Gone are the times of arriving at the airport several hours early to stand in line for as long as it takes, hoping to get the seat of your choice printed on your boarding pass. It’s the time of E-tickets and E-lanes, where everything is online, everything is done in advance, and everything is quick and smooth on the day of your travel. Security firm Wandera reports, though, that there is a crippling security flaw in the way many popular airlines carry out their online ticketing and check-in, and this vulnerability could put you and your information at risk.
Concerns rose when a man travelling from the UK was recently transported to Malta instead of his desired destination of Poland. Somewhere between ticketing, check-in, and boarding, this man managed to get on the wrong plane and end up in an unintended location, which raises the question of how this was possible and what it means for air safety if the check on who’s going where is this minimal.
Southwest. Air France. KLM. Vueling. Jetstar. Thomas Cook. Transavia. Air Europa. How many of these airlines have you traveled with? It seems that the one thing all of these airlines are doing wrong is putting their customers at risk. All of the aforementioned airlines are sending out check-in links to travelling passengers without proper (well… any) encryption. Any ill-intentioned middleman on the network can intercept these emails, thereby gaining the power to change the details of your travel or, worse yet, getting clear and unfiltered access to your private information: everything from your name and date of birth to passport, photographs, record locator, and identification information.
Wandera’s Vice President of Product, Michael Covington, spoke with eWEEK, saying that their “… researchers observed unencrypted network traffic going to airline servers that was consistent with sensitive content. Upon further investigation, we found that this data—suspicious parameters on a URL string—was actually being used to transparently authenticate the user into the e-ticketing website.”
Let’s just take a thought stroll through how bad this could really get. You can decide what’s worse: your long-awaited vacation plans getting cancelled (and potentially refunded into another person’s account), or someone with dangerous intent being able to board the plane with limited or forged checks at ticketing and check-in. This person may be able to cause a state of emergency mid-air on the flight that you’re on. With access to your information, someone can also impersonate you via the digital check-ins and rely on your identity to commit a felony or act of terrorism. We don’t know yet if any such checks have been bypassed or misused with malicious intent in the past. It may have in fact already happened or perhaps crossed someone’s mind in the past, but that being said, there’s a first time for everything, and we’re better safe than sorry. (That’s a lot of clichés in just one sentence, but don’t let that distract you from the gravity of this situation.)
As any responsible security firm does, Wandera informed the respective airlines of this flaw in December of last year and January of this one. They’ve all taken notice and are expected to be working on rolling out security solutions for this vulnerability, but unfortunately there isn’t any way for researchers to keep tabs on this process and ensure that the correct protocol is put into action to resolve the security concern. Perhaps it would have been beneficial for the companies to take test researchers on board to validate their implementations, but it seems that they all chose to keep the discussion quiet as they worked on it internally.
The suggested solutions start with, well, encryption. These links should always have been encrypted, and it’s beyond me why such carelessness occurs in the first place. Secondly, single-use passwords or two-step authentication measures add a step that ensures the intended recipient is the one using the links, by verifying through his or her phone number or email. On the customer end of things, we should always be wary of where we access such links. Avoid opening them on public networks and devices, and log out after use wherever you have logged in.
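The two server-side suggestions above can be combined in the check-in link itself. The following sketch is an added example, not code from Wandera or any airline: it issues an HTTPS link whose only parameter is a random single-use token, so no passenger data appears in the URL. The hostname, the parameter name `t`, the class name and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (not from the article): hostname, parameter name "t", 15-minute lifetime.
BASE_URL = "https://checkin.airline.example/start"
TTL_SECONDS = 15 * 60


class CheckinLinkStore:
    """In-memory stand-in for the server-side table of outstanding links."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # sha256(token) -> (booking_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, booking_id):
        """Return an HTTPS link whose only parameter is a random token."""
        token = secrets.token_urlsafe(32)  # 256 bits, no passenger data
        self._tokens[self._digest(token)] = (booking_id, self._now() + TTL_SECONDS)
        return f"{BASE_URL}?{urlencode({'t': token})}"

    def redeem(self, url):
        """Return the booking id once; None if reused, expired or sent in clear."""
        parts = urlsplit(url)
        token = parse_qs(parts.query).get("t", [""])[0]
        # pop() burns the token on every attempt, including failed ones.
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None or parts.scheme != "https":
            return None  # unknown, already used, or exposed over plain HTTP
        booking_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return booking_id
```

Redeeming the link only identifies the booking; the two-step verification mentioned above would follow before any passenger details are shown or changed.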
Covington believes that this vulnerability does not wholly stem from the unencrypted check-in traffic but is also heavily dependent upon the general trend of using online check-ins as opposed to on-the-ground checks, which may prioritize ease over concrete security. Also note that many airlines use the same basic infrastructure or service to run their online operations. This invites malicious minds to exploit the newfound vulnerability, so the first measures of protection start with ourselves while we wait for the airlines to ensure that protocol on their end is kept strict.