Wednesday, December 17, 2014

Why the Delta BP “hack” isn’t a security risk

Earlier this week there was a lot of news about the Delta mobile boarding pass system was flawed or hacked and allowing travelers to display any boarding pass they wanted rather than just their own. Oopsie.


A sample Delta mobile boarding pass and Aztec barcode. Easy to decode, hard to forge

But, really, just oopsie. Yes, there is some theoretical privacy risk there where PNR data (including name and frequent flyer number) is visible. But it is not a security risk, despite the several claims I’ve read suggesting otherwise.

Let us assume, for the moment, that checking ID against the name on the boarding pass is a necessary part of the security process. Even if that were true this latest Delta situation does not actually increase any risk there. You may have read that the data in the barcode is stored in plain text. That is also true. It is easy to read what is there and, if so desired, to generate a new barcode with different data in it.

What is hard, however, is digitally signing the barcode with a valid signature. And every mobile boarding pass barcode is digitally signed. Which means you cannot just decode the barcode, alter the name, print yourself a new one and get through security. At least not with a mobile BP. (Note that this was not always the case.)

Take the sample boarding pass above. It has a passenger name and flight details encoded in it (Jane Smith is flying from LAX to ATL). But it also has a digital signature at the end.

  M1SMITH/JANE          EGY4HV2 ATLLAXDL 0110 293C06D 0001 10FDL004BI7HPF06DN4cMDYCGQCV40DTCPaG9CjVi90lLYENm1t3NhUBamcCGQDp15QB//VkMNaP65mNa6smF0XbdO35sGo=  

If you change the bits at the beginning then when it scans that hash won’t match and the TSA will know. The scanner beeps differently when that happens.

Here’s another boarding pass. This is a real one of mine from a trip earlier this year.


A United paper boarding pass printed at the airport. Also easy to decode.

And here’s what’s in the barcode:

  M1MILLER/SETHBRIAN    ED6**** LAXLASUA 1458 265F002F0016 15C>318 0 K4265BUA              2901624226****** UA UA ******37            *30600    09  UAG  

I’ve redacted it a bit but the important part to notice is that it is not digitally signed. It does not have the hash of text at the end. And none of this is particularly secret. The format for the contents of the barcode is a spec published by IATA.

Don’t get me wrong: it absolutely is possible to forge a boarding pass and not all of the barcodes are digitally signed. But it is also relatively trivial to get a fake ID or otherwise get past the TSA checkpoint.

This Delta SNAFU is a bit embarrassing for the company and may have exposed more personal information than they should have. But it is not a security risk. And, yes, there’s a difference.

Related Posts:

The post Why the Delta BP “hack” isn’t a security risk appeared first on Wandering Aramean.

No comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...