
Video DEF CON 24 - Hacking boarding passes for fun and profit


Transcription

  • so good morning everyone hope you're
  • enjoying DEFCON so far and happy to see
  • so many people in early in the morning
  • on the last day so hope I won't get you
  • asleep let's start with it okay so a bit
  • of introduction I'm the head of the
  • National Polish CERT
  • so that's computer security incident
  • response team that's my job but this
  • research is not related to the jobs in
  • any way so just a disclaimer that's my
  • research and not necessarily all
  • opinions are shared by my employer my
  • background is a programmer but I was a
  • long time ago I eventually got a degree
  • in social psychology that's not social
  • engineering that's related but I don't
  • think they give degrees
  • in social engineering yet and I had 15
  • years of experience in IT security I
  • also love everything about you know
  • flying in aviation I almost became air
  • traffic controller trainee at some
  • moment and I love to learn how system
  • works how systems works you know how
  • everything is going on in the background
  • so also because I tend to fly a lot both
  • privately and because of my employer I
  • enjoy some benefits for frequent fliers
  • and I have some kind of disregard for
  • frequent flyer miles they don't have
  • any real value to me anymore but I still
  • enjoy the privileges like lounge access
  • or fast track so they really save you
  • time and give you some comfort at the
  • airports except when somebody tries to
  • fix the problem when the problem doesn't
  • really exist so about a year ago my home
  • airport will also introduce to this
  • automatic self-service gate which was
  • supposed to speed things up because
  • instead of you know waving your boarding
  • pass in front of a person have them
  • scanning it just
  • user scanner and against that you in the
  • only problem was with the fast track it
  • didn't read my status properly so it
  • would let in all the business class
  • passengers but I tend to travel on
  • economy and I only get the fast track
  • access because I have this gold status
  • so it wouldn't read the status properly
  • so I would have to go to the guy anyway
  • show him my boarding pass make him come to
  • the gate scan my boarding pass like two
  • or three times like you know it's kind
  • of counterproductive like it you know
  • it's waste about 30 seconds of my
  • precious time and the guy probably has
  • better things to do it's like let's see
  • if I can fix things so let's rewind a
  • little bit what are we talking about as
  • you probably noticed for the past ten
  • years or so you get this little bar code
  • on your boarding pass whether it's
  • mobile it's on paper you still get it
  • nice to the body nice to the barcode on
  • your boarding pass and that was
  • introduced in 2005 by IATA which is
  • international air traffic association if
  • I get it properly Resolution number 792
  • it introduces something called
  • Bar Coded Boarding Pass standard which
  • is adapted by all airlines airports
  • everybody who deals with boarding passes
  • they have to obey to that standard and
  • so you get four different kinds of
  • barcodes which can be used when you have
  • a paper boarding pass it will it must
  • always be PDF417 which is the nice
  • rectangle one the white one
  • if it's on mobile it should be one of
  • the square one so it's QR code which you
  • probably know about and the Aztec and
  • Data Matrix which we have examples of
  • down here so you know I got on on Google
  • Play started looking for barcode
  • scanners to make my life easier
  • and fair enough you get like dozens of
  • them so the two in the middle barcode
  • scanner and by geek step and the manatee
  • would become my two favorite but you get
  • a wide choice
  • so a freely available tools you can see
  • what's inside and this is pretty much
  • what the boarding pass boarding pass
  • looks like when it's encoded in BCBP
  • so it's just a bunch of characters and
  • sort of by trial and error I started
  • figuring out like okay if it doesn't
  • read the my frequent flyer status
  • properly so probably I need to adjust
  • the booking class right I need to say
  • I am in business and if that's what
  • it reads and let's see if it will let me
  • so the other tool I would need would be
  • a boarding pass generator and fairly
  • enough there's also a bunch of them on
  • Google Play Store and I'm pretty sure on
  • Apple Store as well so like I said first
  • by trial and error I figured out like
  • this would be the travel class character
  • if you fly a little bit you kind of get
  • used to this letters like M would be for
  • economy or Y would be for economy C
  • would be for business things I get
  • things like that and you also can pretty
  • clearly see something standing out like
  • first name last name original for
  • departure Airport for departure Airport
  • destination Airport flight number so
  • topics you can make up just by looking
  • at the at the clear text characters so
  • let's see if I switch this little
  • character to C and mysteriously it
  • works it would let me so fine
  • I saved you know 30 seconds about of my
  • time every time I travel through the
  • fast track so it's precise like for all
  • travelers need but you know what else
  • can we get now if this is not verified
  • what else is not verified
  • what else can I play with
  • and you know I started changing
  • different things like no first name last
  • name yeah sure enough lets you in so
  • neither like okay so if there's one
  • thing that can be verified easily
  • it's the booking code right because that
  • can be looked up in the reservation
  • system and I think that could be matched
  • to your boarding pass and well they
  • could at least know whether you're
  • traveling or not whether the reservation
  • is there or not but or it was somebody
  • to know just making up things so let's
  • go ahead and change this and it would
  • also let me in so now I got getting real
  • confused so what we are getting here is
  • now airport access for all pretty much
  • all right and just a bit of explanation
  • that was in Warsaw I tested in in a
  • number of different airports in the US
  • it will work a bit differently which I
  • will come back to in a minute but this
  • works in a lot of airports not it's not
  • something specific to Warsaw or you know
  • just one or two airports and we will
  • come back to why studies so it's not
  • just faster access it's you know Airport
  • access for all and yeah it's like notice
  • like million travelers per day like how
  • come nobody noticed it that somebody had
  • to figure this out already
  • and yeah this is not entirely news so
  • back in 2003 Bruce Schneier already noticed
  • when when the concept of print your own
  • boarding pass was introduced even before
  • the bar-coded boarding pass was there
  • that you can spoof a boarding pass and
  • with this you could also circumvent the
  • no-fly list checks in the U.S. that was
  • 2003 until 2007 this was not fixed in
  • any way and November 2006 Chris Soghoian
  • put up a web page where anybody could
  • produce a fake I think it was Southwest
  • boarding pass and he got into a lot of
  • trouble for that so he got a pretty much
  • FBI raided his home and you know he got
  • a get a nice letter from TSA saying like
  • you are violating these and these laws
  • don't do it please um there's also two
  • articles from 2008 and 2011 which were
  • done jointly with Bruce Schneier they
  • also touch a bit on physical security I
  • totally recommend going and reading them
  • it's very entertaining and in 2012 a
  • John Butler also wrote an article on how
  • you could possibly figure out whether
  • you are pre check eligible or actually
  • make yourself be eligible most of most
  • of the technical stuff she got wrong in
  • the article but anyway the idea was kind
  • of cool and keep you know and make make
  • some things right at least so how did
  • the no-fly list bypass work back in 2003
  • so you'll have to buy tickets under a
  • false name because when you are buying
  • the tickets your name gets you know
  • matched against the no-fly list and then
  • you print your boarding pass at home so
  • this is one point where things get
  • checked so your name against the no-fly
  • list then you create a copy of the
  • boarding pass and put your real name on
  • it which is on the no-fly list but we'll
  • come to that then you present the fake
  • boarding pass to the TSA officer along
  • with your ID and the problem here is the
  • TSA officers did not have access to the
  • reservation system so they only
  • validated the boarding pass against your
  • ID so now it's a fake boarding pass but
  • the name matches with your ID you're
  • good to go and then when you actually
  • board the plane you'll discard the fake
  • boarding pass you produce your original
  • boarding pass again which matches the
  • reservation system and you can fly
  • so that was in 2003 em like I said it
  • was the same thing described in 2006 and
  • 2007 and it got a bit improved since
  • then and we'll come to that so this is
  • the letter I don't know if you can see
  • it but it's easy to Google it up it's
  • the letter that Mr. Soghoian got for
  • revealing this later in making up this
  • fake boarding pass creator so how does
  • bypassing no-fly list work in 2016 Europe
  • so basically buy tickets under a false
  • name and you go to the airport inside so
  • not exactly an improvement and why is
  • that first of all and it is just like two
  • impacting factors one is that some
  • airlines are more business conscious
  • than the other so they actually will
  • check your ID when you are boarding but
  • again this is not airport thing it's the
  • airline thing and why the eyes do it is
  • because of protecting their business so
  • we just don't buy cheap tickets and then
  • we sell them to somebody else it's only
  • for that reason and it's mostly low-cost
  • airlines which will check your IDs
  • regular airlines almost never check your
  • IDs in Europe and ID checks by the at
  • the security checkpoints have been
  • abandoned like two or three years ago
  • when you are traveling domestically but
  • not only domestically because of
  • Schengen area which I don't know how
  • many of you are know what it is but it's
  • like 26 countries in Europe it's not the
  • same as European Union it's 26 countries
  • in Europe which agreed to like abandon
  • border checks so you only have increased
  • boarding border checks around the
  • Schengen area and a lot of information
  • exchanged between the countries on on
  • immigration but as no checks within the
  • area so we can freely roam you know we
  • don't need to follow the border
  • checkpoints you can just hide
  • in the mountains or whatever and when
  • traveling within the Schengen zone and
  • it was officially asked to the you know
  • governments etc why there's no ID
  • controls at the open fact there's no
  • reason to do it like security is
  • provided by physical security screening
  • fair enough
  • okay so let's go back a bit
  • turns out I didn't need to be reverse
  • engineering this boarding pass format
  • it's you know it's all public this IATA
  • resolution is all public you can just go
  • and download it and this is the part
  • which is mandatory for the boarding pass
  • so it's sixty characters and you get
  • things like first name last name you get
  • the compartment code which is the the
  • travel class can anybody spot a problem
  • here this is all that is mandatory
  • nothing else is mandatory so I'm going
  • to help you here absolutely no integrity
  • checks and no authentication provided
  • it's just sixty characters and
  • they're as good as you provide them and
  • just to be fair this is the full
  • specification and there's a bunch of
  • optional items and one of them in the
  • bottom is the security part where you
  • can provide something called they call a
  • certificate which is basically a digital
  • signature for the boarding pass so it
  • can be included but it's optional and we
  • will come back to that so the other way
  • to verify it like I said would be to
  • look up the booking number in the
  • reservation system
  • so let's see where is this passenger
  • data stored where could it be looked up
  • and so when it is stored in something
  • called computer reservation systems
  • which store your data in the format of
  • Passenger Name Records which includes
  • lots of data including lots of private
  • private data which is not only your
  • first name and last name address email
  • address but also things like special
  • requests which means whether you need
  • special assistance like a wheelchair or
  • something whether you have special
  • dietary requirements which could tell
  • you like whether you are Muslim or
  • Jewish or things like that and the
  • loyalty programs data etc and also if
  • you provided contacts for your precious
  • ones in case of emergencies would also
  • end up there and so this is one of the
  • problems there's a lot of private
  • information which is not now allowed to
  • be shared between different parties the
  • other problem is there's a lot of
  • computer reservation systems out there
  • it's not like there's a single
  • reservation system for all so it's not
  • you just go and look up the data by the
  • PNR code and you will pull out whatever
  • you need you need to know where to look
  • for it and there are a number of global
  • distribution systems which are like huge
  • CRSes used by multiple airlines most
  • famous ones are like Sabre and Amadeus
  • and Galileo and Worldspan
  • but there's also a lot of proprietary ones
  • which are used by small airlines they
  • don't pay the fees to big systems they
  • just run their own and as long as it
  • works for them it's fine you know
  • basically the only place where you need
  • to look up this information is where you
  • check when you buy your tickets when you
  • check in and when you're boarding the
  • plane so how many airports don't have
  • access to this data also to make things
  • more confusing and complicated when you
  • make single reservation it may end up
  • with bits of information scattered of
  • different reservation systems so when I
  • make when I made the reservation for my
  • flight here
  • I had a couple of flights codeshared
  • with Polish airlines you know that the
  • reservation was United which is using a
  • different reservation system than LOT
  • Polish Airlines so at least two
  • reservations systems would be involved
  • and if I was making that reservation
  • through a travel agency which is using a
  • third reservation system that will be at
  • least three PNRs in three reservation
  • systems and you know that's kind of
  • confusing and data access is not only
  • limited across you know different
  • reservation systems but not everybody
  • like I said because of privacy reasons
  • has access to to the same pieces of
  • information in the in the system and
  • yeah notice of the device the barcode
  • will usually have more information that
  • is just in clear print and if you use
  • that information you can access the
  • reservation you can access a lot of this
  • private data online and you can even
  • make some changes like canceling tickets
  • or modifying your itinerary so just
  • don't post anything without making sure
  • it's anonymized or blurred or something
  • and if this is one of the examples which
  • is kind of ridiculous because like I
  • said everybody can go if you know which
  • which CRS system is used by the airline
  • everybody can go to the website if you
  • have this key another look locator which
  • is also known as booking code or
  • reference where on reservation numbers
  • you put it in and then you put the
  • passengers name in and you get most of
  • this data this you can see whether the
  • reservation is there or not but airports
  • are not allowed to do so
  • and from the reservation system the data
  • is then moved into a couple of other
  • systems one of them would be departure
  • control system which is basically the
  • system which is used after you check in
  • to make sure that only the checked in
  • passengers get on board it also stores
  • your seat assignments baggage
  • information etc there's also thing
  • called API advanced passenger
  • information not advanced advanced
  • passenger information which is sent to
  • border agencies of several dozens of
  • countries which require that
  • so it will let them know who is coming
  • to their country and they can do some
  • pre-screening and tell the airlines like
  • this guy needs some additional security
  • before he boards the plane and there's
  • also PNRGOV which is not exactly
  • another system is just a message
  • exchange format to exchange PNR
  • information for the passenger record
  • information with the government agencies
  • it's not widely used at all apart from
  • sending advanced essential information
  • which again it has nothing to do with
  • looking at the information in the
  • airports just for the border agencies
  • and there is Secure Flight program which
  • was I will describe more in detail in a
  • moment it's okay and to make to make
  • things easier for me I put up a simple
  • web page and I hope I will be able to
  • show it now it's all JavaScript so it
  • works offline and I found a nice
  • JavaScript libraries for producing
  • Aztec codes so PNR doesn't matter as
  • I show you whatever
  • there you go and then wherever my pocket
  • eternity the only thing that actually
  • needs to work is the flight number and
  • the date so the flight number actually
  • gets matched against the list of flights
  • that depart from the airport yeah also
  • the departure airport needs to match the
  • departure airport configured with the
  • gate and the date needs to match it can
  • be also the next day because you know
  • sometimes you enter the airport on your
  • flight is early in the morning so it can
  • be the other two okay with paper with
  • just a bit less fun so like I said this
  • automatic gates helps things enormously
  • because you don't even have to deal with
  • humans right you don't have to produce
  • anything which is even remotely
  • legitimately looking it's just a barcode
  • but when you need a paper it's no big
  • deal you just need to have this paper so
  • you need to edit the PDF probably and I
  • already have you know a couple of
  • templates for for the airlines I use and
  • I by the way Microsoft Word is a great
  • PDF editing tool really you can you can
  • just open the PDF and it will you know
  • convert it to Word document and you can
  • do all the editing you need and just
  • remember that anyway although people
  • tend to look at the paper
  • they will have to scan the building the
  • barcode anyway so it should match the
  • information that you have on the paper
  • so now let's get some fun action you
  • know just getting to the airport is not
  • much so how about accessing lounges so
  • with contract lounges just basically
  • it's almost too easy right because they
  • have no way to access this private
  • information so they have no way to look
  • up the passenger records so you know
  • they will gladly buy whatever you
  • present just a bit of advice it needs to
  • be based on the travel class because if
  • you present the gold card you will be
  • asked for the physical
  • gold card also your data will be written
  • down and actually even if you have the
  • the card but for example the status
  • expired or something they actually have
  • a way to look it up online so there is
  • apparently a system when you can look up
  • the the status card status and if you
  • divided and so on so a bit trickier it
  • should be with for the airline operated
  • lounges right because they can't they
  • are the airlines they have access to
  • passenger data so they should be able to
  • verify the status and there is at least
  • one airline which attempts to do it it's
  • Scandinavian Airlines they also have
  • these lounges which are they will let
  • you in with automatic gates so I thought
  • this is easy and I travel to Copenhagen
  • very often so it gives you a lot of
  • opportunities for trial and error and
  • then yeah they actually do and at least
  • seem to do the checks on the reservation
  • system so whenever I try to fiddle with
  • like booking class it would or my status
  • it would just bounce me whether it would
  • always bounce with the same message like
  • deeper departure Airport is not not
  • right or something like that so now a
  • bit vague but you know after it did so
  • five times I figured like it must have
  • it must be just one message for you know
  • all kinds of errors so anyway they do
  • some checking
  • except you notice another there's a lot
  • of other airlines which the passengers of
  • which are also eligible to use the
  • lounge like SAS is in Star Alliance and
  • it's about you know 15 or 20 other
  • airlines which are in Star Alliance and
  • when you are traveling on another
  • carrier was within the same Alliance and
  • you are traveling on business you can
  • still get into the lounge and guess what
  • not all airlines use the same
  • reservation system so all you need is to
  • find that flight which is departing you
  • know in a reasonable timeframe operated
  • by another carrier hopefully that one
  • that uses another reservation system but
  • it shouldn't be necessary and produce a
  • a fake boarding pass for that
  • carrier and guess what it works alright
  • so I just used Brussels Airlines which
  • is a totally different reservation
  • system I put up information in the
  • boarding pass for that flight
  • and it would mean also the summer lights
  • which don't do it properly specifically
  • this one it's a the best airline in the
  • world according to many people one in
  • Istanbul and it's operated by Turkish
  • Airlines and I thought like this is
  • going to be hard because it's really 99
  • percent flights are operated by Turkish
  • from that Airport on Star Alliance there
  • are very few flights which are
  • Star Alliance but not Turkish so what am I
  • going to do well let's first try if they
  • will let me in with you know just a
  • random Turkish flight data so
  • [Music]
  • I just looked up you know on the
  • departure board I looked up a random
  • flight from Istanbul to London Gatwick I
  • like to use the name of Bartholomew
  • Simpson she was a good prank a prankster
  • yet the data needs to match
  • and I need to worry I had the camera
  • hidden in plain sight so it was hanging
  • from my shoulder bag so this is the
  • automatic gate no need to talk to the
  • dragon lady
  • by the way this is a full-sized cinema
  • inside the lounge and uh yeah you don't
  • need to be traveling like I said you can
  • do the same to enter the airport you
  • will still go through security screening
  • so they will take all your liquids but
  • no need to worry - and you know after
  • Wired did an article on this and they
  • actually publish this video I got you
  • know lots of requests by the way this
  • one is from Israeli lawyer like what's
  • wrong with ie lawyers really are they
  • paid so bad that they can't afford large
  • offices one other nice thing is you have
  • duty-free shops at the airports right
  • and again you don't need to be traveling
  • and in many countries it's not like in
  • the US so you don't get your field back
  • in the passenger seat you just get it to
  • go and the eligibility for taxable
  • prices is depend is its data lines on
  • whether you are traveling inside the EU
  • or outside the EU so if it's inside EU
  • it's domestic prices so including tax
  • and if you are traveling outside EU you
  • get this tax-free price and here's the
  • difference so to convert it to you it's
  • one liter I have no idea what it is in
  • US but it's about 25 shots and 20
  • and then 2500 this is about $7 so I
  • think it's a good deal so what do we get
  • is airport access so we can meet and
  • greet your loved ones do some
  • sightseeing
  • FastTrack free lunch and booth duty-free
  • shopping okay let's get to some serious
  • stuff like how can it be prevented and
  • what is actually done to prevent it so IATA
  • has a nice section in I think
  • it's 80 pages or so document they have
  • this half a page section on fraud
  • prevention which nicely identifies the
  • risks associated with boarding by a
  • BCBP right so it can be modified it can
  • be forged it can be duplicated and
  • pretty much all the mitigation they came
  • up with is check that the passenger is
  • on the passenger name list and add a
  • certificate like I said by certificate
  • they mean the digital signature so
  • let's see how the digital signature is
  • doing so it was introduced in 2009 by
  • version 3 of the standard and it's based
  • on PKI
  • and one thing about PKI is it needs to
  • be deployed properly right so we need to
  • distribute the the public keys so it
  • would have to be there you know at every
  • checkpoint you will have to maintain the
  • CRL etc etc and also many airlines would
  • still use version 1 which does not
  • support digital signatures so all the
  • readers also need to support these old
  • versions and again this field is
  • optional and this is quotation from the
  • data madhabs optional and to be used
  • only when required by the local security
  • of the administration so it's not even
  • encouraged like it it's only to be used
  • when it's required the specific
  • algorithm is determined by the
  • authority and this was informed by TSA
  • to US carriers but
  • not entirely for example when I was
  • travelling here I had my boarding card
  • produced in Amsterdam and it was printed
  • neatly on United paper but it had no
  • digital signature and you counted it and
  • there's another thing which could be
  • used which is the standard called BCBP
  • XML this is for transporting data
  • between checkpoints and the airline
  • systems so it's just again it's just
  • the data format which is standardized by
  • IATA and it could be used to check the
  • PNR data against the reservation systems
  • with no privacy privacy information
  • getting transferred so you just you just
  • send that whatever you scanned from PNR
  • and the airline would cut up and come up
  • with the 0 or 1 so good to go or not
  • good to go
  • possibly with an explanation if it's not
  • good to go with a reason the problem
  • again is the complexity many airports
  • are serving like more than 200 Airlines
  • and they would have to connect to each
  • of their reservation systems right and
  • if they don't connect to 10 out of 200
  • you still have a way to produce a fake
  • boarding pass pretty much if you don't
  • cover 100% just to get a loophole right
  • so just the complexity of this solution
  • probably is the reason why it doesn't
  • really work and I haven't seen it
  • deployed anywhere and there's also one
  • thing that TSA seems to be doing right
  • at least starting from 2013 so Secure
  • Flight is the program that they've
  • implemented in in 2009 and the reason
  • for for the program was to take over the
  • monitoring of watchlist
  • so the no-fly lists and secondary
  • screening lists from the airlines to the
  • TSA authorities
  • so instead of relying on Airlines they
  • said like no no we need this information
  • and we will do the verification right
  • also part of the Secure Flight is the
  • TSA PreCheck program introduced in 2011
  • so you get this live BCBP field
  • specifically for this reason which is
  • called selectee indicator which tells
  • you whether you are like hand selected
  • for the secondary screening or whether
  • you are eligible for pre check or
  • whether you're just traveling as usual
  • and in 2013 TSA started networking their
  • devices the scanning devices to pull
  • passenger data from this Secure Flight
  • and includes passengers full name gender
  • date of birth screening status
  • reservation on the flight itinerary so
  • it can be verified if it's deployed at
  • all the airports I'm not sure about
  • that it can be verified at the screening
  • checkpoint and if it doesn't match
  • exactly you know they have like a nice
  • list of suggestions like this this
  • passengers name is close enough you know
  • maybe this is one of these so
  • technically they have a way to do it now
  • again whether it's deployed properly and
  • how many airports support it I am not
  • sure it just started in 2013 and
  • generally sir it's a correct way to do
  • it probably and okay
  • why is DEF CON awesome I thought I had
  • my presentation you know all fixed and
  • done and then on I think it was Tuesday
  • or Wednesday I get contacted by Karl
  • Koscher saying like hey I saw your talk
  • on the agenda and then here's something
  • that I got from eBay and maybe you want
  • to play with that and that something was
  • [Music]
  • this beauty so it's a device that you're
  • normally not allowed to buy I think so
  • this information is from the public
  • website so you get you know this level
  • of specification but it would only be
  • sold to like a limited number of
  • bodies and this this offer is no longer
  • on eBay are unfortunately was I think
  • one hundred and fifty dollars so not a
  • big deal
  • so I had like two days to play with that
  • and I exchanged a couple of messages
  • with Karl and then here's how it works
  • so we see the booting you see Airport is
  • - - - and we go departure Airport is not
  • configured so it's you know we have some
  • constraints so let's try scanning any
  • random boarding pass so now when you go
  • with any random old boarding
  • pass likely the departure Airport is not
  • - - - it's something else and the date
  • is probably not the same as on the
  • boarding pass on the scanner sorry but
  • it will have a valid signature let's see
  • what it does
  • so it says invalid departure locations
  • refer to counter so it did not complain
  • about the signature but it did complain
  • about the departure Airport so okay so
  • let's take the departure Airport ah damn
  • it whole again
  • the time with audio
  • three beeps not good to go red light but
  • all it says is invalid departure
  • locations my listing at using my mobile
  • phone okay so now the departure location
  • was okay date was okay but the signature
  • is invalid and it says referred to
  • superior
  • so
  • so I don't know if you notice but it
  • actually said that the yeah the stick is
  • not there so it should go from some
  • money while checking the problem I see
  • here is it still gives you a green light
  • and the you know one beep so depending
  • you know how vigilant you know the the
  • TSA agent is and how much noise to radio
  • he has he has you know a good chance
  • missing this
  • so yeah let's try modifying the
  • selectee indicator
  • so three beeps greenlight and your CDL
  • ll so you are eligible for pre check or
  • if you fancy you can actually go for
  • secondary yeah SSS
  • okay so airport access is confirmed five
  • circuits on fancy lounges both is
  • confirmed you think you're shopping in
  • sometimes pre-check are not sure right
  • nice idea to play with if you have balls
  • so now about responsible disclosure I
  • actually went out and I tried to talk
  • about this problem to several
  • authorities and airports and Airlines
  • because their problem eventually and
  • this is what I what came back so first I
  • contacted slots publishing light they
  • see like now it's we just issue boarding
  • passes and they the airport that
  • verifies it so I went to the airport and
  • in these two cases I was lucky because I
  • actually had you know known people on
  • the management board at the management
  • board level so I was able to talk to them
  • in person and Ike and the Airport
  • Authority said like yeah it's a known
  • issue but it's not really a problem
  • we you know you following any other
  • guidelines and laws that's fine
  • then the Civil Aviation Authority like
  • that it took them three or four months
  • to reply they said although they had to
  • say was like boarding pass forgery is a
  • crime don't do it like okay according to
  • my lawyer
  • I'm not exactly my lawyer by the lawyer
  • I know and as a if you if you want to
  • have a legitimate document you need to
  • have a way to verify it it's not a
  • document if you cannot verify it if it
  • doesn't bear any you know signature at
  • all later like oh it's not the exact
  • wording they use but it was pretty much
  • the message right and this is also what
  • what I got from Turkish Airlines and SAS
  • fine no I
  • and now come on here and the question
  • you might have is like would it actually
  • get me flying and that the short answer
  • would be no like that there would be
  • very rare circumstances when you would
  • be able to get on the plane but would be
  • likely spotted before it even departs
  • and it would get you into a lot of
  • trouble so I don't recommend doing that
  • but you can here still have a nice
  • souvenir and that's a kind of a bonus so
  • one of the airports in Europe and I will
  • not name them because they actually had
  • a you know they communicated very openly
  • with me and they said like why why it is
  • they confirm this because privacy they
  • decided to have like loyalty program for
  • the passenger which makes sense because
  • the airport collects fees on every
  • departing passengers so they want to
  • encourage traffic so they have this you
  • know list of gadgets that you can get
  • for a certain number of points and the
  • points you get for every departing
  • flights and to register a departing
  • flight you need to scan your loyalty
  • card and your boarding pass like what
  • can go wrong right so here's a simple
  • equation so I really like the blanket in
  • the middle it would cost me 600 points
  • which is sixth flight and you see five
  • QR codes before because I had we know
  • one legit flight I said you know it was
  • and the funny thing is that it was you
  • know I even made it look sort of legit
  • because I produce the QR codes for the
  • flights like over the next over the next
  • two days and it could really fit into a
  • story like I was flying to Edinburgh and
  • then going back in three hours and I
  • could make it
  • so to wrap it up
  • it's the privacy privacy and complexity
  • of the system which is preventing this
  • exchange of data and you know most
  • important board while us did a
  • reasonably good job preventing that
  • other places actually lower the bar
  • for us especially with introducing the
  • the automatic gates so here are the
  • sources and don't worry because this is
  • the link for this slide and most of that
  • will also be on the conference DVD so
  • thank you I don't think we have time for
  • questions but I hope you like
  • you


Description

How to get good seats in the security theater?

Przemek Jaroszewski CERT Polska/NASK

While traveling through airports, we usually don't give a second thought about why our boarding passes are scanned at various places. After all, it's all for the sake of passengers' security. Or is it? The fact that boarding pass security is broken has been proven many times by researchers who easily crafted their passes, effectively bypassing not just ‘passenger only’ screening, but also no-fly lists. Since then, not only have security problems not been solved, but boarding passes have become almost entirely bar-coded. And they are increasingly often checked by machines rather than humans. Effectively, we're dealing with simple unencrypted strings of characters containing all the information needed to decide on our eligibility for fast lane access, duty-free shopping, and more...

With a set of easily available tools, boarding pass hacking is easier than ever, and the checks are mostly a security theater. In my talk, I will discuss in depth how the boarding pass information is created, encoded and validated. I will demonstrate how easy it is to craft your own boarding pass that works perfectly at most checkpoints (and explain why it doesn't work at other ones).

I will also discuss IATA recommendations, security measures implemented in boarding passes (such as digital signatures) and their (in)effectiveness, as well as responses I got from different institutions involved in handling boarding passes. There will be some fun, as well as some serious questions that I don't necessarily have good answers to.

Przemek Jaroszewski is a member of CERT Polska (part of Research and Academic Computer Network in Poland) since 2001, where his current position is the head of incident response. He started his education as a programmer at Warsaw University of Technology, to eventually get his master's degree in Social Psychology from University of Social Sciences and Humanities in Warsaw. A frequent flyer in both professional and private lives, and a big aviation enthusiast - using every opportunity to learn about everything from inner workings of airports, airlines, ATC etc. to life-hacking of loyalty programs.
