Cybercriminals can easily hack into an airline’s e-ticketing systems, it has been revealed. They can modify boarding passes and abuse customers’ data.
Airlines Vulnerable to Check-In Airline Hijacking
According to Wandera, a security company, multiple airlines’ customers are at risk of having their private data hacked and accessed by cybercriminals. Wandera’s research team have discovered that the e-ticketing systems used by big airlines send unencrypted check-in links to passengers. The cybersecurity firm discovered this vulnerability in December of last year. They then realized that unsecured travel-related details were being sent to one of their secured customers.
Researchers think that this might compromise customers’ data and put passengers’ data in jeopardy of modification by hackers. An attacker might even tamper with the details before printing out a boarding pass and attempting to board the plane using it. The company investigated further and found that many airlines experienced the same problem with their e-ticketing systems.
Ian Thornton-Trump, head of cybersecurity at AmTrust International said “Four weeks is laughable as a measure of time frame in a legacy house of cards technology stack and legacy code base. It’s one thing to discover the vulnerability but, especially in airline software, it’s quite a big endeavor to fix it. Four months seems more likely.”
CEO Wandera, Eldar Tuvey had this to say: “We are finding more every week. But, we are not able to disclose who they are publicly before they have had a chance to fully secure their e-ticketing systems. We tried to assist the airlines that have responded to us after we disclosed our findings to them over 4 weeks ago. However, he also warns that many of those airlines have yet to fix the vulnerability although we remain on hand to offer them as much assistance as they need to investigate and fix the issue.” Note that a total of 40 major airlines were later investigated and nearly a quarter appeared to be vulnerable.
Check-In Airline Hijack Attack
Air Europa, Air France, Jetstar, KLM, Southwest, Thomas Cook, Transavia, and Vueling are some of the airlines whose e-ticketing systems were allegedly vulnerable too. Once the attacker gets his/her hands on the link address, the link redirects them to a site where they’ve logged in automatically to the check-in session for that flight.
According to researchers, these attackers can then make modifications to the booking and print off boarding passes. Plus, data such as names, email addresses, and passport numbers could be revealed. This is because they vary from airline to airline. Passengers, as a result, could discover seat changes and removal or addition of luggage. The exact nature of the data at risk depends upon which e-ticketing system the airline is using.
Airline travelers need to handle these check-in links, in the same manner, they handle passwords. Also, passengers should be aware of the security of the networks they are on when they using these e-ticketing systems. Airlines need to adopt a fully encrypted check-in model soon. They should also start asking for user authentication when booking data is accessible and editable. All in all, the cybersecurity measures implemented by major airlines is leaving a lot to be desired.