Skip to content

Posts from the ‘Hospitality’ Category

Can GDS Systems Really Be Hacked? The Answer should not surprise you.

December 31, 2016


In a word Yes!

GDS and airline PSS systems are based on old technology in fact so are many other travel systems including Hotel reservation system. Indeed there are many systems out there which can be hacked. Although the systems have been updated since then – many times – some things have not been touched, and for airlines the core security of the technology remains the same.

At this point I need the reader to understand that I am not going to reveal the ways in which the hack took place. I have to be careful in writing this piece not to reveal how many different ways that the hacks have occurred. Suffice to say that EVERY SYSTEM unless it is air gapped is vulnerable to a determined and organized hacking group. Nothing is 100% safe. Guess what older technologies tend to have more flaws as they were designed for different times.

So what is all the fuss about? A German so called White Hat Hacking Group called – SR Labs claims to be able to hack into airline systems and do things that perhaps they should not be able to do. Two media outlets are reporting this to be the case. The BBC actually witnessed one of the hack.  Fortune Magazine also observed this. Further if you want to follow the Annual Hackers Convention (Officially its sponsored by the Hamburg  based Hacking Group: Chaos Computer Club) You can follow their blog here. A command of German or Google Translate may be useful! There will be further announcements coming.  Another article (this time in Dutch) talks through the story as the perils of using Instagram and putting in your Boarding Pass and QR codes to match.

Normally I should be applauding the exposure of this exposure that the GDSs and the airlines are showing their vulnerability. The usual players have come out and denounced the airlines as being bad people and their technologies as being further either stupid and having no security. So the Gnomes of VaultPAD thought it would be good to examine the issue and address the impact.

As we have indicated many times – Airline and GDS systems are built on legacy designs dating from the 1950s. They are largely constructed on a message based technology architectures.  That makes them by definition susceptible to a modern hack. Does that mean that there is a real risk that everyone should be worrying about? I really deplore people who claim to be “White Knight” hackers. In my personal opinion all hacking is bad – by definition there can be no “Good Hacking”. That is a personal opinion – you should draw your own conclusions on the subject. Suffice to say one has to be very wary around any form of hacking.

Let’s break the structure of the hack down into smaller chunks. I am going to walk through the major areas of vulnerability. Consumer access, Application Access, Communications Access and finally issues in creating a Trojan Horse access.

At the lowest level,  there are access links via passwords. These are pretty much the same vulnerability that exists for any other system. One key issue is that the frequency of use means that there are a lot of  people (the author included) who cannot remember the various passwords and password conventions that exist for sites that we need to access. So the utility of passwords is horrid.  Then once in – what can can a hacker do? Well you can hurt the person whose account that has been hacked. That is singular. Can the hacker then cause havoc one the link has been established? This is probably where both the hackers and the writers have failed to grasp some of the concepts of the way PSS and GDS systems actually work.

At the next level bypassing the consumer’s security the next question for hackers is can one access any random person’s PNR just by guessing or brute force the 6 alphanumeric PNR Record Locators? Most airlines and travel sites have addressed with 2 stage (in some cases even more) authentication. Interestingly many of us are already using 2D and 3D Bar Codes and storing them happily on our phones (see the Dutch article above). The ability to gain access to an aircraft can be compromised. Again this is a risk that has been identified and in general many places have this secured. I can identify one country where the security protocols could cause an issue. That is Australia where no ID is required for Domestic travel. That issue however can be compromised in many other ways so it is not the fault of the PSS.

For the communications possibility – many things are possible via IP based networks. One of the reasons the traditional travel systems were secured was based on the way they were constructed. The systems were originally designed to operate on totally closed networks proprietary to specific vendors. Many of these were polling based which by definition had packets of data passing by several network which could be read in the clear using tools as simple as a protocol analyzer. It was simple and very effective going back to the days tht any data network was a very expensive proposition. You can still buy one of these machines on eBay (if you know how to use it!) Actually I feel pretty safe since these networks (and the equipment needed to monitor it) are mostly gone.

Finally can anyone place Trojan horse type back doors into the airline or GDS system. Fortunately there is a completely different set of security that protects that. Again this is not infallible. But it will be hard to create a way to bypass the security and have open access to all system including payment etc. Good luck trying to make sense of the core mainframe based systems and their subsystems – the people are mostly dead or like me old and decrepit!

This year there were several major events when whole (GDS and PSS) systems were brought down not by hacking but by simple system flaws with a major impact. I suggest going back and re-reading an article in wrote in TNooz.

I don’t want to paint too rosy a picture. It is not as good as it could be. There are many challenges. It is very clear that we need a new generation of systems. The needs for product service and customer service are long overdue. Add the risk of increased possible security violations and you can see that the need is becoming acute. IE  that need is becoming more pressing as each day passes. Just because the industry was well served using this old legacy technology does not preclude the need for bringing in newer and more modern systems WITH better security. In my eyes – this does need to happen – and soon. If this is another kick to get that change to take place and that the industry and the consumers can be freed from the mounting risk – that is a good thing. However just one word of caution. But as I hope you will consider this adage: Be careful what you wish for.



Mobile Web – Frustration or Paradise?

February 17, 2013


Way back in the 1990s the world’s first true global roaming phone was the Motorola Timeport. I recall one of my colleagues at the time was SO frustrated with the experience that he went home one day and got a hammer and nail and drove a stake through the heart of the errant device.

Have things improved lately?

Well according to most surveys despite the wonderful projections of how we are all going to be mobile in just a few years – there is a very strong undercurrent of dissatisfaction with Mobile based applications and the Mobile web in general.

The Mobile Experience is almost universally a compromise – and frequently not a good one at that. A 2011 Survey by Modapt, Inc. and Morrissey & Company suggested users are frustrated with Mobile Web experience. In this survey the majority of respondents were Smart Phone users. This would tend to indicate that the users were early adopters and savvy technology users. Yet their responses were not that happy.

  • While 95% of respondents reported using advanced smartphones, more than 86% found their mobile browsing experience to be either ‘okay’ or ‘frustrating’.
  • The Big 3 of user frustration are: slow downloads 40%, Difficult to navigate 40%, and Hard to find/read information 20%
  • Nearly one-half (48%) of smartphone users never make purchases via mobile

In a similar study published in August 2012 that confirmed the early results.  Keynote Competitive Research studied mobile behaviour from a much broader sample of US users. The study showed that 60% of tablet users expect to wait less than three seconds to get to a website, while 48% of PC Web users want download speeds faster than two seconds. Smartphone users also have high expectations, with 64% wanting a website to load within 4 four seconds and 82% of respondents wanting the website to load within five seconds. Even more startling is that 16% of users will not return to a site if it takes longer than six seconds to load, with 6% of users opting instead for competitor websites.

While Apps have created small specific applications – the explosive growth of the App market has created a number of cascading problems. Already we have the usual types of problems. Phantom downloads, poor search and even worse badly written Apps. As the barrier to entry is so low – almost everyone has been encouraged to enter the mobile web. This has created a cottage industry of plain awful App writers. Poor security (both with data and just in general) has created an opportunity for a new breed of hackers to steal your data. With Apple’s Passbook now a fixture in the iOS world – there are clear indications that the back door entry into your personal data from badly designed Apps (as well as Apple’s low barrier to certification processes) are going to result in security breaches. We just haven’t seen them – yet. From the Modapt study, Not surprisingly, fully one-half (50%) of smartphone users say they feel less secure about paying for something via mobile browser than desktop browser.

Another big issue is the nature of both Wifi and Cellular data based performance from the network. Wifi 802.11ac performance is now acceptable for most data applications but frequently the problem is not in the local network but in the backbone. The expectation of free wifi that most users have is now tempered with smart acces points having dual speeds. Crippled and OK. Crippled are free, OK is if you pay a premium.But we are to blame as well. Count the number of Wifi enabled devices you have. And then try and turn them on at the same time in a hotel or airport. Even a few years ago I was in a leading e-commerce player in a major market and was appalled to learn that their backbone to the web was not even a 56K circuit, yet they had hundreds of users in their environment. Cellular data performance is just plain awful for data. I have used extensively iOS, Android and Blackberry data devices using Cellular connections around the world. Frankly they all suck.

And then there is the cost. Several times in my speaking engagements I have asked the audience to honestly admit (of those who data roam) if they have ever left their data circuits on and received a large bill. go on admit it – you have too! (Oh yes and I do it frequently. Mostly because I am lazy or just forgetful.)

Consumer expectations and network performance are clearly in a state of dissonance.

Actually i am pessimistic about the network speed issue. 4G LTE the standard of choice for mobile data via cellular is not that much of a performance bump from 3G. Sadly APP and Mobile Web providers have chosen to take advantage of the speed to bulk up their offerings instead of allowing lighter applications to prevail and for the users to get real speed.

Nothing can be more frustrating for a user that to show up while data roaming and seeing a little notice that says. Download our App and get better access faster. In your head you calculate that the downloading the App will cost about $25 and so you wait in line… now even madder than you were before you saw that little sign. And its not just the consumers who are frustrated. Kayak recently abandoned its relationship with one of the current darlings of the Mobile Web. GetyourGuide. Further I have spoken to many players who have spent large amounts of money developing web applications only to be very frustrated with the results. Typical complaints are:

  • Poor adoption
  • Low usage
  • High costs

Google – with so much vested in mobile (not necessarily in mobile e-commerce (MCommerce) have some good advice for you. They even have a website to help you Go Mobile.

Mobile providers – networks and application systems need to up their game. There is just too much crap out there and that has to change.