30:32,920 find that person. But if you want to conduct fraud that becomes a little bit 347 00:30:32,920 --> 00:30:39,580 more tricky. A fraudster would just pick a random, very popular last name and 348 00:30:39,580 --> 00:30:45,610 brute-force PNRs there. And that becomes more difficult if also you have to guess 349 00:30:45,610 --> 00:30:51,990 a first name. However, even American Airlines, those records can be accessed 350 00:30:51,990 --> 00:30:57,200 through other web sites. For istance Viewtrip, this is another generic web site like this 351 00:30:57,200 --> 00:31:02,050 infamous Checkmytrip that just went offline. And Viewtrip allows you 352 00:31:02,050 --> 00:31:08,880 to brute-force by just last name and PNR, again. So there’s multiple ways to access 353 00:31:08,880 --> 00:31:13,570 the same information. Some of which are more secured than others. And, of course, 354 00:31:13,570 --> 00:31:18,831 only the weakest link mattered. So Viewtrip, what they would say is 355 00:31:18,831 --> 00:31:24,549 they found the record and they can’t give you access to the information but then 356 00:31:24,549 --> 00:31:29,090 TripCase will which, again, takes only last name and reservation number. 357 00:31:29,090 --> 00:31:32,980 And they will tell you the first name also that then you can type in to 358 00:31:32,980 --> 00:31:34,960 the American Airlines web site again *laughter* 359 00:31:34,960 --> 00:31:42,559 to change the booking, let’s say. So there’s all these different ways to access 360 00:31:42,559 --> 00:31:47,920 a person’s information here. And everybody is slightly different. So let’s look at the 361 00:31:47,920 --> 00:31:55,830 entire universe of travel web sites, starting with just three big travel providers. 362 00:31:55,830 --> 00:32:02,950 Each of them uses six-digit booking codes. But they use these six-digits rather 363 00:32:02,950 --> 00:32:08,250 differently. Sabre e.g. they don’t use any numbers which of course severely impacts 364 00:32:08,250 --> 00:32:16,530 the entropy. But then others, e.g. Amadeus, they don’t use 1 and 0, because that could 365 00:32:16,530 --> 00:32:23,860 be confused with i and o, and then Galileo drops a few other characters. So 366 00:32:23,860 --> 00:32:27,950 at the end of the day none of them really used the entropy of even a six-digit 367 00:32:27,950 --> 00:32:34,490 pass code. All of them are in entropy lower than a randomly chosen 5-digit 368 00:32:34,490 --> 00:32:38,410 password. And we will never recommend anybody to use a 5-digit password, right? 369 00:32:38,410 --> 00:32:44,030 So this is strictly worse. And what makes it even worse, at least for 370 00:32:44,030 --> 00:32:47,910 privacy-intruding attacks, is the sequential nature of these bookings. 371 00:32:47,910 --> 00:32:53,181 You saw the two that Nemanja just now generated. Both of them were from 372 00:32:53,181 --> 00:32:57,930 the same, very small sub set. So if you just wanted to know all the bookings 373 00:32:57,930 --> 00:33:01,820 that a person did today, you can brute-force this in 10 minutes 374 00:33:01,820 --> 00:33:06,900 with a few computers running in parallel. It’s not so easy on Sabre because 375 00:33:06,900 --> 00:33:12,160 they seem to be chosen more randomly. However, Sabre has the lowest entropy, 376 00:33:12,160 --> 00:33:18,460 so if you just randomly want to find bookings for popular last names Sabre is 377 00:33:18,460 --> 00:33:27,410 your system of choice. They’re all weak, but the weaknesses differ in shades of grey 378 00:33:27,410 --> 00:33:31,610 for this privacy intruding and for the financial fraud-type attacks. 379 00:33:31,610 --> 00:33:37,390 As one example, though, of how easy it is to find these booking codes, if you 380 00:33:37,390 --> 00:33:45,030 look up 1,000 just randomly chosen booking codes in Sabre for the last name ‘Smith’ 381 00:33:45,030 --> 00:33:50,970 five will come back with current bookings. So half a percent of the entire name space 382 00:33:50,970 --> 00:33:55,900 is filled with current bookings for people called ‘Smith’! Now, add in all the other 383 00:33:55,900 --> 00:34:01,670 last names, their name space must be pretty damn full. And it’s only 300 mio. 384 00:34:01,670 --> 00:34:05,549 records if you calculate the entropy. So it looks like almost every record 385 00:34:05,549 --> 00:34:09,650 is used up and they’re running out of space. So they’ll have to fix this anyway 386 00:34:09,650 --> 00:34:14,580 at some point. But that, of course, makes it all the easier to randomly find and 387 00:34:14,580 --> 00:34:22,409 abuse other people’s bookings. Each of those providers runs a website 388 00:34:22,409 --> 00:34:26,239 that allows you to access all the PNRs in their system if you know the PNR and 389 00:34:26,239 --> 00:34:31,540 the last name. And one German reporter writing about this, he calls the 390 00:34:31,540 --> 00:34:38,280 websites that you didn’t know existed, that you have no use for but that, anyway, 391 00:34:38,280 --> 00:34:43,510 put your privacy at risk. So there doesn’t seem to be any up side to these web sites. 392 00:34:43,510 --> 00:34:47,590 I certainly don’t need to use them but they’re there, and they’re bad. 393 00:34:47,590 --> 00:34:52,469 Because when we did the research none of them had any protection from brute-forcing 394 00:34:52,469 --> 00:34:56,599 meaning we could try 100,000, even millions of different combinations 395 00:34:56,599 --> 00:35:01,869 – PNR and last name – and those websites wouldn’t complain even a bit. 396 00:35:01,869 --> 00:35:09,390 We did expose Amadeus to way more queries that the others and at some point 397 00:35:09,390 --> 00:35:13,040 they did notice, maybe also because some reporters just asked them for comments 398 00:35:13,040 --> 00:35:19,480 on the research. They have tried to improve. So the classic checkmytrip.com 399 00:35:19,480 --> 00:35:24,090 website that was just killed a few days ago – R.I.P., thank you, it’s gone, 400 00:35:24,090 --> 00:35:29,780 50% of the problem solved. But the other website, that was still around up until 401 00:35:29,780 --> 00:35:35,710 literally half an hour ago. What they did over the last couple of days was, 402 00:35:35,710 --> 00:35:41,390 they added a captcha. But the captcha gave you a cookie. And the cookie you could 403 00:35:41,390 --> 00:35:45,890 again use for indefinite number of queries. *laughter* 404 00:35:45,890 --> 00:35:51,840 It’s a company that just hasn’t done web security before. But then they also 405 00:35:51,840 --> 00:35:56,820 limited the number of requests per IP address. Now, we do this from Amazon, 406 00:35:56,820 --> 00:36:01,920 so it’s not so difficult to spawn new IP addresses, but still… it severely 407 00:36:01,920 --> 00:36:10,720 slows us down. About 1.000 requests per IP address. Even if they now took down 408 00:36:10,720 --> 00:36:15,500 checkmytrip for good, of course, this is not the only pass to a reservation. 409 00:36:15,500 --> 00:36:21,242 As we’ve seen before you can just use the provider’s web site directly. And the 410 00:36:21,242 --> 00:36:26,350 popular ones in Germany, they differed in security quite a bit when we checked 411 00:36:26,350 --> 00:36:30,080 a few weeks ago. So Lufthansa itself differed on their different properties. 412 00:36:30,080 --> 00:36:35,190 The standard website asked for a captcha, not the first time, but I think starting 413 00:36:35,190 --> 00:36:39,740 from three requests, so a really good compromise. They make it comfortable 414 00:36:39,740 --> 00:36:44,540 to use for really anybody who just wants to look up their own records. But then 415 00:36:44,540 --> 00:36:48,250 they make it a little bit more painful for somebody who tries to look up 416 00:36:48,250 --> 00:36:52,958 too many. But then the mobile version e.g. didn’t have that captcha. And again, 417 00:36:52,958 --> 00:36:58,690 weakest link principle applies. Air Berlin, they had some rough IP filter, 418 00:36:58,690 --> 00:37:02,359 again, 1.000 requests per IP, that’s a little bit too much, they introduced 419 00:37:02,359 --> 00:37:08,590 a captcha today! So, again, in response to this. This is already showing 420 00:37:08,590 --> 00:37:13,940 some effect. Thank you to checkmytrip and Air Berlin for working on this 421 00:37:13,940 --> 00:37:19,649 over the holidays, much appreciated. Maybe, if you know anybody, thank you! 422 00:37:19,649 --> 00:37:28,340 *applause* 423 00:37:28,340 --> 00:37:35,020 On the other GDS’s the situation is much worse still. They’re still as bruteforceable 424 00:37:35,020 --> 00:37:41,970 as they ever were, as are the web sites. Except for the little bit of first-name 425 00:37:41,970 --> 00:37:48,810 extra complication on American Airlines, every web site we have tried is not protected 426 00:37:48,810 --> 00:37:55,540 from brute-forcing. And this is surprising to me. In my consulting work I have 427 00:37:55,540 --> 00:38:00,480 never seen a web site where not the first pentester ever looking at it would say: 428 00:38:00,480 --> 00:38:04,190 “Oh, you didn’t have rate limiting in it, please add it!” and then, two days later 429 00:38:04,190 --> 00:38:10,310 they had. So for most of this industry that is yet to happen. So no cookie here, 430 00:38:10,310 --> 00:38:18,950 either. Let’s talk about one more abuse scenario that’s… I can say they’re very 431 00:38:18,950 --> 00:38:22,400 relevant but that’s maybe because in my consulting life I’ve been dealing with 432 00:38:22,400 --> 00:38:28,109 human security for the last couple of years, appreciating that technology 433 00:38:28,109 --> 00:38:32,609 is mostly not the weakest link but the the gullibility of people working 434 00:38:32,609 --> 00:38:38,220 in the company. And the same probably goes for travelers. Imagine the scenario where 435 00:38:38,220 --> 00:38:42,400 you made a booking, just a few minutes ago. And now that airline, or at least 436 00:38:42,400 --> 00:38:46,859 it looks like that airline, sends you an e-mail saying “Thank you for making 437 00:38:46,859 --> 00:38:53,160 this reservation, here is all your booking stuff, summarized for you, please update 438 00:38:53,160 --> 00:38:57,480 your credit card information, though. The booking didn’t go through. 439 00:38:57,480 --> 00:39:03,310 I would click on that. I expect them to e-mail me, I know that sometimes 440 00:39:03,310 --> 00:39:08,170 credit cards are fuzzy, I would click on it and enter my credit card information 441 00:39:08,170 --> 00:39:13,830 again. And how is this possible? Of course we can stay ahead of the current pointer 442 00:39:13,830 --> 00:39:18,410 in this sequences and find bookings that were made in the last, let’s say, 443 00:39:18,410 --> 00:39:23,950 half an hour, for popular last names again. And each of those bookings will 444 00:39:23,950 --> 00:39:28,369 point us to an e-mail address, and give us all the context we need to include in this 445 00:39:28,369 --> 00:39:33,740 very, very targeted phishing. If nothing else, I think this should convince 446 00:39:33,740 --> 00:39:38,480 the airline industry to close these loop holes because the evilness of the internet 447 00:39:38,480 --> 00:39:43,190 will not ignore this forever. Phishers are always looking for new targets, and 448 00:39:43,190 --> 00:39:52,369 this will be a very juicy one. So we looked at the three big GDS’s now. 449 00:39:52,369 --> 00:39:59,330 There’s a few other players, e.g. SITA. It looks like on the way out but these two 450 00:39:59,330 --> 00:40:03,830 very big airlines, they still use it. So they’re certainly still relevant. They are 451 00:40:03,830 --> 00:40:08,430 even worse. They use, instead of a six-digit booking code they use five digits. 452 00:40:08,430 --> 00:40:12,540 And one digit is fixed per airline. So if you know you’re looking for Air India 453 00:40:12,540 --> 00:40:18,770 you don’t even have to brute-force that leaving just four digits to go through, 454 00:40:18,770 --> 00:40:23,560 and to brute-force. Now we don’t have a demo for this because we found three 455 00:40:23,560 --> 00:40:28,670 other more fun ones to demo. So… *laughter* 456 00:40:28,670 --> 00:40:35,910 Nemanja will now show you RyanAir, Oman Air and Pakistan International Airlines. 457 00:40:35,910 --> 00:40:42,710 Note that all of these are connected to big GDS systems. So it’s now the web sites 458 00:40:42,710 --> 00:40:48,359 that make it even worse than we already discussed before. And can we switch over 459 00:40:48,359 --> 00:40:51,850 to the other computer again? Thanks. 460 00:40:51,850 --> 00:40:57,900 Nemanja: Yeah, I guess, many people fly with Ryan Air here. 461 00:40:57,900 --> 00:41:02,359 They use Navitaire which is now owned by Amadeus. 462 00:41:02,359 --> 00:41:06,780 So they don’t share the same address space. But on the Ryanair web site you can 463 00:41:06,780 --> 00:41:10,510 either search for the reservation with the e-mail address and the reservation number 464 00:41:10,510 --> 00:41:15,020 or the last four digits of the credit card that you used for booking. 465 00:41:15,020 --> 00:41:16,020 *laughter* 466 00:41:16,020 --> 00:41:20,770 Karsten: Again, great authenticator, right? Ten thousand options. 467 00:41:20,770 --> 00:41:29,820 Nemanja: As they don’t have captcha we can have a look for… 468 00:41:29,820 --> 00:41:34,430 So we know that the last four digits of 469 00:41:34,430 --> 00:41:36,300 Carmen Sandiego’s card are these. 470 00:41:36,300 --> 00:41:38,551 Karsten: And if not we can just try all ten thousand. 471 00:41:38,551 --> 00:41:42,130 Nemanja: We can just try, yeah. We can do the other way around. So this way 472 00:41:42,130 --> 00:41:48,270 we know that… and that it starts with these characters. And let’s try 473 00:41:48,270 --> 00:41:54,130 to brute-force it. In the meantime let’s have a look at the Oman Air. 474 00:41:54,130 --> 00:41:57,890 They ask for the booking reference and for the departure airport. But 475 00:41:57,890 --> 00:42:01,900 departure airport doesn’t have to be just the departure airport but it can also be 476 00:42:01,900 --> 00:42:07,082 any airport that is within the reservation. So for Oman Air we think that it’s 477 00:42:07,082 --> 00:42:13,090 Muscat which is the capital. So usually… most of these slides 478 00:42:13,090 --> 00:42:18,420 go through there. Let’s see if we can find someone who is… 479 00:42:18,420 --> 00:42:24,430 Karsten: And he’s now just trying random booking codes that are valid within 480 00:42:24,430 --> 00:42:28,820 that name space. So, again, they don’t really use the full entropy. So that makes 481 00:42:28,820 --> 00:42:32,830 the search a little bit quicker but other than that it’s just a pure brute-force. 482 00:42:32,830 --> 00:42:37,830 Nemanja: And as there is no captcha as you can see we can go on to the next one. 483 00:42:37,830 --> 00:42:39,869 So this one is the winner! 484 00:42:39,869 --> 00:42:44,180 *laughter* 485 00:42:44,180 --> 00:42:53,609 They trust you that it’s yours! *strong applause* 486 00:42:53,609 --> 00:43:00,780 And let’s see … so we already have one for the Oman Air. Okay. This is the one… 487 00:43:00,780 --> 00:43:01,780 this is where… 488 00:43:01,780 --> 00:43:04,910 Karsten: That was RyanAir, huh? 489 00:43:04,910 --> 00:43:07,180 Nemanja: This is the RyanAir, yeah. 490 00:43:07,180 --> 00:43:10,670 So we didn’t bring these two characters. 491 00:43:10,670 --> 00:43:15,110 But… because we wanted to hide it. If we accidentally hit some booking with that 492 00:43:15,110 --> 00:43:18,840 card number we don’t want to show the booking reference number of someone else. 493 00:43:18,840 --> 00:43:27,820 So it might be even some of the people here. We can try… 494 00:43:27,820 --> 00:43:33,950 Even got one from the Pakistan. Carmen Sandiego is flying from SXF to TSR. 495 00:43:33,950 --> 00:43:45,750 And here we can just enter the… what was the, I think… if I’m right… 496 00:43:45,750 --> 00:43:54,140 Let’s see if this will work. Yeah, okay. 497 00:43:54,140 --> 00:43:55,400 Hello Carmen Sandiego. 498 00:43:55,400 --> 00:44:01,099 Karsten: So now we know where Carmen Sandiego is, finally. The point is, 499 00:44:01,099 --> 00:44:05,450 we made, you can brute-force these web sites rather easily and you don’t really 500 00:44:05,450 --> 00:44:10,410 trigger any alerts there, apparently. Which, again, coming from 501 00:44:10,410 --> 00:44:15,180 an IT security background I find pretty shocking. Can we switch back to 502 00:44:15,180 --> 00:44:25,140 the other screen? Let’s look at the last security feature that we would expect 503 00:44:25,140 --> 00:44:30,090 any IT system to have, these days. Especially knowing that it has been 504 00:44:30,090 --> 00:44:33,880 criticized for lack of IT security for a long time. And that, of course, 505 00:44:33,880 --> 00:44:40,260 is accountability, logging. At least track who’s legitimately or illegitimately 506 00:44:40,260 --> 00:44:45,010 accessing these records. It turns out that it has been asked for a long time 507 00:44:45,010 --> 00:44:50,410 by different people, again most notably Ed Hasbrouck, this privacy advocate, 508 00:44:50,410 --> 00:44:55,400 but also other reporters and other advocates have come across this 509 00:44:55,400 --> 00:44:59,950 for years, saying “there’s rumors that, let’s say, the Department of Homeland 510 00:44:59,950 --> 00:45:05,040 Security in the U.S., they have root access in these GDS’s. Where are the records, 511 00:45:05,040 --> 00:45:10,310 whether they are accessing it or not. Where are the records for abuse by 512 00:45:10,310 --> 00:45:15,390 support stuff in these GDS companies. Where are any records? 513 00:45:15,390 --> 00:45:19,250 The GDS companies have always said, “oh, we can’t keep any records, it’s 514 00:45:19,250 --> 00:45:26,240 not technologically possible.” I call BS on that. They are logging… in the tiniest 515 00:45:26,240 --> 00:45:30,520 minutia, any change to a reservation there’s a log for. And then access log 516 00:45:30,520 --> 00:45:34,910 does not exist? And it’s not technologically possible? I think there’s 517 00:45:34,910 --> 00:45:40,119 a completely different reason behind here. If, in fact, these companies gave access, 518 00:45:40,119 --> 00:45:45,130 unlawful access, or at least in violation of privacy laws in, let’s say, 519 00:45:45,130 --> 00:45:49,580 the E.U. or Canada, if, in fact, they gave that access to other governments 520 00:45:49,580 --> 00:45:54,530 the last thing you want is a trail of evidence showing that people have 521 00:45:54,530 --> 00:46:01,070 access to records. So this has nothing to do with technological restrictions, this is 522 00:46:01,070 --> 00:46:05,570 purely – those companies don’t wanna be in the middle of a debate where probably 523 00:46:05,570 --> 00:46:10,810 some sealed order in the U.S. makes them disclose all this information but laws 524 00:46:10,810 --> 00:46:14,820 in Europe make them not disclose the information. They just don’t wanna have 525 00:46:14,820 --> 00:46:20,920 evidence either way. But that leaves us in a very peculiar position where now 526 00:46:20,920 --> 00:46:26,020 we know that these systems are insecure, use very bad authenticators, expose this 527 00:46:26,020 --> 00:46:31,160 over web sites that can be brute-forced and don’t keep any record of if that 528 00:46:31,160 --> 00:46:36,780 actually happens. So it’s completely unknown how much abuse may be 529 00:46:36,780 --> 00:46:41,810 happening here. I think we can be pretty certain that the flight changes for people 530 00:46:41,810 --> 00:46:45,470 to fly for free, that they are not happening very frequently because that’s 531 00:46:45,470 --> 00:46:50,580 the only one of these attack methods that would leave very clear evidence, somebody 532 00:46:50,580 --> 00:46:55,400 actually complaining, saying “I wanted to take my flight but apparently somebody 533 00:46:55,400 --> 00:47:01,180 else already took it before me, or canceled it and took off with the money. 534 00:47:01,180 --> 00:47:04,630 But the other cases we have no idea whether or not they’re happening. 535 00:47:04,630 --> 00:47:08,480 They’re technologically possible, and nobody seems to be looking for these 536 00:47:08,480 --> 00:47:17,040 abuse patterns. In summary, there’s just three big global databases, two in the U.S., 537 00:47:17,040 --> 00:47:24,240 one in Europe. They keep all the information on all the travelers. 538 00:47:24,240 --> 00:47:29,230 This information includes your personal contact information, payment information, 539 00:47:29,230 --> 00:47:34,250 your IP address. So lots of stuff that in a lot of other systems we consider 540 00:47:34,250 --> 00:47:39,700 sensitive, private even. And it should be protected with a good password. We would 541 00:47:39,700 --> 00:47:44,490 advise people to use an 8-character or longer password, with special character. 542 00:47:44,490 --> 00:47:48,839 None of that exists here. The passwords here are six-digits. They are less than 543 00:47:48,839 --> 00:47:53,770 five digits at worth of entropy. They’re printed on scraps of paper that you 544 00:47:53,770 --> 00:47:58,720 throw away. They are found on Instagram an they’re brute-forcable through numerous 545 00:47:58,720 --> 00:48:04,290 web sites by the GDS companies and through the travel providers. So this is very, 546 00:48:04,290 --> 00:48:10,920 very far away from even weak internet security. This really predates the internet 547 00:48:10,920 --> 00:48:17,970 in stupidity and insecurity. And while there’s multiple scenarios in which 548 00:48:17,970 --> 00:48:23,980 either privacy of users is at risk or even fraud could happen none of this is even 549 00:48:23,980 --> 00:48:28,570 logged, and nobody knows or has any way of knowing the magnitude to which 550 00:48:28,570 --> 00:48:33,130 these systems are already abused. So what do we need here? 551 00:48:33,130 --> 00:48:38,260 We clearly need more limitations on who can access what. This is not just my ask. 552 00:48:38,260 --> 00:48:43,020 This has been asked for 10 .. 20 years. But more on the technical level, 553 00:48:43,020 --> 00:48:48,730 in a long term, we need passwords for every traveler. You should be able 554 00:48:48,730 --> 00:48:53,380 to post a picture of your boarding pass on Instagram without having to worry 555 00:48:53,380 --> 00:48:57,140 about somebody abusing it. This is a piece of paper that you will throw away. 556 00:48:57,140 --> 00:49:02,870 There should be nothing secret about it. If you wanna share it – feel free to. 557 00:49:02,870 --> 00:49:08,010 Somebody else needs to add a password to make that safe again. 558 00:49:08,010 --> 00:49:12,760 But that’s a very long-term goal. These travel companies, they’re so interwoven, 559 00:49:12,760 --> 00:49:18,080 as we saw today, that all of them really have to move at the same time. 560 00:49:18,080 --> 00:49:24,860 The GDS’s have to do their share. But then each of interconnected airlines has to do 561 00:49:24,860 --> 00:49:29,119 their share. We saw this one random ticket from Instagram, so this was a Lufthansa 562 00:49:29,119 --> 00:49:35,810 ticket with some Alaska Air components issued by United. So at least those three 563 00:49:35,810 --> 00:49:40,020 companies have to work together. And how many more different airlines today have 564 00:49:40,020 --> 00:49:44,670 code-share agreements. So we’re talking about hundreds of companies who have 565 00:49:44,670 --> 00:49:50,260 to come together and decide “we wanna introduce pass codes, passwords”, 566 00:49:50,260 --> 00:49:54,730 whatever you wanna call them, “for each booking”. So that is a long-term goal. 567 00:49:54,730 --> 00:49:59,100 In the short term, though, at the very least we can expect, is for all these 568 00:49:59,100 --> 00:50:04,720 web sites that do give access to travelers’ private information to do the bare minimum 569 00:50:04,720 --> 00:50:09,460 of web security. At the very least some rate limiting. Don’t allow us 570 00:50:09,460 --> 00:50:16,000 to throw millions of requests at your properties, and give us back honest 571 00:50:16,000 --> 00:50:22,230 answers. That is unheard of anywhere else in the “cloud”. But for travel systems 572 00:50:22,230 --> 00:50:27,800 who claim for themselves to be the first cloud ever this seems to be very standard. 573 00:50:27,800 --> 00:50:32,240 And then, finally, until all of this can be guaranteed, until there’s passwords 574 00:50:32,240 --> 00:50:36,349 and until there is good rate limiting I think we have a right to know 575 00:50:36,349 --> 00:50:40,849 who accesses our records, and there must be some accountability. Especially, 576 00:50:40,849 --> 00:50:46,300 knowing how insecure these systems are today. This is a long way, and I can only 577 00:50:46,300 --> 00:50:52,540 hope that we are starting a journey by annoying large companies like Amadeus. 578 00:50:52,540 --> 00:50:58,260 They have done their little bit of fixing over the weekend now, so hopefully 579 00:50:58,260 --> 00:51:02,410 some others will follow suit and we will have better systems. Until then, 580 00:51:02,410 --> 00:51:07,050 of course, I can only encourage all of you to look at more of these travel systems 581 00:51:07,050 --> 00:51:10,950 because there’s plenty more to find. We’re only scratching the surface here. 582 00:51:10,950 --> 00:51:14,650 And, more generally, to look at more legacy systems. I think we’re spending 583 00:51:14,650 --> 00:51:20,119 way too much time making some already really good crypto just a tiny bit better 584 00:51:20,119 --> 00:51:25,060 or finding a really good mobile operating system the next little jailbreak 585 00:51:25,060 --> 00:51:31,780 that will be fixed two days later anyhow ignoring all these huge security issues 586 00:51:31,780 --> 00:51:36,250 that have been there for many, many years in systems that are a little bit less sexy 587 00:51:36,250 --> 00:51:40,290 and riddled with bug bounties than something else that we do spend a lot 588 00:51:40,290 --> 00:51:46,970 of time on. So I hope I could encourage you to do that. I wanna just hand out 589 00:51:46,970 --> 00:51:52,690 a few thankyous to members of our team without whom this research wouldn’t 590 00:51:52,690 --> 00:51:58,310 have been possible, and to a few industry experts who were kind enough to 591 00:51:58,310 --> 00:52:02,630 read over these slides and provide feedback, and help us hopefully 592 00:52:02,630 --> 00:52:07,880 not have any major gaps on our information. And then, to you for 593 00:52:07,880 --> 00:52:11,500 showing up in such great numbers, thank you very much! 594 00:52:11,500 --> 00:52:29,920 *applause* 595 00:52:29,920 --> 00:52:33,560 Herald: Wow, great talk. Thank you very much! We have five minutes 596 00:52:33,560 --> 00:52:38,550 for Q&A. So please line up on the microphones, and we’ll take 597 00:52:38,550 --> 00:52:40,560 some questions. First one! 598 00:52:40,560 --> 00:52:44,300 Question: Do you have any indication of how secure the systems are on the other 599 00:52:44,300 --> 00:52:48,674 end, that the airlines supply their fares into the entire systems? 600 00:52:48,674 --> 00:52:53,869 Is there any indication that those systems might be more secure than 601 00:52:53,869 --> 00:52:59,180 on the customer side? Or would it be easy to inject a cheap fare, e.g. 602 00:52:59,180 --> 00:53:02,859 by impersonating the airline with weak passwords? 603 00:53:02,859 --> 00:53:08,450 Karsten: Honestly, we don’t know. It was definitely on our list to research 604 00:53:08,450 --> 00:53:14,160 but we don’t have time for everything so we focus more on the customer privacy. 605 00:53:14,160 --> 00:53:18,660 But one thing that I really would want to test if I had any way of doing it: 606 00:53:18,660 --> 00:53:24,280 imagine the parsers for these strings. Imagine injecting some special characters 607 00:53:24,280 --> 00:53:32,190 in that. I don’t know who creates these strings and maybe I don’t wanna know. 608 00:53:32,190 --> 00:53:37,990 But if anybody does and you could play with some SQL commands I think a lot of 609 00:53:37,990 --> 00:53:42,880 web sites would wake up understanding that on that front they don’t do enough 610 00:53:42,880 --> 00:53:44,970 security either. 611 00:53:44,970 --> 00:53:48,300 Herald: Okay, question from the Signal Angel? 612 00:53:48,300 --> 00:53:52,040 Signal Angel: A question from IRC. Recently, U.S. Customs And Border Patrols 613 00:53:52,040 --> 00:53:56,430 started collecting social media identifiers for foreign citizens trying to enter 614 00:53:56,430 --> 00:54:00,470 the U.S. on a Visitor Visa. Could that information be accessible through PNR’s? 615 00:54:00,470 --> 00:54:04,830 Karsten: That’s a good question. I don’t think you would be. 616 00:54:04,830 --> 00:54:07,030 From Audience: They are! 617 00:54:07,030 --> 00:54:08,680 Karsten: So, I… 618 00:54:08,680 --> 00:54:11,430 From Audience: Yes, they are! 619 00:54:11,430 --> 00:54:13,580 Karsten: They are in the PNR? 620 00:54:13,580 --> 00:54:15,140 From Audience: Yes! 621 00:54:15,140 --> 00:54:16,390 Karsten: Okay. 622 00:54:16,390 --> 00:54:18,650 *laughter* 623 00:54:18,650 --> 00:54:25,590 I would have imagined that it’s more a case like this journalist, 624 00:54:25,590 --> 00:54:32,589 Cyrus Favia. He requested through FOIA disclosure all the records that 625 00:54:32,589 --> 00:54:36,600 the U.S. Government kept on his travelling. And he found a lot more stuff 626 00:54:36,600 --> 00:54:41,899 than just in the PNR. They had notes in there like “he’s a journalist”, “we had 627 00:54:41,899 --> 00:54:45,560 to search him extra for that”, stuff like that. So they don’t wanna write that 628 00:54:45,560 --> 00:54:49,930 into the PNR. But the Government keeps separate records that may be indexed 629 00:54:49,930 --> 00:54:51,880 by PNR, I don’t know. 630 00:54:51,880 --> 00:54:54,780 Herald: Okay, microphone here! 631 00:54:54,780 --> 00:54:58,690 Question: Can you say something about how long information will be stored 632 00:54:58,690 --> 00:55:04,700 in those travel systems, and whether users have a right to get them deleted? 633 00:55:04,700 --> 00:55:11,500 Karsten: That’s a good question. I think that differs by system. So in Amadeus 634 00:55:11,500 --> 00:55:17,180 records are removed pretty quickly. Days, or at most, weeks after the last flight is 635 00:55:17,180 --> 00:55:21,349 finally done. But in Sabre I had the impression that much older records was 636 00:55:21,349 --> 00:55:25,960 still in there. Which may explain why their data set is so dense. If you keep 637 00:55:25,960 --> 00:55:29,500 accumulating all the information. By the end of the day this is all going back 638 00:55:29,500 --> 00:55:33,859 to mainframe technology. So I don’t think anybody understands these algorithms 639 00:55:33,859 --> 00:55:36,210 any more. They just kind of work. 640 00:55:36,210 --> 00:55:38,170 Question: The deletion? 641 00:55:38,170 --> 00:55:41,750 Karsten: The deletion, yeah. I don’t think you can request anything to be deleted. 642 00:55:41,750 --> 00:55:45,890 I don’t think they consider you a person that they wanna talk to. 643 00:55:45,890 --> 00:55:47,560 You’re not the customer! 644 00:55:47,560 --> 00:55:49,680 Question: Thanks! 645 00:55:49,680 --> 00:55:52,150 Herald: Okay, the microphone there, in the… 646 00:55:52,150 --> 00:55:56,430 Question: It seems that the immediate way to abuse these systems is, like you said, 647 00:55:56,430 --> 00:56:01,710 with abusing money, and the mileage etc. It seems that those paths are actually 648 00:56:01,710 --> 00:56:05,800 somehow monitored by airlines, so if I’m collecting miles and take it not under 649 00:56:05,800 --> 00:56:09,460 my name that would raise some flags. You think that’s not the case? 650 00:56:09,460 --> 00:56:15,700 Karsten: Yes, I should have been more explicit how this attack works, 651 00:56:15,700 --> 00:56:19,950 the mile diversion. So, of course, you have to have an account in the same name 652 00:56:19,950 --> 00:56:24,570 as the person flying. So had his demo worked, he would have a PNR for 653 00:56:24,570 --> 00:56:28,650 a lady Carmen Sandiego. You can just go to miles&more and create an account 654 00:56:28,650 --> 00:56:33,589 under that name. A lot of airlines, though, they also allow you to change your name. 655 00:56:33,589 --> 00:56:38,470 So you just change it whenever you found a round trip Australia ticket, 656 00:56:38,470 --> 00:56:42,510 you change the name to whatever that target name is. And I know for a fact 657 00:56:42,510 --> 00:56:49,040 that people are doing that right now, not you guys, before even. Based on Instagram 658 00:56:49,040 --> 00:56:53,720 photos. So people are diverting miles by creating new accounts or by keeping 659 00:56:53,720 --> 00:56:58,109 changing the names of the accounts. And yes, airlines do sometimes notice this 660 00:56:58,109 --> 00:57:04,790 but only when it becomes excessive. And sure, that’s their money. I just hope 661 00:57:04,790 --> 00:57:08,790 that it will become so excessive that it’s such a big problem that it can’t be 662 00:57:08,790 --> 00:57:13,760 ignored any more. And then the privacy issues get fixed on the same token 663 00:57:13,760 --> 00:57:18,470 where privacy is never enough to convince a big company. But if you throw in 664 00:57:18,470 --> 00:57:20,800 a little bit of fraud it may be enough. 665 00:57:20,800 --> 00:57:29,080 *applause* 666 00:57:29,080 --> 00:57:31,624 Herald: Okay, one last question. Microphone here! 667 00:57:31,624 --> 00:57:36,600 Question: Hi Karsten! When people use like GDS’s they have these really archaic… 668 00:57:36,600 --> 00:57:41,180 there are not even… there are like actual terminals, not even pseudo-terminals. 669 00:57:41,180 --> 00:57:45,190 And then they expose like these EPI’s for the sake of writing your code in like Java 670 00:57:45,190 --> 00:57:49,260 or whatever. I’m wondering if there’s research to be done at that level? 671 00:57:49,260 --> 00:57:53,880 Or did you just not look at that, or that’s just an area of further research? 672 00:57:53,880 --> 00:57:59,329 Karsten: We did, quite a bit. But we found no way of making that public in any way 673 00:57:59,329 --> 00:58:05,720 that wouldn’t require a login from a travel agency and all of that good stuff. 674 00:58:05,720 --> 00:58:11,550 So I think the most I wanna say about that is the logins that travel agencies have, 675 00:58:11,550 --> 00:58:15,630 they’re terribly secured. But, of course, I can’t encourage anybody to go out 676 00:58:15,630 --> 00:58:20,630 and hack them. But if you did and you had access you’d be logging in to something 677 00:58:20,630 --> 00:58:24,760 that looks like a terminal. And you’d be typing some commands. And the next thing 678 00:58:24,760 --> 00:58:29,940 you know it throws a Java stack trace at you. So these just look like terminals. 679 00:58:29,940 --> 00:58:33,579 They have moved well beyond that while still maintaining this look and feel 680 00:58:33,579 --> 00:58:38,110 of a mainframe. And they’re terribly insecure. So these stack traces, they just 681 00:58:38,110 --> 00:58:41,510 come left and right even if you try to do the right thing! 682 00:58:41,510 --> 00:58:43,200 *laughter* 683 00:58:43,200 --> 00:58:45,290 Question: Thanks! Herald: Okay we have one question 684 00:58:45,290 --> 00:58:47,099 from the internet! 685 00:58:47,099 --> 00:58:52,970 Signal Angel: Somebody wants to know, how do you avoid DDoS’ing those services 686 00:58:52,970 --> 00:58:56,730 when you just brute-force the booking numbers? 687 00:58:56,730 --> 00:59:01,813 Karsten: A good question. Of course we don’t wanna hurt anybody, so we tried to 688 00:59:01,813 --> 00:59:07,490 keep the rates low. And it turns out if you throw 20 Amazon instances at them 689 00:59:07,490 --> 00:59:09,711 they don’t go down yet. And… 690 00:59:09,711 --> 00:59:11,460 *laughter* 691 00:59:11,460 --> 00:59:14,260 Herald: Okay. Thank you very much, Karsten and Nemanja! 692 00:59:14,260 --> 00:59:20,559 *applause* 693 00:59:20,559 --> 00:59:23,900 *postroll music* 694 00:59:23,900 --> 00:59:45,000 subtitles created by c3subtitles.de in the year 2020. Join and help us!