Airlines expose boarding pass data

The check-in links sent to customers by several airlines could be useful for various hacking activities, warn experts

Ethical hacking and network security specialists from the International Institute of Cyber Security report that links sent by airlines such as Air France, used for the electronic issuance of airline tickets, do not have any kind of protection. These links, sent by SMS or by email, are used to start the registration process on a flight (check-in). 

Further research revealed that these unsecured links are also sent by other relevant airlines such as Southwest in the U.S., KLM in Holland, Air Europa in Spain and Thomas Cook in the UK.

Network security specialists say the main problem is that the airlines send these links to customers using the HTTP protocol instead of HTTPS, its secured version.

These links include data such as the origin and destination of the flight, and even the full name of the passenger. Companies use this data to identify passengers and provide access to more details about their flights.

An attacker capable of intercepting a user’s traffic, for example through a public WiFi network, can extract this information and use it to access the user’s online billing page.

The online billing page for each airline varies, but in general you can find user data such as:

  • Full Name
  • Email Address
  • Passport Information
  • Nationality
  • Telephone numbers
  • Flight details

Attackers might even make some changes to the information provided by legitimate users on the billing page.

“Boarding procedures vary from one airport to another and can be more or less safe. The most troubling thing in this case is that a hacker might even try to address a user-programmed flight”, network security experts reported. 

Recently, a man travelling from the UK to Poland boarded the wrong plane and ended up in Malta; the passenger’s ticket was for Poland, so the incident raised alarm about the airline’s boarding systems.

Specialists consider that airlines should encrypt communications during the check-in process and add further authentication steps to restrict access to users’ personal information.
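As an added example (not from the original report or from any airline's code), the sketch below shows how a security team could audit outgoing check-in notifications for the two problems described above: links that use plain HTTP, and passenger identifiers embedded in the URL where they act as the only credential. The parameter names, the `audit_message` function and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical parameter names; real airline links use their own.
SENSITIVE_PARAMS = {"name", "firstname", "lastname", "surname", "pnr",
                    "bookingref", "origin", "destination", "from", "to"}
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def audit_message(body):
    """Return a list of (url, findings) for each risky link in a message body."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        parts = urlsplit(url)
        findings = []
        # Problem 1: the link travels and is opened in cleartext.
        if parts.scheme.lower() != "https":
            findings.append("cleartext-http")
        # Problem 2: passenger data in the query string identifies the
        # traveller without any further authentication step.
        exposed = sorted({k.lower()
                          for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                          if k.lower() in SENSITIVE_PARAMS})
        if exposed:
            findings.append("passenger-data-in-url:" + ",".join(exposed))
        if findings:
            results.append((url, findings))
    return results


# Constructed sample messages (not real airline traffic).
SAMPLES = [
    "Check in now: http://checkin.airline.example/ci?pnr=ABC123&lastname=DOE&origin=LHR&destination=WAW",
    "Check in now: https://checkin.airline.example/ci?token=9f2c1e",
    "Your flight: https://checkin.airline.example/ci?pnr=ABC123&lastname=DOE.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for url, findings in audit_message(msg):
            print(url, "->", "; ".join(findings))
```

The third sample is flagged even though it uses HTTPS, because the identifiers in the link would still grant access to whoever obtains the URL.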

“We are almost 100% sure that these vulnerabilities are present in multiple airlines,” says Michael Covington, a cybersecurity specialist. “We have notified some airlines and we have received reports that they have initiated internal investigations. Still, we can say that some of the electronic check-in systems on different airlines keep on exposing their users’ information”, added the expert.