Where in the World Is Carmen Sandiego?

Post on 01-Feb-2018



SRLabs, 2016

Where in the World Is Carmen Sandiego?

Karsten Nohl <nohl@srlabs.de>, Nemanja Nikodijević <nemanja@srlabs.de>


Global booking systems store data from airlines and passengers

Booking systems / GDS hold fares, availability, and reservations.

Booking agents (booking websites, travel agencies) create reservations.

Travel providers (airlines, hotels, car rental companies) update fares and change availability rules.


GDS store price and availability rules

Example fare rule: TAP (TP), OLDEUSTP, HAM to SFO

General notes: BASIC SEASON ECONOMY ONE WAY SPECIAL EXCURSION FARES. Between EUROPE and THE UNITED STATES. APPLIES FOR ONE WAY FARES.

Category 3: Seasonal restrictions. PERMITTED 01NOV THROUGH 15DEC OR 31DEC THROUGH 12MAY FOR EACH TRIP.

Category 4: Flight restrictions. IF THE FARE COMPONENT INCLUDES TRAVEL WITHIN EUROPE THEN THAT TRAVEL MUST BE ON ONE OR MORE OF THE FOLLOWING: ANY TP FLIGHT OPERATED BY TP …

(Fare rules and availability rules are both kept in the GDS.)


GDS also store reservations including personal information (Reservation / PNR)


Three GDS dominate the market

Booking agents (example): Expedia

GDS: Amadeus, Sabre, Galileo (now part of Travelport; not really used by airlines)

Airlines (examples): Air Berlin, Aeroflot, American Airlines, Lufthansa

Example: An American Airlines ticket booked through Expedia is kept in Amadeus and Sabre


Our research motivation: We were curious about the protection of passenger information

GDS may be insecure:
§ Booking systems (GDS) go back to the 70s and 80s
§ They were the first “cloud” before the term (or the Internet) existed
§ Can such systems have modern security?

GDS may be secure:
§ Passenger data has been in dispute between governments for years
§ Especially the EU expressed strong political will to protect traveler data

Which web service security basics are implemented in GDS?
§ Fine-grained access control ?
§ Strong authentication ?
§ Rate-limiting ?
§ Logging ?


GDS have very coarse access restrictions

PNR space: one PNR (which can include different airlines)
§ Airline staff can access all PNRs that are in any way connected to that airline
§ Booking agents can access any ticket connected to the agency
§ GDS staff can access all PNRs

Too much information:
§ The PNR includes all info from different providers (flight, hotel, car) for all providers to see
§ Includes payment information: address, credit card incl. expiry

Too much access: plenty of people have access to private booking details:
1. Employees of the travel agency/website that created the booking
2. Employees of the travel providers included on the PNR
3. Employees of any of the GDS involved in any part of the PNR, including external support companies
4. Allegedly the US DHS

Access control: Very little


Web service security basics: Are booking systems protected with basic security controls?
§ Fine-grained access control ?
§ Strong authentication ?
§ Rate-limiting ?
§ Logging ?


Authentication options range from weak to very weak

Login:
Agent → GDS: User: <Agent id>, pw: WS<DDMMYY>
Traveler → GDS: <Last name>, <Booking code>

Travel/airline agent access:
§ Traditionally over direct connections
§ Today as web service that connects over the open Internet
§ Passwords often terrible

Traveler access:
§ Forgot to assign usernames or passwords, oops!
§ Let’s use last name as username; and booking code/PNR locator as password
§ These “passwords” cannot be changed and are widely shared between operators

Authentication: Fail


PNRs can be gathered offline


PNRs can be gathered online (Instagram: travel details)


Travelers’ private information is accessible

Abuse scenarios: Flight theft, Mile diversion, Privacy intrusion (this slide), Phishing

PNR abuse: Anybody with access to the PNR locator (6-digit number) and last name can access:
§ Identity details; possibly including hotels and car rentals
§ Frequent flyer details
§ Contact information: phone number, e-mail address, often postal address
§ Often date of birth and passport details

Agents (or hackers) with direct GDS access also see:
§ Payment information: credit card # and expiry
§ IP address (if booked online)

Privacy intrusion: Last name, or a photo of a luggage tag or boarding pass → PNR brute force search → travel details, contact info → stalking, tracking


Fraudsters can possibly steal flights

Abuse scenarios: Flight theft (this slide), Mile diversion, Privacy intrusion, Phishing

§ Airlines typically only authenticate passengers with the PNR locator, even for ticket changes
§ Different airlines allow different actions:
– All allow date and flight changes (at least on some tickets)
– Few allow name changes
– Most allow some form of refund, often for a coupon

PNR abuse scenario: Brute force search tickets for common name → Select flexible ticket → then one of:
§ Change name, e-mail, and date
§ Change e-mail and date and take the flight (on an airline that does not check ID)
§ Refund for credit in PNR → Book new flight with credit
§ Refund for MCO* → Fly for free

* Miscellaneous charges order


Miles can be stolen, fully remotely

Abuse scenarios: Flight theft, Mile diversion (this slide), Privacy intrusion, Phishing

Mile diversion:
§ Adding a miles number (with the right name) to a booking diverts a victim’s miles
§ Miles can be redeemed for free flights, hotel nights, or gift certificates

PNR abuse scenario: Brute force search for common name → Select expensive tickets → Create miles account in passenger name → Add or change miles account in booking → Convert or redeem collected miles

Example: EU-Australia round-trip, first class: 10,000 miles × 2 × 3 = 60,000 miles ≈ 900 USD


All paths to a booking need to be secured

American Airlines asks for the first name; ViewTrip + TripCase provide an alternative path without the first name:
1. Brute-force PNR + last name on ViewTrip
2. Check details on TripCase


PNRs can be guessed

Guessability (sequential assignment, entropy) and brute-force susceptibility, per GDS:

Amadeus
§ Entropy 28.6 bits: 1st digit: 2-8, X-Z; 2nd: depends on 1st (38 of 340 combinations invalid); 2nd-6th: 2-9, A-Z
§ Airlines (examples): Lufthansa (standard: Captcha; mobile: max 30 rqs/IP), Air Berlin (max 1,000 rqs → Captcha)
§ GDS-provided: CheckMyTrip (classic: killed; current: ineffective Captcha, max 1,000 requests/IP)

Sabre
§ Entropy 28.2 bits: 1st-6th: A-Z (namespace split by airline)
§ Airlines (examples): American Airlines ✓ (asks for first name in addition), Aeroflot
§ GDS-provided: VirtuallyThere (direct PNR access for some airlines, e.g. Etihad; for others redirect to the airline website, e.g. AA, Aeroflot)

Galileo
§ Entropy 28.9 bits: 1st: 1-9, A-Z (except F-I, O, U, Y); 2nd-5th: 0-9, B-Z (except E, I, O, U, Y); 6th: 0-9, A-Z, but last bit ignored!
§ Airlines: not really used by airlines, but instead by booking agents
§ GDS-provided: ViewTrip

Asking for the first name helps against targeted privacy intrusion, but not against fraud.
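The entropy figures above follow directly from the per-position character sets. The following script, an added example rather than code from the SRLabs deck, computes the locator keyspace and its entropy from those rules and contrasts it with a random per-booking password of the kind the deck asks for. The Amadeus and Sabre results reproduce the slide's 28.6 and 28.2 bits. The slide's Galileo rules are abbreviated, so the alphabet used for Galileo here is one reading of them and is an assumption; it yields 28.6 bits rather than the slide's 28.9, the difference coming from how the abbreviated rule list is read, not from the method.

```python
"""Keyspace and entropy of PNR locators, computed from the per-position
character sets listed per GDS.  Added example, not SRLabs code.  The
Galileo alphabet is an assumed reading of the slide's abbreviated rules:
1st position 1-9 plus A-Z minus F,G,H,I,O,U,Y; 2nd-5th 0-9 plus B-Z minus
E,I,O,U,Y; 6th 0-9 and A-Z with the last bit ignored, i.e. 36 symbols
collapsing to 18 distinguishable values."""
import math
import string

DIGITS = string.digits
UPPER = string.ascii_uppercase


def alphabet(*parts, exclude=""):
    """Concatenate character ranges and drop the excluded letters."""
    return "".join(c for c in "".join(parts) if c not in exclude)


# Per-position alphabets.  'invalid_leading_pairs' removes first-two-
# character combinations the GDS never issues; 'last_bit_ignored' halves
# the number of distinguishable values in the final position.
RULES = {
    "Amadeus": {
        "positions": [alphabet("2345678", "XYZ")]
        + [alphabet("23456789", UPPER)] * 5,
        "invalid_leading_pairs": 38,          # 38 of the 10 x 34 = 340 pairs
    },
    "Sabre": {
        "positions": [UPPER] * 6,
    },
    "Galileo": {                              # assumed reading, see docstring
        "positions": [alphabet("123456789", UPPER, exclude="FGHIOUY")]
        + [alphabet(DIGITS, "BCDEFGHIJKLMNOPQRSTUVWXYZ", exclude="EIOUY")] * 4
        + [alphabet(DIGITS, UPPER)],
        "last_bit_ignored": True,
    },
}


def pnr_keyspace(gds):
    """Number of distinct locators the rule set for `gds` can produce."""
    rule = RULES[gds]
    sizes = [len(p) for p in rule["positions"]]
    if rule.get("last_bit_ignored"):
        sizes[-1] //= 2
    first, second, *rest = sizes
    total = first * second - rule.get("invalid_leading_pairs", 0)
    for n in rest:
        total *= n
    return total


def entropy_bits(keyspace):
    """Bits of entropy if a locator were drawn uniformly from `keyspace`
    values; sequential assignment makes the effective figure lower."""
    return math.log2(keyspace)


def random_secret_bits(length, alphabet_size):
    """Entropy of a random secret of `length` symbols drawn uniformly from
    `alphabet_size` symbols: the yardstick for 'passwords for bookings'."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for gds in RULES:
        n = pnr_keyspace(gds)
        print(f"{gds:8s} {n:>12,d} locators  {entropy_bits(n):.1f} bits")
    print(f"10-char random [A-Za-z0-9] password: "
          f"{random_secret_bits(10, 62):.1f} bits")
```

The comparison is the point of the exercise: every locator scheme lands near 28 bits, and that is an upper bound because the locator is also printed on bag tags and boarding passes and is issued sequentially by some GDS, whereas a ten-character random password already exceeds 59 bits and can be rotated.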


Data disclosure exposes travelers to targeted attacks

Abuse scenarios: Flight theft, Mile diversion, Privacy intrusion, Phishing (this slide)

Phishing:
§ Due to their sequential nature, fraudsters can find recently created PNRs
§ And then send very targeted phishing e-mails

PNR abuse scenario: Poll for common last name and recent PNRs (in a GDS where PNRs are sequential) → Fetch e-mail address from booking → Phish for frequent flyer login or credit card information

Example phishing e-mail (mock-up from the deck):

From: LH.com online@booking-lufthansa.com
Subject: Booking Details | Departure: 22 August 2016 | TXL-MUC | Reservation code: Z8JC8R
Date: August 7, 2016 at 18:55
To: BSCHLABS@GMAIL.COM

URGENT: Please update your payment information

Lufthansa booking code: 33C3PO
SANDIEGO / CARMEN MS
Miles & More: XXXXXXXXXXX0054
Ticket no.: 220-2376788232

URGENT NOTICE: Your payment has been rejected
IMPORTANT: The following transaction has been rejected, so we are unable to process payment for your trip to HAMBURG DE (HAM) on 31 December. Your reservation is currently ON HOLD FOR 24 HOURS. Please update your payment information to confirm your reservation.

Your itinerary
Sat. 31 December 2016: MUNICH DE - HAMBURG DE
LH2060 operated by: LUFTHANSA
07:00 h MUNICH DE MUNICH INTERNATIONAL (MUC) TERMINAL 2
08:15 h HAMBURG DE (HAM) TERMINAL 2
Status: confirmed  Seat: 03A*
Class/fare: BUSINESS (Z)
* Seat reservations are not binding and may be changed without notice in case of aircraft change.

Passengers
Passenger  Type    Price     Taxes, fees & surcharges
1          Adults  222.00 €  83.67 €
OPC  5.04 €
Total Price of your Ticket  305.67 €
Total Price for all Passengers  310.71 €

Passenger Information
Receipt and additional documents
NOTE: Your receipt for this itinerary cannot currently be provided. PLEASE UPDATE YOUR PAYMENT INFORMATION.
Option for download is valid up to 90 days after end of travel.

If you cannot view this e-mail properly, please open the attached PDF version. Do not reply to this e-mail.
Additional support is available via the FAQs.


Guessability issues are not limited to large GDS

SITA
§ Only 4 digits to guess, plus one digit for airline

Oman Air (Sabre), Pakistan International Airlines (Sabre)
§ Won the race for easiest guessability
§ Guess one city in itinerary instead of last name (Muscat, duh!)

RyanAir (Navitaire, an Amadeus subsidiary)
§ Uneven distribution makes it easier to guess PNR
§ Guess 4 credit card digits instead of last name

Other noteworthy systems we did not look at:
§ MACS (Emirates)
§ Troya (Turkish Airlines)
§ HP Shares (United, and others)


PNR access is not logged

Logging/accountability: Fail
§ For years, questions were raised over who is accessing PNRs
§ Until today, GDS providers refuse to log read access to this private data (write access has always been logged)
§ Can more research motivate finally adding logging and make transparent to travelers who accesses their information?


Web service security basics: Booking systems lack basic security controls
§ Fine-grained access control ?
§ Strong authentication ?
§ Rate-limiting ?
§ Logging ?


We need better protected booking systems

Coarse access control
§ In summary: A few global databases keep information on travelers, in systems that have grown for decades and now lack modern IT security
§ What we need: Limitations on which agents (and governments!) can access what information

Weak authentication
§ In summary: Passengers authenticate only with their last name and a low-entropy (often sequential) booking code, which is also printed on passes and tags
§ What we need: Passwords for bookings

Insufficient rate limiting
§ In summary: Numerous web interfaces permit brute-forcing of these booking codes, putting travelers’ privacy at risk
§ What we need: Minimum web service security for all exposed interfaces

No logging
§ In summary: Travelers will never know who accessed their information, since PNR access is intentionally not logged
§ What we need: Strict logging of any access to personal information
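To make the four "what we need" items concrete, here is a toy PNR lookup service, added as an illustration and not GDS or SRLabs code, that implements all of them in one place: each provider sees only its own segments of a booking, a traveler authenticates with a random per-booking password rather than the locator, every client IP is held to a sliding-window request cap, and every read attempt, including failures, lands in an audit log. The `PnrService` class, its actor tuples, the booking records, the IP addresses and the locator values are all constructed for the example.

```python
"""Minimal PNR lookup service with the controls the summary slide asks
for: per-party access limits, a real per-booking password, per-client
rate limiting and read-access logging.  Added illustration, not GDS or
SRLabs code; bookings, IP addresses and secrets are constructed."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class PnrService:
    def __init__(self, max_requests=30, window_seconds=60, clock=time.monotonic):
        self._bookings = {}                  # locator -> booking record
        self._secrets = {}                   # locator -> (salt, password hash)
        self._requests = defaultdict(deque)  # client ip -> request timestamps
        self.audit_log = []                  # every read attempt, incl. failures
        self._max = max_requests
        self._window = window_seconds
        self._clock = clock                  # injectable for deterministic tests

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def create_booking(self, locator, last_name, segments):
        """Store a booking and return a random per-booking password, so the
        locator (printed on tags and passes) is an identifier, not a secret."""
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._secrets[locator] = (salt, self._hash(password, salt))
        self._bookings[locator] = {"last_name": last_name, "segments": segments}
        return password

    def _rate_limited(self, client_ip):
        """Sliding window: at most max_requests per window_seconds per IP."""
        now = self._clock()
        window = self._requests[client_ip]
        while window and now - window[0] >= self._window:
            window.popleft()
        if len(window) >= self._max:
            return True
        window.append(now)
        return False

    def _log(self, actor, client_ip, locator, outcome):
        self.audit_log.append({"time": self._clock(), "actor": actor,
                               "ip": client_ip, "locator": locator,
                               "outcome": outcome})

    def read(self, actor, client_ip, locator, last_name=None, password=None):
        """Return the part of a booking `actor` may see, or None.  `actor` is
        ("traveler", None) or ("provider", <provider name>).  Every failure
        path returns the same None, so a caller cannot distinguish a wrong
        password from a locator that does not exist; the reason is recorded
        only in the audit log."""
        if self._rate_limited(client_ip):
            self._log(actor, client_ip, locator, "rate-limited")
            return None
        booking = self._bookings.get(locator)
        if booking is None:
            self._log(actor, client_ip, locator, "unknown-locator")
            return None
        kind, name = actor
        if kind == "traveler":
            salt, expected = self._secrets[locator]
            ok = (last_name == booking["last_name"] and password is not None
                  and hmac.compare_digest(self._hash(password, salt), expected))
            if not ok:
                self._log(actor, client_ip, locator, "bad-credentials")
                return None
            visible = booking["segments"]
        elif kind == "provider":
            # A provider sees only its own segments, never the whole PNR.
            visible = [s for s in booking["segments"] if s["provider"] == name]
            if not visible:
                self._log(actor, client_ip, locator, "not-on-booking")
                return None
        else:
            self._log(actor, client_ip, locator, "unknown-actor")
            return None
        self._log(actor, client_ip, locator, "read")
        return {"last_name": booking["last_name"], "segments": visible}


if __name__ == "__main__":
    svc = PnrService(max_requests=3)
    pw = svc.create_booking("Q1W2E3", "SANDIEGO", [      # constructed sample data
        {"provider": "AIRLINE-A", "flight": "XX100"},
        {"provider": "HOTEL-B", "nights": 2},
    ])
    print(svc.read(("traveler", None), "203.0.113.5", "Q1W2E3", "SANDIEGO", pw))
    print(svc.read(("provider", "HOTEL-B"), "198.51.100.7", "Q1W2E3"))
    for entry in svc.audit_log:
        print(entry["outcome"], entry["actor"], entry["ip"])
```

The audit log is the part the deck says real GDS still lack: it records reads, not just writes, and it records the failed attempts a brute-force run would generate, which is what makes the rate limit observable after the fact rather than only enforceable in the moment.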


Thank you!

Questions? Karsten Nohl <nohl@srlabs.de>, Nemanja Nikodijević <nemanja@srlabs.de>

Many thanks to Luca Melette, Sebastian Götte, and Patrick Lucey for making this research possible!

Thank you Ed Hasbrouck, Hendrik Scholz, and Seth Miller for very valuable feedback!