The e-ticketing systems of eight airlines, including Southwest Airlines and Dutch carrier KLM, have a vulnerability that can expose passengers’ personally identifiable information (PII), mobile security vendor Wandera reported Wednesday.
They use unencrypted links that hackers can intercept easily. The hackers then can view and, in some cases, even change the victim’s flight booking details, or print their boarding passes.
Air France, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa also have this problem, according to Wandera.
“Wandera investigated the e-ticketing systems in use by over 40 global airlines,” said Michael Covington, the company’s VP of product.
“Only those organizations that had adequate time to respond to our responsible disclosure are included in the list of affected airlines at this time,” he told TechNewsWorld.
Wandera gives vendors up to four weeks to provide a patch or relevant fix before publicly disclosing a vulnerability.
The company has been communicating with “some of the affected airlines” but has not been able to verify that any fixes have been implemented, Covington said.
Discovering the Flaw
Wandera identified the vulnerability in early December, after learning that a customer who accessed the e-ticketing system of one of the eight airlines had been sent travel-related passenger details without encryption.
It then looked at whether other airline e-ticketing systems were similarly vulnerable.
Wandera notified the airlines affected as it was documenting the vulnerability.
It also shared its findings with government agencies responsible for airport security.
Unencrypted check-in links from the named airlines direct passengers to a site where they automatically are logged in to the check-in feature for their flight. In some cases, they can make certain changes to their booking and print out their boarding pass.
Once a passenger accesses the vulnerable check-in link, a hacker on the same network can intercept the credentials that allow access to the e-ticketing system.
Using those credentials, a hacker can visit the e-ticketing system at any point, even multiple times, prior to the flight taking off and access all the personally identifiable information associated with the booking.
“This vulnerability does not require a man-in-the-middle attack or malware installation in order to be exploited,” Covington said. “Anyone using the same network as the passenger — wireless or wired — would be able to intercept the credentials for the e-ticketing site.”
Airlines “should never give out links in email which present PII data without authentication,” said Anthony James, chief strategy office at CipherCloud.
“This just doesn’t make sense to us,” he told TechNewsWorld.
Different airlines’ systems expose different types of data.
The exposed data could include the following:
- Email addresses
- First and last names
- Passport or ID information — including the document number, the issuing country and the expiration date
- Booking references
- Flight numbers and times
- Seat assignments
- Baggage selections
- Full boarding passes
- Partial credit card details
- Details of booking travel companies
After accessing a passenger’s check-in, the hacker not only gains access to the victim’s PII, but also can add or remove extra bags, change allocated seats, and change the mobile phone number or email associated with the booking.
The questionable quality of boarding pass screening at the gates of some airports raises the possibility that a hacker or criminal could print a victim’s boarding pass and try to board a scheduled flight with it, Wandera said.
On the other hand, hackers go for targets that offer a high return on investment, CipherCloud’s James pointed out. “Intercepting the email with the ticket link gets the PII of just one traveler.”
Further, “everything depends on a boarding and a picture ID to get past security,” James noted. “The picture ID remains the backstop of the security procedure.”
Clear and Present Network Dangers
Security experts for years have advised travelers to avoid using public WiFi networks and hotel networks for important communications.
“Network traffic is more easily intercepted on an unencrypted wireless network or on a typical wired hotel or office network,” Wandera’s Covington pointed out.
It is “more challenging for an attacker to observe connections taking place over a carrier network,” he noted, but airlines should “address some fundamental security issues” themselves.
Coming to America
KLM and AirFrance “are closely integrated as part of the same company,” noted Colin Bastable, CEO of Lucy Security.
They partner with Delta Airlines through SkyTeam, “introducing a potential third-party risk to the United States domestic market via Delta’s eight U.S. hubs,” he told TechNewsWorld.
Code-sharing with Air France and KLM “might have expensive consequences for Delta should a data breach occur as a result of this problem” said Bastable, because GDPR regulations “take a bite out of global earnings for data breaches.”
Further, new compliance regulations proposed in the U.S., such as the American Data Dissemination Act and the California Consumer Privacy Act of 2018 may make vendors liable for penalties and violations if they expose PII data without requiring authentication, CipherCloud’s James said.
How to Keep PII Safe
Following are some steps Wandera recommended that airlines should take:
- Encrypt the entire check-in process;
- Require user authentication for all steps where PII is accessible, especially when it can be edited; and
- Use one-time tokens for direct links within emails.
“If the link takes you directly to the passenger name record without login, it’s absolutely a potential problem,” CipherCloud’s James said. “You must always require login and authentication.”
Users should have an active mobile security service deployed to monitor and block data leaks and phishing attacks, Wandera advised.
Passengers on the eight airlines named “should print their boarding pass at home,” Lucy Security’s Bastable suggested, “and avoid using mobile check-in at the airport.”