The not-so-secret life of boarding passes

Recently I was asked to speak at an event in Copenhagen. Sadly, my return journey, a fabulous 26 hour experience, was impacted by a prolonged storm.  This meant that my heavily delayed flight landed at London Heathrow Airport and then spent almost 3 hours waiting for a parking space for the plane.  Having exhausted the scintillating in-flight reading and having my iPad die I was looking for some way to entertain myself.

After attempting to make a paper aeroplane out of my boarding pass I noticed that it had a barcode on it.  So I scanned it with my phone’s barcode reader.  I was shocked that the data that popped up included my full name, date of birth, flight number, source and destination airport, seat number and something called a PNR record locator code.

What is the PNR?

PNR stands for “passenger name record”.  It is a data rich record that’s generated every time you book a flight.  It is stored in the database of an airline’s computer reservation system and accessed by a record locator code.  This record locator code is a 6-character alpha-numeric code eg: RMT33W (this is what was contained in my boarding pass barcode).  You will have used this code before anytime you have checked-in online or managed your booking through the airline’s website.  It can also be called a booking reference number.

So what does this PNR contain?

Typically it will contain the following information on you and anyone else you are travelling with:

• Full name and date of birth;
• Passport number and details;
• Details of any car hire or hotel bookings made through the airline;
• Email address and telephone number;
• Last 4 digits of the payment card used and details of who paid for the ticket;
• SSR (Special Service Requests) This could be things such as special meal requirements and the reason (religious, lactose intolerant etc). The SSR will also detail any disabilities or medical issues you declare too; and
• OSI (Optional Services Instruction) Upgrade options, languages, luggage etc.

-so yes, a lot of information!

The majority of this information is accessible through the “manage my booking” tab on the airline’s website and will probably be in the “passenger information” section.

Instagram: 100,000 boardings cards

To login and manage your booking on the airline’s site you need a surname and this 6 digit code.  Whilst still obeying the fasten seatbelt sign I realised that it would therefore be possible for me to login to any airline’s site under the “check-in” or “manage my booking” tab, all I would need is your surname and this 6-digit record locator code.  So where might I find this? Instagram looked like a good starting point. I searched for #boardingpass and found  just over 100,000 results!  Most people had tried to be “clever” and cover the name on the boarding pass with their hand or their passport.  This was an almost pointless exercise though as they had left the barcode clearly visible.  A quick scan of the barcode and it revealed the all-important surname and 6-digit code.  So now I would have had all the information that I needed to login to the airline website as you and access all that juicy information on you in the passenger information section.

Some airlines do try to mitigate this risk by making the login details redundant after you land from your last flight, Though that mitigates the risk in the long term, If you book a 2 week holiday -and post your boarding pass on Instagram, the bad guys have 2 weeks to login and grab all that information.

Spear-phishing made easy

Now, once logged in as you all I can really “do” is move an unsuspecting traveller’s seat right next to the toilets  or just in front of the bulkhead.  I can’t pay for anything or even cancel the booking.  That doesn’t matter to me as an attacker though because what is FAR more interesting is all the personal and possibly sensitive information contained in that passenger information section.  I could get your full name, date of birth, email address and telephone number. I can also see that your employer booked your ticket, you were travelling with your assistant and your SSR stated that you carry an epi pen and you can’t eat an inflight meal containing pork for religious reasons.  So quite a broad and interesting range of information all of which could be used maliciously.

Imagine you are an attacker.  You know I have just flown from London Heathrow to Bangkok with British Airways for example.  You know my return flight is in 2 weeks, I flew economy and on the outbound flight I requested a vegetarian meal.  You start to craft a malicious phishing email to me pretending to be British Airways:

“If you require a vegetarian meal for your return flight too please click this link to order it now” or “your return flight to London Heathrow has been over booked.  As an important customer we would like to upgrade you to business class please click the below link to accept the offer”.

With the amount of accurate information that you now have it would be highly likely I would believe it was in fact British Airways contacting me.  Who honestly wouldn’t click that link?

Checked Luggage

Still waiting on the plane, I started reflecting on my own travel experience.  I fly a lot and have done for the past 10 years.  I’ve sometimes thrown my boarding pass in the bin at home or in the hotel and sometimes I’ve just left it on the plane.  Up until now, I confess, I never shredded it.

Finally they let us off the plane. As I walk through the luggage reclaim area I notice that all the airline issued luggage tags also have barcodes on them.  I hadn’t noticed this before.  So once settled in Costa I went back onto Instagram this time searching for #luggagetags and variants thereof.  These barcodes ALSO have the same information as the boarding pass barcodes contained therein.  I KNOW that I’ve never disposed of these luggage tags securely!

“Guessing” the code

When I finally got home I thought that we, as passengers, clearly need to treat our boarding passes and luggage tags with as much caution as we would our passports but there is also a further problem.  The codes themselves are not very secure.  Would I even need to find your 6-digit code on Instagram?  Could it be “guessed”?

One big problem with trying to “guess” a password or code is a lockout on the website.  You will have seen this before no doubt, you enter the wrong password too many times and you are forced to wait 15 minutes before re-trying.  A 6-digit alpha-numeric code (none of the letters are case sensitive either) would be a pretty weak password and isn’t hugely demanding time wise to “guess” by a process of elimination using a decent computer.  So I went onto 12 airline websites and found the following results:

• No apparent lockout. My computer could “guess” code after code and not one of the airline websites told me to come back in 15 mins!
• Some airlines actually went further and had a helpful link next to the field where you would enter the code. When clicked the airline provided helpful advice as to what the code would look like such as “all letters are capitals” or “we don’t use the numbers 1 and 0 in our 6 digit code” or in one case- “the code is letter, number, number, then 3 letters”.  Beautiful.

What all this means is that it is very easy indeed to “guess” a 6 digit code.  All someone would need is your surname and the name of the airline that you are flying with.  Ever posted that information on social media?

To be fair some of the airlines were better than others.  One even encouraged passengers to set up two-factor- authentication so you had to input a code sent by sms to your smartphone, this makes breaking in somewhat more complicated.

There have been a few articles highlighting concerns over how all this PNR information is stored and archived.  The EU requires that archived PNR records are anonymised however researchers have cast doubt on the effectiveness of this.

I contacted all 12 airlines whose sites I looked at when researching this article.  I informed them of the flaw in the system and highlighted that perhaps a warning should be given to passengers informing them that it is potential security risk to post their boarding pass information online.  Only 3 replied and only 1 said they would look to fix this flaw.  The other two said it wasn’t a security issue because “you would need to find the passenger’s surname too so that safeguards it”.  Perhaps they have forgotten just how easy it is to get that information on someone from social media these days!

The aviation sector, like so many other industries, has a lot of work to do when it comes to cyber security but we as passengers have a responsibility for our data too.  So let’s not make it too easy for the bad guys.

Lisa Forte,

Partner, Red Goat Cyber Security

Learn about GCHQ certified Social Engineering Awareness Training.

Links

Read what happened when former Australian Prime Minister decided to post a picture of his boarding pass on instagram:  https://www.bbc.co.uk/news/world-australia-54193764

Disclaimer: The researcher used their own personal data and didn’t access, store or use the personal details of any non-consenting individual.  All airlines were contacted and alerted of the flaws discovered and allowed time to rectify these flaws before this article was published.  No unauthorised access was gained at any time.