A pair of researchers with German security firm Security Research Labs
has revealed the results of research they undertook to assess the
security strengths and weaknesses of airline booking systems. Karsten Nohl
and Nemanja Nikodijevic have detailed their findings in a company blog post and in a talk they gave at this year's Chaos Communication Congress, and the news is not good for travelers.
Most modern computer systems employ a host of security features designed to make it difficult for hackers
to gain access. Unfortunately, according to Nohl and Nikodijevic,
airline booking systems were designed back in the 1960s and have not
been updated—that means that both airlines and the customers who use
their services are extremely vulnerable to hackers wishing to gain
access.
The main problem, the researchers report, is that the Global
Distribution System (GDS) used by the airlines is based on a restricted
access code, a six-character Passenger Name Record (PNR), which
customers are given when they purchase a ticket—it is also printed on
all of their luggage. The restricted part of the code means that the
number and types of characters that can be used must fall within a
predetermined range—that makes it easier for hackers using computers to
run through all the possibilities. Since the customer's last name is
associated with the PNR, hackers can simply type in a common name, such
as Smith, and then have the computer run through all the GDS character
possibilities until a hit is found, allowing access to that person's
flight record.
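The guessing pattern described above, one surname paired with many different booking codes, is visible in lookup logs. The following is an added example, not code from the researchers or the original article; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): time, client, surname, code, result.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 SMITH AAAAA2 MISS
2024-01-01T10:00:01 198.51.100.7 SMITH AAAAA3 MISS
2024-01-01T10:00:02 198.51.100.7 SMITH AAAAA4 MISS
2024-01-01T10:00:03 198.51.100.7 SMITH AAAAA5 HIT
2024-01-01T10:01:00 203.0.113.20 MUELLER X7K2QP MISS
2024-01-01T10:01:30 203.0.113.20 MUELLER X7K2QB HIT
2024-01-01T10:02:00 192.0.2.11 JONES BBBBB2 MISS
2024-01-01T10:02:01 192.0.2.12 JONES BBBBB3 MISS
2024-01-01T10:02:02 192.0.2.13 JONES BBBBB4 MISS
2024-01-01T10:02:03 192.0.2.14 JONES BBBBB5 MISS
"""

def find_enumeration(lines, max_codes=3, window=timedelta(minutes=5),
                     per_client=True):
    """Flag (client, surname) pairs that try more than max_codes distinct
    booking codes for one surname within the sliding window.
    Lines must be in time order. With per_client=False the client is
    ignored ("*"), which also catches guesses spread over many addresses."""
    recent = defaultdict(deque)  # key -> (time, code) attempts still in window
    flagged = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, client, surname, code, _result = parts
        when = datetime.fromisoformat(ts)
        key = (client if per_client else "*", surname.upper())
        attempts = recent[key]
        attempts.append((when, code.upper()))
        while when - attempts[0][0] > window:
            attempts.popleft()  # drop attempts older than the window
        if len({c for _, c in attempts}) > max_codes:
            flagged.add(key)
    return sorted(flagged)

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print(find_enumeration(log))
    print(find_enumeration(log, per_client=False))
```

A traveler who mistypes a code once (the MUELLER lines) stays below the threshold, while the JONES guesses, spread across four addresses, are only flagged when counting per surname.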
Access to a GDS, the researchers report, allows for changing
information on a flight record, which they reportedly demonstrated by
reassigning a reporter to a seat next to a politician on a real flight.
It could also allow a hacker to tie their frequent flyer number to a
host of other flights and give themselves credit for thousands of
miles. They note that a flight record holds information that could be
used to create a very effective phishing campaign. It could also
conceivably be used for tracking purposes: a stalker could use such
information to follow the itinerary of a celebrity, for example.
The researchers also reported that they have notified the makers of
the three main GDS systems of their findings and expect that some of the
holes in the systems will be fixed soon, while others may require a
full rewrite, obviously taking a lot longer.
SOURCE:
TechXplore


