Si Cyber Intel: Major Security Breach Discovered Affecting Airline Travellers Worldwide
Within the commercial aviation industry there are only a handful of reservation systems that serve customers travelling on popular airlines such as British Airways, Air France, Qantas and more. Amadeus is the largest of these booking reservation systems and many of us will have used the system every year without realising.
Due to the complexity and volume of bookings worldwide for each airline, reservation systems such as Amadeus’s have to be able to connect and communicate with each other through the global distribution backchannel.
Without these integrated and complex systems, governments would have no idea who is entering and leaving the country - making Amadeus a crucial cog in the industry.
With technical advancements taking place within airports, such as facial recognition at departure gates, the reservation booking system is far behind: the only thing between you and someone rebooking a flight is the passenger’s surname and booking reference found on the ticket. A system that needs the capacity to share passengers’ data internationally has not updated its security measures for today’s cyber security threats and has sadly failed to keep customer records safe.
Noam Rotem, a security researcher from Safety Detective research labs, discovered a bug in the system resulting in a massive security issue for Amadeus. Rotem discovered the bug when attempting to book a flight with EL AL Airline, Israel’s national airline carrier. Once booked, the system sent the researcher a link to check his PNR (Passenger Name Record):
Passenger Name Record (PNR)
The PNR is a record on a central database of the Computer Reservation System (CRS). It consists of the passenger’s personal details as well as the passenger’s itinerary. The components of the PNR have changed over the years; however, the main components remain the same, as follows:
- The name of the passenger
- Contact details for the travel agent or airline office
- Ticketing details, either a ticket number or a ticketing time limit
- Itinerary of at least one segment, which must be the same for all passengers listed
- Name of the person providing the information or making the booking
Many governments also request that further details be included, such as:
- Passenger’s gender
- Passport details - nationality, number and date of expiry
- Date and place of birth
- All available payment/billing information
With such granular information held about passengers, CRS operators and the central databases their systems interact with really need to take a deeper look at the posture of those systems, and at how well they can cope with the rapid advances in the way systems are breached. All it takes is a single vulnerability in the front-end, back-end or the interconnecting layers in between to cause a serious breach that can lead to substantial financial or reputational damage.
What is interesting to note is that many if not all airlines also send these PNR codes via unencrypted connections, which was the case for EL AL Airline.
Having no encryption layer means that these codes can easily be intercepted, or brute forced by hackers and used in man-in-the-middle attacks.
Rotem demonstrated this risk when he recognised that anyone was able to change the RULE_SOURCE_1_ID code, which allows them to view Passengers’ Name Records (PNR), giving them access to passenger names as well as all other flight information - past and present.
With this information to hand, researchers were then able to log in to the airline customer portal, allowing them to “make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change a flight reservation via customer service.”
A script was then created by Rotem, which brute forced PNR codes for random passengers.
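From the defender's side, this kind of enumeration shows up in access logs as one client requesting many different RULE_SOURCE_1_ID values in a short time. The following sketch is an added example, not code from the researchers or from Amadeus; the log layout, the `/pnr/view` path, the thresholds and every sample value are assumptions constructed for illustration, and log lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

PARAM = "RULE_SOURCE_1_ID"      # parameter name taken from the article
WINDOW = timedelta(minutes=5)   # assumed sliding detection window
MAX_DISTINCT = 3                # assumed: distinct IDs one client may view per window
# Assumed log layout: ISO timestamp, client IP, method, URL, HTTP status.
LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+) (\d{3})$")

# Constructed sample log: path, IPs and ID values are made up.
SAMPLE_LOG = """\
2019-01-10T09:00:00 203.0.113.7 GET /pnr/view?RULE_SOURCE_1_ID=AAA111 200
2019-01-10T09:00:05 198.51.100.4 GET /pnr/view?RULE_SOURCE_1_ID=QWE456 200
2019-01-10T09:00:10 203.0.113.7 GET /pnr/view?RULE_SOURCE_1_ID=AAA112 404
2019-01-10T09:00:20 203.0.113.7 GET /pnr/view?RULE_SOURCE_1_ID=AAA113 404
2019-01-10T09:00:30 203.0.113.7 GET /pnr/view?RULE_SOURCE_1_ID=AAA114 200
2019-01-10T09:00:40 198.51.100.4 GET /pnr/view?RULE_SOURCE_1_ID=QWE456 200
2019-01-10T09:00:50 203.0.113.7 GET /pnr/view?RULE_SOURCE_1_ID=AAA115 200
2019-01-10T09:10:00 192.0.2.9 GET /pnr/view?RULE_SOURCE_1_ID=ZXC001 200
2019-01-10T09:20:00 192.0.2.9 GET /pnr/view?RULE_SOURCE_1_ID=ZXC002 200
2019-01-10T09:30:00 192.0.2.9 GET /pnr/view?RULE_SOURCE_1_ID=ZXC003 200
"""

def find_enumerators(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client_ip: peak count of distinct IDs in any window} for offenders."""
    recent = defaultdict(deque)  # ip -> (timestamp, id) pairs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed layout
        ts, ip, url, _status = m.groups()
        ids = parse_qs(urlsplit(url).query).get(PARAM)
        if not ids:
            continue  # request does not carry the record parameter
        when = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((when, ids[0]))
        while when - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({rid for _, rid in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Per-client counting is a detection aid only; it does not replace a server-side check that the requester is entitled to the record being requested.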
Rotem has notified EL AL Airline as well as Amadeus. Amadeus reacted quickly by releasing a statement that their technical teams were aware and working to patch the security issue in their Central Reservation System, and were stopping the script.
It’s unclear at this time whether the vulnerability had been exploited in the wild before being discovered by security researchers at Rotem.
Concerned customers and companies have been advised to monitor their email accounts for any unusual spam or phishing campaigns.
Back in 2017 at the 33rd annual Chaos Communication Congress, the largest European computer security conference, researchers Karsten Nohl and Nemanja Nikodijevic demonstrated how an attacker armed with only this code and a surname can steal airline miles, gain access to personal information, cancel flights, and more.