Via PC Magazine:
Booking a flight has become a simple process thanks to the Internet, and once you have flights secured you can relax, right? Well, for the most part that’s true. Your seats are yours, as long as a hacker doesn’t decide to stop you flying, which turns out to be very easy to do.
Karstein Nohl and Nemanja Nikodejevic from German security company Security Research Labs have revealed how poorly the travel booking systems we all rely on are protected. In fact, the three largest Global Distributed Systems (GDS) handling flight reservations for travel worldwide are open to abuse in several ways.
Amadeus, Sabre, and Travelport are the three systems that handle over 90 percent of flight reservations. According to the researchers, these systems date back to the 70s and 80s and have only been integrated with the more modern web infrastructure rather than replaced completely. What this means is, authentication on the system is very weak due to it being decades old.
Each traveler on a GDS is identified by a six digit code which is also the booking code (known as a PNR Locator). That ID is printed on boarding passes and luggage tags, meaning anyone near your luggage or who views your pass can see it and easily snap a shot of it with their smartphone. With that one code, all traveler information can be accessed, including home and email addresses, phone numbers, credit card number, frequent flyer number, and the IP address used to make a booking online (see the image right).
It gets worse, though, as you don’t even need a specific ID to find valid traveler information. Both GDS and airline websites don’t typically limit the amount of times you can check codes, meaning a brute-force approach to finding valid ones can be used. Even finding a specific passenger is relatively easy because the IDs are given out sequentially, which drastically shrinks the amount of IDs a hacker needs to search through given a specific timeframe.