So many of us traveled to this Congress, probably most of us, and we all took trains or planes, or, yeah, maybe somebody drove by car, but most took trains and planes. And have you guys ever wondered about the infrastructure of those travel booking systems? Even more interesting, have you ever thought how secure those systems are? Karsten Nohl and Nemanja Nikodijevic. Yeah, Karsten has a really nice record of security research. He had talks about GSM protocols and last year he had his talk about payment system abuse, which was really interesting. Together with Nemanja he will show us his research on travel booking systems and probably we will find out how we can get home free. Please give a really, really warm welcome to Karsten and Nemanja.

Thank you very much. Always feels great to be back. I just today noticed that the first time I was speaking at this conference was 10 years ago. So 10 years of looking at 10 different legacy systems and finding vulnerabilities in all of them so far. A lot of them were around RFIDs or mobile protocols. This time we're looking at something completely different: travel booking systems and vulnerabilities in there. Relative to some of the other talks we have been giving, this will have less hacking in it. Not because we lost our interest in hacking, but because much less hacking was actually needed to exploit vulnerabilities here. So sorry for that if you expected a lot of hacking. There'll be a little bit. That's why Nemanja is here, but a little bit less than usual.

So we're talking about travel systems, and there are three main players or actors in the commercial travel world. There are those people who provide traveling, airlines and hotels. There's those people who help you book them, Expedia, websites like that, or traditional travel agencies. And then there's brokers who make sure that whatever is available can be booked through those agents.
So those are really the backbone of travel systems, but you don't really think about them much, or at least I didn't before looking into this research. The systems are very useful as global systems. In fact they're called global distribution systems, and that tells you how old they are. This is before the internet was there. They go back to the 80s and 70s. So there was only one system that deserved the name of a global distribution system of, in this case, data, and this was travel systems. So it makes sense to have these systems because of course one seat on an airplane shouldn't be sold multiple times, so there needs to be a global inventory somewhere. Also all airlines should be using just a few systems so that they can do codeshare agreements, for instance, so that again the same seats on a flight aren't booked multiple times.

Consequently these booking systems maintain three types of information. The first one you're probably most aware of are the prices. Airlines will put their price list into these systems for booking sites to fetch. They're called fares in the travel world. The next important data item in there is availability, so not everything can be booked that has a price. There needs to be a seat available at a certain booking class. And finally, when somebody does find an available seat at a fare that they want to purchase, that is then converted into a reservation. So this is after the seat is taken.

And you may have seen some of this information before on travel websites. Let me just show you the one that I like to use the most. The ITA Matrix has been bought by Google a few years ago, so you can't actually book through here anymore, but they maintain the interface for whatever reason. And so let's say you search for a flight to San Francisco from here at the end of the year. Just like any other website it will give you plenty of options from the different airlines.
Now what's different for this website is that they give you a lot more details if you know where to click. So the cheapest flight, really cheap actually, 325 bucks to go to San Francisco for New Year's, a one-way trip. And what I like in this website is the rule. So this is real data that is kept in one of these GDS systems. And this already looks like the 70s, right? This would usually be shown on a terminal, maybe green font on black background, and somebody would read through here and they would say, okay, so you want to book for certain dates, okay, the dates match. You want to go on TAP, TAP Portugal Airlines, so okay, that matches, and you could also take a few other airlines. And then you have to meet certain other restrictions. For instance you can stop over here. So this flight goes through Lisbon, you can stay in Lisbon for up to 84 hours before flying on to the US. That'd be nice, right? And then it has all these other rules in here, for instance you cannot cancel this ticket, right, it's non-refundable, but you can change it for a fee, right? And this goes on and on and on. For just a single fare, and there's of course tens of thousands of fares available.

Now this, you may be surprised to hear, is the only form in which these fares are available. There isn't an XML, there isn't a web service. This is how the airlines publish them. And then a website like Expedia has to write a parser for it to be able to present flight options to you, right? So you may have noticed, if you try to change or cancel flights, they often don't allow that through websites. Expedia for instance doesn't, you have to call them, and if you call them they say, give me a moment, I have to read through the fare rules, right? So in that case they just didn't parse all this information. So that's the first thing that's kept or maintained in these large GDS, the booking systems: the fares. The other thing is the availability.
That's a little bit harder to access through public websites. ExpertFlyer is probably the best one to use. And availability is important if you actually wanted to fly to San Francisco now for New Year's. We looked at the fare rules. So the booking class is always the first letter. And then if you look at availability for that booking class, unfortunately it says C for closed, right? So they don't accept any more bookings. So just because there's a price available doesn't mean that anybody can actually book this flight, right? And again somebody like Expedia would have to now combine all of these different pieces of information to present a list of flight options for you.

So let's assume they did that and you did book something. Then the third data item is created in one of these GDS. And that's the passenger name record, PNR. And that looks something like this again. You know, the same 70s, 80s style with lots of private information. Ed Hasbrouck, he's a privacy advocate in the U.S., probably the loudest voice to ask for more privacy around travel booking. And he was kind enough to make this available on his website for all to see what information is kept. So contact information of course, things like email. This one shows you again how old all these systems are: they don't have the at character, right? This is using a character set from punch cards. In the punch card you had six possible punches per character. So everything here needs to be encoded with a six-bit character and there's no space for at. So all ancient stuff, but still a possible privacy hazard, right? You wouldn't want anybody to access this kind of information about yourself.

The three main players who run GDS are Amadeus, mostly in Europe, Sabre, mostly in the U.S., and then there's Galileo, that merged with a few other things into Travelport, and Galileo isn't really so much used by airlines but it's more used by travel agencies.
And then often multiple of these systems are involved in a booking. So let's say you go through Expedia and book an American Airlines flight. Then the PNR has to be kept in Amadeus as well as Sabre. So there's two copies here. Let's say you go through a travel agency that's connected to Galileo and you book a flight that has both Lufthansa and Aeroflot segments. It would be kept in all three of them, right? So there's lots of redundancy depending on where your flight segments and booking agents come from. But suffice it to say the three big companies apparently hold on to the private information of all travelers, hundreds of millions of records for each of those systems.

And we wanted to find out whether they can sufficiently protect this information. And there's of course reasons to believe that they can't. This is very old technology and it's unclear whether they ever did any major security upgrades. But at the same time there's reasons to believe that they are very well secured, because this PNR data, this very information about travelers, has been disputed between different governments for a long time, in particular the US government asking for more and more information since 9/11 in multiple ways. And the EU governments, they say no, you can't have more information than you absolutely need. So they agree politically that yes, the US can get information on those travelers going to the US, but only certain data fields, and they have to delete them after a few years. So this was years of negotiation. And you'd imagine that the systems at the forefront of this dispute would be secure enough that, let's say, we couldn't access that same information that even the US government is supposed to not access. Right? So we set out to answer the simple question: do these GDS have normal basic security? Right? Do they constrain access? Do they authenticate users?
Well, do they protect with rate limiting from web attacks? And do they log, to be able to detect any possible type of abuse? Right. And we'll go through each of them to see where those systems stand.

Let's start with access control. And this is just drawing from public sources. So again Ed Hasbrouck, this privacy advocate in California, has been the loudest voice here saying there is overreach by a lot of players already accessing PNR information. So for instance if you have a booking, let's say a flight booking, anybody who works at this airline can access your information. But then if you add, let's say, a car reservation to the same booking, anybody who works at the car rental company can also access, let's say, the flight information. And any agent at the booking agency that you use can access all of this information. And if you keep adding information, all of these people still have access to it. That's just how these systems grew over time. But that's the first indication to me that this certainly wasn't built with modern security in mind. Most concerningly, the people working at or for the GDS companies, they have access to everything, absolutely everything, including the support staff as far as I understand. So these are external companies that help debug the system and they have access to hundreds of millions of people's private information. Right? So way too many people have access to way too much information. For instance if you did an online booking, your IP address is stored there basically forever, well, until the flight is over. But any of these people can now access your IP address, your email address, phone number and all of this, right? So definitely that doesn't seem to be fine-grained access control. But as I said earlier, this has been known for a long time and criticized a lot, not acted on though yet.

How about authentication? The picture is actually even worse for authentication. And I want to distinguish two different cases here.
I want to distinguish professionals accessing records, so people working at travel agencies and airlines, and as a second case I want to distinguish travelers accessing their own records, like when you check in online, for instance, you access your own record. Professionals, the way they access it typically is that their agency is connected to one of these GDS through basically one account. So an entire agency system, or at least an entire location, uses one account. So years ago somebody typed in some username and password and that has long been forgotten because locally they use a different access management. A few travel agencies were kind enough to help us in this research, and the access credentials we saw them using, they're just terrible. For instance, for one of the big systems that I won't name, the username is the agent ID, which you can get pretty easily. And then the password for the web service, so the modern way of accessing this, is WS for web service and the date on which the password was created. So even if you have to brute force 20 years, right, how many possible dates does a single year have, times 20? This is ridiculously low entropy for an account that's supposed to protect information of millions of people if not more. Now this is the best authentication that we found in the system.

It gets worse with travelers accessing their own information, because they just simply forgot to give you a password. Not even a terrible password like this, there just isn't one. And what they use instead is the booking code, PNR locator it's sometimes called, I'll call it booking code. It's a six-digit code, right, that when you check in online you need that code. And you only need that code and your last name. So you would imagine that if they treated it as a password equivalent then they would keep it secret like a password, right? Only they don't, but rather print it on every piece that you get from the airline.
For instance on every piece of luggage you have your last name and a six-digit code. On your boarding pass it used to be there, and then it disappeared, and then these barcodes showed up, right, so it's inside the barcode. If you decode the barcode there's the PNR in there. I erased it here because this is still a valid booking. So you have these six-digit codes printed everywhere and you can just find them on pieces of scrap at the airport, right? Certainly these tags you find all over, but also people throwing away their boarding passes when they're done. And this is supposed to be the only way of authenticating users, and we'll show you in a minute what kind of abuse is possible through that.

But let's first think about where else you could be able to find these PNR codes. Could you get any worse than somebody printing your password on a piece of paper that you throw away at the end of your journey? Of course the internet can make it worse, right? And what better technology to worsen a security problem than Instagram. So on Instagram, you get all these bookings, and in fact there's one guy here, you see he actually erased the information, but for every one who knows what's up there's a hundred who don't, right? And this is really all the information you need. I saw a Lufthansa one just now. Where was that? Yeah. So here's a Lufthansa one. This is from today, posted by Maki at Frankfurt, right? So this is really all you need to get somebody's... Let's see if this works. Yeah. Sure enough. So Maki M on Instagram is apparently a marketer, motor lover. And this is her booking reference. I was debating whether or not to show this, but you guys are going to do it anyway when I'm done. So a flight today from Munich through Frankfurt and then on to Seattle. And let me point out one thing here. Where did I see the ticket number? Just use mine. It's Android APKN. Oops. And let me write down the password. All right.
So what I wanted to point out is that this isn't even a Lufthansa ticket. So she checked in with Lufthansa in Frankfurt. But if you look at the ticket number, 016, that's a United ticket. And it also includes flights on Alaska Airlines, for instance. So any of these airlines have full access to this PNR. And many of them will just grant people access to it if they know the PNR and the last name. And as Nemanja will show in a minute, even if they don't know that yet. So to recap for the moment: airlines give you a six-digit password that they print on all kinds of pieces of paper and that you will post on Instagram, right? And why shouldn't you, everybody else does too, apparently 75,000 people at least over the last couple of weeks. So the authentication model here is severely broken too.

And what kind of abuse arises from this? Of course you can now use this PNR to log in on Lufthansa, as I've just done, or a more generic website like CheckMyTrip, and look up people's contact information at the very least. So there's always an email address in there. There's usually a phone number in there. If in Lufthansa you click on I want to change my booking, it will probably ask you for your payment information and pre-fill the postal address for that. So you get somebody's postal address that they used for the booking. Passport information, visa information, if you travel to the US as she does, there's definitely passport information in the PNR. All of this information is now readily accessible. Right? Now so far there was zero hacking involved. Right? That's why we have Nemanja here. He'll show you some actual hacking to get even deeper into these systems. Can we switch the screen?

When we started this research, we needed to find lots of these booking numbers to see if there is some relation between them. So luckily we didn't have to make any bookings that we had to pay for.
Because there are websites like this one where you can just make a booking and pay it later, but you get the booking reference number at the time. So let's make some very normal German name, looking for someone from Germany. Actually they check the phone number, so it has to follow a certain form. Let's find Germany. So yeah, from Berlin. One, two, three, four, five, six, seven. hans at sandiego.com something. As you can see I tried quite some of these. So for this one we already got our booking reference number, which is Y56HOY, and this one in a minute. Okay, we have to wait a bit. Y5LCF4. So if you notice, they are very close to each other. So they both start with Y5, which means that they were booked on the same day. Probably because one is on Lufthansa and the other one is on Air Berlin there is a slight difference, so they are not exactly sequential. But we can say that they are concentrated in a certain range for a certain day.

So what we can do now is that we can go to one of our servers. At first we have to check if CheckMyTrip works, because I had some issues with the network. Let's... Oh, okay. So this is a bit unexpected. So we will have to skip this part where we actually look for Carmen Sandiego in one of our bookings. But yeah, well, this is a side effect of responsible disclosure, right? So you tell a company that on this day you will do that and that thing to that website, and it just, has it blocked IP ranges here, or just took down the website, which they have done a few times before, right? So what you can do is... Actually, I think the whole website is turned off. What we can demonstrate, I think, is that if we go with this booking number to the Air Berlin website and then type last name Miller, and actually, because it's six-bit encoding, it has to be normal. So the part of the demo that you didn't show is just brute forcing these ranges, right?
If you know which ranges are used in a day, you can try them all. Or at least we did, many times. And so that would then in theory give you access to all of this, or not just in theory but in practice, unless they take down their entire website, which is what happened to the one you were going to use for this demo. But yeah, but on this example, if we caught that flight that we wanted to catch... Well, we'll show it later. But at least the first win for privacy: no information is leaked through this website. For the rest of this talk, at least, we can switch back.

So one thing that you would have noticed, had this not just been a flight reservation but an actual ticket, it would have given you options to rebook it, to add a frequent flyer number, all of that good stuff. So what's the abuse potential here? So far we've only talked about privacy intrusion, right? And privacy intrusion is bad enough. Imagine somebody snapping a picture of your luggage, that person has your email address and your phone number right there, right then, right? So, but the abuse potential goes much beyond that. For instance, you can fly for free. You can fly for free using different methods. You can find somebody else's booking and just change the date of the ticket. In fact, we can show it a little bit later, we had prepared for this demo that we're going to find, through a little bit of brute force, a flexible ticket. So you can just change the date, you can change the email address, you just take that flight yourself. Unless the airline checks, compares the ticket and your passport. Oftentimes they do it visually, right? What they'll do is they'll send you a PDF, you change it in there, you take it anyway. But at least in Schengen, in the EU, people don't even do that. But let's say you wanted to take it in your name.
You can, depending on the airline, call them up or even use their website to cancel the ticket and then issue a refund to you inside the PNR and then use the money that's freed up there to book a new ticket. Some airlines also give you MCOs, miscellaneous charges orders. The Americans will know this very well: every time you get bumped from a flight, they give you an MCO, sorry, we can't fly you home today, you'll have to go tomorrow, but here is $1,000 towards a new ticket, right? It's real airline cash, and those same MCOs you can issue based on flight cancellation. So you cancel somebody else's ticket and you get airline money to book your own ticket. And again, there are no passwords involved. The only authenticator is this six-digit sequence that people post on Instagram, print on their boarding passes, and that Nemanja showed you can brute force on their websites.

What else can you do once you have somebody's PNR? You can change or add a mile number, right? And some tickets are really, really attractive for mile collection. Take a round trip to Australia in first class. That's 60,000 miles right there for one round trip, for one PNR. And that will get you a sweet free flight to somewhere nice, or even some vouchers for online and offline shopping. One website that I wish were still working is of course this one, right? But they shut down business, apparently unrelated to this talk. So you have access to somebody's PNR. You can not just stalk them but change their flights, which might just trigger some curiosity, right? That flight can't be taken twice. But you can very stealthily add your mile number everywhere. Well, a new mile number matching that name, to collect those sweet miles, right?

Now, all airlines are affected by that. So the demo that we didn't get to show: brute force for one last name, Sandiego, right, all the PNRs for a day. And it quickly found, in fact, a bunch of records. There's not just one Sandiego flying that day.
But some airlines are a little bit smarter. For instance American Airlines, the largest airline in the world. They don't just want the last name but also the first name. And if you're interested in one specific person, let's say Carmen Sandiego, you would still find that person. But if you want to conduct fraud, this becomes a little bit more tricky, right? A fraudster would just pick a random, very popular last name and brute force PNRs there. And that becomes more difficult if also you have to guess a first name. However, even American Airlines records can be accessed through other websites. For instance ViewTrip is another generic website like this infamous CheckMyTrip that just went offline. And ViewTrip allows you to brute force by just last name and PNR again, right? So there's multiple ways to access the same information, some of which are more secured than others. And of course only the weakest link matters. So in fact ViewTrip, what they will say is, we found a record and we can't give you access to the information. But then TripCase will, which again takes only last name and reservation number. And they will tell you the first name also, that then you can type into the American Airlines website again, right, to change the booking, let's say. So there's all these different ways to access a person's information here, and everybody is slightly different.

So let's look at the entire universe of travel websites, starting with the three big travel providers. Each of them uses a six-digit booking code, but they use these six digits rather differently. Sabre, for instance, they don't use any numbers, which of course severely impacts the entropy. But then others, for instance Amadeus, they don't use one and zero, because that could be confused with I and O, and then Galileo drops a few other characters. So at the end of the day, none of them really use the entropy of even a six-digit passcode.
So all of them have an entropy lower than a randomly chosen five-digit password. And we will never recommend anybody to use a five-digit password, right? So this is strictly worse. And what makes it even worse, at least for privacy-intruding attacks, is the sequential nature of these bookings, right? You saw the two that Nemanja just now generated. Both of them were from the same very small subset. So if you just wanted to know all the bookings that a person did today, you can brute force this in 10 minutes with a few computers running in parallel. It's not so easy on Sabre because they seem to be chosen more randomly. However, Sabre has the lowest entropy. So if you just randomly want to find bookings for popular last names, Sabre is your system of choice, right? So they're all weak. But the weaknesses differ in shades of gray for this privacy-intruding and for the financial fraud type of attacks. As one example, though, of how easy it is to find these booking codes: if you look up 1000 just randomly chosen booking codes in Sabre for the last name Smith, five will come back with current bookings, right? So half a percent of the entire namespace is filled with current bookings for people called Smith. Now add in all the other last names, their namespace must be pretty damn full. And it's only 300 million records if you calculate the entropy. So it looks like almost every record is used up. And they're running out of space. They'll have to fix this anyway at some point. But that of course makes it all the easier to randomly find and abuse other people's bookings.

So each of those providers runs a website that allows you to access all the PNRs in the system if you know the PNR and the last name. And one German reporter writing about this, he calls them the websites that you didn't know existed, that you have no use for, but that anyway put your privacy at risk, right? So there doesn't seem to be any upside to these websites.
I certainly don't need to use them, but they're there. And they're bad. Because when we did the research, none of them had any protection from brute forcing, meaning we could try 100,000, even millions of different combinations of PNR and last name, and those websites wouldn't complain even a bit. Now we did expose Amadeus to way more queries than the others. And at some point they did notice, maybe also because some reporters just asked them for comments on the research. And they have tried to improve. So the classic.checkmytrip.com website, that was just killed a few days ago. Rest in peace. Thank you. It's gone, 50% of the problem solved. But the other website, that was still around up until literally half an hour ago. What they did over the last couple of days was they added a CAPTCHA. But the CAPTCHA gave you a cookie, and the cookie you could again use for an indefinite number of queries. This is a company that just hasn't done web security before. But then they also limited the number of requests per IP address, right? Now we do this from Amazon, so it's not so difficult to spawn new IP addresses. But still, it severely slows us down, about 1000 requests per IP address. Now even if they now took down CheckMyTrip for good, of course this is not the only path to a reservation. As we've seen before, you can just use the provider's website directly. And the popular ones in Germany, they differed in security quite a bit when we checked a few weeks ago. So Lufthansa itself differed between different properties. The standard website asked for a CAPTCHA, not the first time, but I think starting from three requests. So really good compromise. They make it comfortable to use for really anybody who just wants to look up their own records. But then they make it a little bit more painful for somebody who tries to look up too many. But then the mobile version, for instance, didn't have that CAPTCHA. Right. And again, weakest link principle applies.
Air Berlin, they had some rough IP filter. Again, 1000 requests per IP. That's a little bit too much. They introduced a CAPTCHA today. Right. So again, in response to this, so this is already showing some effect. So thank you to CheckMyTrip and Air Berlin for working on this over the holidays. Much appreciated. Maybe if you know anybody... Thank you. On the other GDSs the situation is much worse still. So they're still as brute-forcible as they ever were, as are the websites, right? Except for the little bit of first name extra complication on American Airlines. Really, every website we have tried is not protected from brute forcing. And this is surprising to me. I mean, in my consulting work I've never seen a website where not the first pentester to ever look at it would say, oh, you don't have rate limiting in it, please add it. And then two days later they had. So for most of this industry that is yet to happen. So no kudos here either.

Let's talk about one more abuse scenario. That's, I'd say, very relevant, but that's maybe because in my consulting life I've been dealing with human security for the last couple of years, appreciating that technology is mostly not the weakest link, but the gullibility of people working at the company. And the same probably goes for travelers. So imagine a scenario where you made a booking just a few minutes ago, and now that airline, or at least it looks like that airline, sends you an email saying, thank you for making this reservation, here's all your booking stuff summarized for you, please update your credit card information, because the booking didn't go through, right? I would click on that. I expect them to email me. I know that sometimes credit cards are fuzzy. I would click on it and enter my credit card information again. And how is this possible?
Of course, we can stay ahead of the current pointer in these sequences and find bookings that were made in the last, let's say, half an hour, for popular last names again. And each of those bookings will point us to an email address and give us all the context we need to include in these very, very targeted phishing emails. So if nothing else, I think this should convince the airline industry to close these loopholes, because the evilness of the internet will not ignore this forever, right? Phishers are always looking for new targets, and this would be a very juicy one.

All right. So we looked at the three big GDS now. There's a few other players, for instance SITA. It looks like it's on the way out, but these two very big airlines still use it, so they're certainly still relevant. And they are even worse. Instead of a six-digit booking code, they use five digits, and one digit is fixed per airline. So if you know which airline you're looking for here, you don't even have to brute force that, leaving just four digits to go through and to brute force. Now, we don't have a demo for this because we found three other more fun ones to demo. So Nemanja will now show you Ryanair, Oman Air and Pakistan International Airlines. Note that all of these are connected to a big GDS system. So it's now the websites that make it even worse than we already discussed before. And can we switch over to the other computer again? Thanks.

Yeah, I guess many people fly with Ryanair here. So they use Navitaire, which is now owned by Amadeus. So they don't share the same address space. But on the Ryanair website you can either search for the reservation with the email address and the reservation number, or the last four digits of the credit card that you used for booking. So again, great authenticator, right? 10,000 options. So as they don't have CAPTCHA, we can have a look for... it's a bit slow. Okay, so we know that the last four digits of Carmen Sandiego's card are these.
Well, and if not, we can just try all 10,000. We can just try, yeah, we can do it the other way around. So, but this way we know that, and that it starts with these characters, and let's try to brute force it. In the meantime, let's have a look at Oman Air. So they ask for the booking reference and for the departure airport. But the departure airport doesn't have to be just the departure airport, it can also be any airport that is within the reservation. So for Oman Air, we think that it's Muscat, which is the capital. So usually most of these flights go through there. So let's see if we can find someone who is flying. And it's not just trying random booking codes, but ones that are valid within that namespace, right? So again, they don't really use the full entropy. So that makes the search a little bit quicker. But other than that, it is just a pure brute force. Yeah. And as there is no CAPTCHA, as you can see, we can move on to the next one. So this one is the winner. So basically they trust you that it's you. And let's see. Okay. So we already have one for Oman Air. Okay. So this is the one, this is where... That was Ryanair, huh? Yeah. This is Ryanair. Yeah. Okay. So we didn't print these two characters, because we wanted to hide it: if we accidentally hit some booking with that card number, we don't want to show the booking reference number of someone else. So it might be even... We saw the people here. Yeah. Okay. So we can try... Oh, okay. We even got one from Pakistan International Airlines. So Carmen Sandiego is flying from Schönefeld to Timișoara. And here we can just enter the... What was it, I think... If I'm right. Let's see if this will work. Huh? Yeah. Okay. So hello, Carmen Sandiego. So... So now we know where Carmen Sandiego is, finally. Yeah. So yeah, the point has been made. You can brute-force these websites rather easily. And you don't really trigger any alerts, apparently. Which, again, coming from an IT security background, I find pretty shocking, right?
Can we switch back to this screen? So let's look at the last security feature that we would expect any IT system to have these days, especially knowing that it has been criticized for lack of IT security for a long time. And that, of course, is accountability, logging, right? At least track who's legitimately or illegitimately accessing these records. It turns out that it has been asked for a long time by different people. Again, most notably Edward Hasbrouck, this privacy advocate. But also other reporters and other advocates have come across this for years, saying there's rumors that, let's say, the Department of Homeland Security in the U.S., they have root access in these GDSs. Where are the records, whether they are accessing it or not? Where are the records for abuse by support staff in these GDS companies? Where are any records? And the GDS companies have always said, oh, we can't keep any records. It's not technologically possible, right? I call BS on that. They are logging, in the tiniest minutiae, any change to a reservation. There's a log for that. But an access log does not exist and is not technologically possible. I think there's a completely different reason behind this. If, in fact, these companies gave access, unlawful access, or at least in violation of privacy laws in, let's say, the EU or Canada, if, in fact, they gave that access to other governments, the last thing you want is a trail of evidence showing that people have accessed records, right? So this has nothing to do with technological restrictions. This is purely that those companies don't want to be in the middle of a debate where probably some sealed order in the US makes them disclose all this information, but laws in Europe make them not disclose the information. They just don't want to have evidence either way, right?
But that leaves us in a very peculiar position, where now we know that these systems are insecure, use very bad authenticators, expose this over websites that can be brute-forced, and don't keep any record of whether that actually happens, right? So it's completely unknown how much abuse may be happening here. I think we can be pretty certain that the flight changes for people to fly for free, that they are not happening very frequently, because that's the only one of these attack methods that would leave very clear evidence, somebody actually complaining, saying I wanted to go take my flight, but apparently somebody else already took it before me, or cancelled it and took off with the money, right? But the other cases, we have no idea whether or not they're happening. They're technologically possible, and nobody seems to be looking for these abuse patterns, right? So in summary, there's just three big global databases, two in the US, one in Europe, that keep all the information on all the travelers. This information includes your personal contact information, payment information, your IP address, so lots of stuff that in a lot of other systems we consider sensitive, private even, and it should be protected with a good password. We would advise people to use an eight-character or longer password with special characters. None of that exists here. The passwords here are six digits, they are less than five digits' worth of entropy, they're printed on scraps of paper that you throw away, they're found on Instagram, and they're brute-forcible through numerous websites by the GDS companies and through the travel providers. So this is very, very far away from even weak internet security. This really predates the internet in stupidity and insecurity, right?
And while there's multiple scenarios in which either privacy of users is at risk or even fraud could happen, none of this is being logged, and nobody knows or has any way of knowing the magnitude to which these systems are already abused. So what do we need here? We clearly need more limitations on who can access what. This is not just my ask, this has been asked for 10, 20 years, but more on the technical level. In the long term we need passwords for every traveler. You should be able to post a picture of your boarding pass on Instagram without having to worry about somebody abusing it. This is a piece of paper that you will throw away. There should be nothing secret about it, right? If you want to share it, feel free to. Somebody else needs to add a password to make that safe again, right? But that's a very long-term goal. These travel companies are so interwoven, as we saw today, that all of them really have to move at the same time, right? The GDSs have to do their share, but then each of the interconnected airlines has to do their share. We saw this one random ticket from Instagram, so this was a Lufthansa ticket with some Alaska Air components issued by United, right? At least those three companies have to work together. And how many more different airlines do they have codeshare agreements with? So we're talking about hundreds of companies who have to come together and decide we want to introduce passcodes, passwords, whatever you want to call them, for each booking. So that is a long-term goal. In the short term though, at the very least we can expect is for all these websites that do give access to travelers' private information to do the bare minimum of web security, at the very least some rate limiting. Don't allow us to throw millions of requests at your properties and give us back honest answers, right? That is unheard of anywhere else in the cloud, but for travel systems, who claim for themselves to be the first cloud ever, this seems to be very standard, right?
And then finally, until all of this can be guaranteed, until there's passwords, and until there's good rate limiting, I think we have a right to know who accesses our records, and there must be some accountability, especially knowing how insecure these systems are today. But this is a long way, and I can only hope that we are starting a journey by annoying large companies like Amadeus, who have done their little bit of fixing over the weekend now. So hopefully some others will follow suit and we will have better systems. Until then, of course, I can only encourage all of you to look at more of these travel systems, because there's plenty more to find. We're only scratching the surface here, and more generally to look at more legacy systems. I think we're spending way too much time making some already really good crypto just a tiny bit better, or finding in a really good mobile operating system the next little jailbreak that will be fixed two days later anyhow, ignoring all these huge security issues that have been there for many, many years in systems that are a little bit less sexy and riddled with bug bounties than something else that we do spend a lot of time on. So I hope I could encourage you to do that. I want to just end out with a few thank yous to members of our team, without whom this research wouldn't have been possible, and to a few industry experts who were kind enough to read over these slides and provide feedback and help us hopefully not have any major gaps in our information. And then to you for showing up in such great numbers. Thank you very much. Wow, great talk. Thank you very much. We have five minutes for Q&A. So please line up at the microphones and we'll take some questions. First one. Do you have any indication of how secure the systems are on the other end, that the airlines supply their fares into the entire system?
So is there any indication that those systems might be more secure than on the customer side, or would it be easy to inject a cheap fare, for example by impersonating the airline with weak passwords? Honestly, we don't know. It was definitely on our list to research, but we don't have time for everything, so we focused more on the customer privacy. But one thing that I really would want to test if I had any way of doing it: imagine the parsers for these strings, right? Imagine injecting some special characters in that, right? So I don't know who creates these strings, and really maybe I don't want to know, but if anybody does, then you could play with some SQL commands. I think a lot of websites would wake up understanding that on that front they don't do enough security either. Okay, question from the signal angel. A question from IRC. Recently US customs and border patrol started collecting social media identifiers for foreign citizens trying to enter the US on a visitor visa. Could that information be accessible through PNRs? That's a good question. I don't think it would be. So, so yes, they are from PNR. Okay, so okay, I would have imagined that it's more a case like this journalist Cyrus Farivar. He requested through Freedom of Information Act disclosure all the records that the US government kept on his traveling, and he found a lot more stuff than just in the PNR. They had notes in there like, oh, he's a journalist, we had to search him extra for that, stuff like that. So they don't want to write that into the PNR, but the government keeps separate records that may be indexed by PNR, I don't know. Okay, microphone here. Can you say something about how long information will be stored in those travel systems and whether users have a right to get them deleted? That's a good question.
I think that differs by system, so in Amadeus records are removed pretty quickly, days or at most weeks after the last flight is finally done, but in Sabre I had the impression that much older records were still in there, which may explain why the data set is so dense if you keep accumulating all the information. At the end of the day this is all going back to mainframe technology, so I don't think anybody understands these algorithms anymore, they just kind of work. The deletion? The deletion, yeah, I don't think you can request anything to be deleted. I don't think they consider you a person that they want to talk to, right? There you are not the customer. Thanks. Okay, the microphone there and there. So it seems that the immediate way to abuse these systems, like you said, with the abusing money and the mileage and so on, it seems that those paths are actually somehow monitored by airlines. So if I'm collecting miles on tickets not under my name, that would raise some flags. Do you think that's not the case?
Yes, I should have been more explicit how this attack works, the miles version. So of course you have to have an account in the same name as the person flying. So had this demo worked, you would now have a PNR for a lady, Carmen Sandiego. You can just go to Miles & More and create an account under that name. A lot of airlines, though, they also allow you to change your name, right? So you just change it whenever you found a round-trip Australia ticket, you change your name to whatever that target name is. And I know for a fact that people are doing that right now, not you guys, but even before, based on Instagram photos, right? So people are diverting miles by creating new accounts or by keep changing the names of the accounts. And yes, airlines do sometimes notice this, but only when it becomes excessive, right? And yeah, sure, that's their money. I just hope that it will become so excessive that it's such a big problem that it can't be ignored anymore, and then the privacy issues get fixed on the same token, where privacy is never enough to convince a big company, but if you throw in a little bit of fraud, it's maybe enough. Okay, one last question, microphone here. Hi Karsten, when people use like GDSs, they have this really archaic, they're not even, they're like actual terminals, not even pseudo terminals, and then they expose like these APIs so you could write your code in like Java or whatever. I'm wondering if there's research to be done at that level, or did you just not look at that, or is that just an area for the research? We did quite a bit, but we found no way of making that public in any way that wouldn't require a login from a travel agency and all of that good stuff, right? So I think the most I want to say about that is the logins that travel agencies have, they are terribly secured, but of course I can't encourage anybody to go out and hack them. But if you did and you had access, you would be logging into something that really looks like a terminal, and you'd be typing some
commands, and the next thing you know it throws a Java stack trace at you, right? So these just look like terminals. They have moved well beyond that while still maintaining this look and feel of a mainframe, and they're terribly insecure. So these stack traces, they just come left and right, even if you try to do the right thing, right? Thanks. Okay, we have one question from the internet. Somebody wants to know how do you avoid DDoSing those services when you just brute force the passengers, the booking numbers? Yeah, good question. Of course we don't want to hurt anybody, so we try to keep the rates low, and it turns out if you throw 20 Amazon instances at them they don't go down yet. And okay, thank you very much, Karsten and Nemanja.
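The two short-term controls the speakers ask for in the talk, rate limiting on the booking-lookup websites and an access log of who looked up which record, are shown below as an added defensive example. This is editor-written code, not code from the talk, from the GDSs or from any airline named above; the lookup endpoint, the window sizes, the reservation data and the IP addresses are all constructed for illustration. The guard limits attempts per source and failed attempts per last name over a sliding window, answers every non-success identically so the response does not confirm half of the authenticator, and writes every attempt to a log (with the locator hashed) that a detection function can later scan for brute-force patterns.

```python
"""Added defensive example (not from the talk): a booking-lookup guard that
applies rate limiting and keeps an access log, so brute-force attempts are
both slowed down and visible afterwards."""
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib

WINDOW_SECONDS = 600   # sliding window: ten minutes (constructed value)
MAX_PER_SOURCE = 20    # attempts of any outcome allowed per source IP per window
MAX_PER_NAME = 5       # failed attempts tolerated per last name per window


@dataclass
class AccessEvent:
    """One line of the access log. The locator is hashed so the log itself
    does not become a list of valid authenticators."""
    timestamp: float
    source_ip: str
    last_name: str
    locator_hash: str
    outcome: str  # "allowed", "denied" or "rate_limited"


class LookupGuard:
    def __init__(self, reservations):
        # reservations: {(LAST_NAME, LOCATOR): itinerary}; constructed sample data
        self.reservations = reservations
        self.per_source = defaultdict(deque)   # ip -> timestamps of attempts
        self.per_name = defaultdict(deque)     # last name -> timestamps of failures
        self.access_log = []

    @staticmethod
    def _prune(window, now):
        # Drop timestamps that fell out of the sliding window.
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def lookup(self, source_ip, last_name, locator, now):
        name = last_name.strip().upper()
        loc = locator.strip().upper()
        src_window = self.per_source[source_ip]
        name_window = self.per_name[name]
        self._prune(src_window, now)
        self._prune(name_window, now)

        if len(src_window) >= MAX_PER_SOURCE or len(name_window) >= MAX_PER_NAME:
            outcome, itinerary = "rate_limited", None
        else:
            src_window.append(now)
            itinerary = self.reservations.get((name, loc))
            if itinerary is None:
                outcome = "denied"
                name_window.append(now)   # only failures count against a name
            else:
                outcome = "allowed"

        self.access_log.append(AccessEvent(
            now, source_ip, name,
            hashlib.sha256(loc.encode()).hexdigest()[:12], outcome))
        # Every non-success yields the same generic (outcome, None) result, so
        # the response does not reveal whether the name or the locator matched.
        return outcome, itinerary


def suspicious_sources(access_log, threshold=10):
    """Detection over the log: sources with many failed or limited attempts."""
    failures = defaultdict(int)
    for ev in access_log:
        if ev.outcome != "allowed":
            failures[ev.source_ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def demo():
    """Constructed scenario: one legitimate traveler and two guessing sources."""
    guard = LookupGuard({("SANDIEGO", "ABC123"): "SXF-TSR"})   # placeholder record
    legit = guard.lookup("198.51.100.7", "Sandiego", "abc123", now=0.0)
    guesses = [guard.lookup("203.0.113.9", f"NAME{i}", "ZZZZZZ", now=float(i))
               for i in range(25)]
    same_name = [guard.lookup("203.0.113.10", "Smith", f"Q{i:05d}", now=100.0 + i)
                 for i in range(7)]
    return legit, [o for o, _ in guesses], [o for o, _ in same_name], guard.access_log


if __name__ == "__main__":
    legit, guesses, same_name, log = demo()
    print(legit, guesses.count("rate_limited"), same_name, suspicious_sources(log))
```

The per-name counter only counts failures, so a legitimate traveler who mistypes a locator a couple of times is not locked out, while a source cycling through many last names still hits the per-source ceiling; real deployments would back both counters with shared storage so that the limit holds across web nodes.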