December 31, 2016
In a word Yes!
GDS and airline PSS systems are based on old technology in fact so are many other travel systems including Hotel reservation system. Indeed there are many systems out there which can be hacked. Although the systems have been updated since then – many times – some things have not been touched, and for airlines the core security of the technology remains the same.
At this point I need the reader to understand that I am not going to reveal the ways in which the hack took place. I have to be careful in writing this piece not to reveal how many different ways that the hacks have occurred. Suffice to say that EVERY SYSTEM unless it is air gapped is vulnerable to a determined and organized hacking group. Nothing is 100% safe. Guess what older technologies tend to have more flaws as they were designed for different times.
So what is all the fuss about? A German so called White Hat Hacking Group called – SR Labs claims to be able to hack into airline systems and do things that perhaps they should not be able to do. Two media outlets are reporting this to be the case. The BBC actually witnessed one of the hack. Fortune Magazine also observed this. Further if you want to follow the Annual Hackers Convention (Officially its sponsored by the Hamburg based Hacking Group: Chaos Computer Club) You can follow their blog here. A command of German or Google Translate may be useful! There will be further announcements coming. Another article (this time in Dutch) talks through the story as the perils of using Instagram and putting in your Boarding Pass and QR codes to match.
Normally I should be applauding the exposure of this exposure that the GDSs and the airlines are showing their vulnerability. The usual players have come out and denounced the airlines as being bad people and their technologies as being further either stupid and having no security. So the Gnomes of VaultPAD thought it would be good to examine the issue and address the impact.
As we have indicated many times – Airline and GDS systems are built on legacy designs dating from the 1950s. They are largely constructed on a message based technology architectures. That makes them by definition susceptible to a modern hack. Does that mean that there is a real risk that everyone should be worrying about? I really deplore people who claim to be “White Knight” hackers. In my personal opinion all hacking is bad – by definition there can be no “Good Hacking”. That is a personal opinion – you should draw your own conclusions on the subject. Suffice to say one has to be very wary around any form of hacking.
Let’s break the structure of the hack down into smaller chunks. I am going to walk through the major areas of vulnerability. Consumer access, Application Access, Communications Access and finally issues in creating a Trojan Horse access.
At the lowest level, there are access links via passwords. These are pretty much the same vulnerability that exists for any other system. One key issue is that the frequency of use means that there are a lot of people (the author included) who cannot remember the various passwords and password conventions that exist for sites that we need to access. So the utility of passwords is horrid. Then once in – what can can a hacker do? Well you can hurt the person whose account that has been hacked. That is singular. Can the hacker then cause havoc one the link has been established? This is probably where both the hackers and the writers have failed to grasp some of the concepts of the way PSS and GDS systems actually work.
At the next level bypassing the consumer’s security the next question for hackers is can one access any random person’s PNR just by guessing or brute force the 6 alphanumeric PNR Record Locators? Most airlines and travel sites have addressed with 2 stage (in some cases even more) authentication. Interestingly many of us are already using 2D and 3D Bar Codes and storing them happily on our phones (see the Dutch article above). The ability to gain access to an aircraft can be compromised. Again this is a risk that has been identified and in general many places have this secured. I can identify one country where the security protocols could cause an issue. That is Australia where no ID is required for Domestic travel. That issue however can be compromised in many other ways so it is not the fault of the PSS.
For the communications possibility – many things are possible via IP based networks. One of the reasons the traditional travel systems were secured was based on the way they were constructed. The systems were originally designed to operate on totally closed networks proprietary to specific vendors. Many of these were polling based which by definition had packets of data passing by several network which could be read in the clear using tools as simple as a protocol analyzer. It was simple and very effective going back to the days tht any data network was a very expensive proposition. You can still buy one of these machines on eBay (if you know how to use it!) Actually I feel pretty safe since these networks (and the equipment needed to monitor it) are mostly gone.
Finally can anyone place Trojan horse type back doors into the airline or GDS system. Fortunately there is a completely different set of security that protects that. Again this is not infallible. But it will be hard to create a way to bypass the security and have open access to all system including payment etc. Good luck trying to make sense of the core mainframe based systems and their subsystems – the people are mostly dead or like me old and decrepit!
This year there were several major events when whole (GDS and PSS) systems were brought down not by hacking but by simple system flaws with a major impact. I suggest going back and re-reading an article in wrote in TNooz.
I don’t want to paint too rosy a picture. It is not as good as it could be. There are many challenges. It is very clear that we need a new generation of systems. The needs for product service and customer service are long overdue. Add the risk of increased possible security violations and you can see that the need is becoming acute. IE that need is becoming more pressing as each day passes. Just because the industry was well served using this old legacy technology does not preclude the need for bringing in newer and more modern systems WITH better security. In my eyes – this does need to happen – and soon. If this is another kick to get that change to take place and that the industry and the consumers can be freed from the mounting risk – that is a good thing. However just one word of caution. But as I hope you will consider this adage: Be careful what you wish for.