Passbook app exploit could allow hackers to fly for free

A security student has discovered a method to fly for free across Europe by generating fake boarding documents designed for Apple’s Passbook app.

An 18-year-old security student, Anthony Hariton (@DaKnObCS), from the University of Crete in Greece, has announced that next month he will present a technological trick to fly for free across Europe by generating fake boarding documents designed for Apple’s Passbook app.

Passbook is a popular iOS app designed by Apple that allows users to store boarding passes and much more, such as event tickets and coupons. Hariton will make his presentation at the next Hack in the Box conference on May 29th in Amsterdam.

Hariton revealed that he has discovered a way to deceive the ticket scanners used in airports to authorize boarding just before passengers step onto the aircraft.

Using CSS and specially designed JavaScript, the young student is able to create the boarding passes within a web browser. The generated tickets can then be passed to Apple Passbook through the common API available to the development community for building software that manages passes and interacts with Passbook.

In any airport, boarding personnel use gate scanners to match each passenger’s ticket against the airline’s departure database, a check intended to ensure that only legitimate passengers can fly on a specific aircraft.

The discovery made by Hariton is really alarming: anyone with knowledge of the bypass could take a plane from any airport located in the European Union and fly to a destination of their choice simply by creating a bogus boarding pass within Apple’s Passbook app.

“Airports have scanners at the boarding gates (and many are implementing these prior to security checks) whereby the data scanned is matched against the airlines’ departure control system to reconcile the passengers on board the flights against those booked on the flight,” International Air Transport Association communications officer Albert Tjoeng said. “In fact, following the introduction of bar coded boarding passes six years ago, airports have automated the reconciliation process of the boarding pass and the passenger list at the boarding gates.”

The only risk for infiltrators is being discovered when the aircraft they intend to board is fully booked, as Hariton explained:

“Currently, if you get into a completely booked flight and you have no place to sit, it will obviously be detected.”

The situation is even more worrying in the case of a blackout: in this scenario the operators revert to manual checks, which means there will be no possibility to verify every fake ticket.

Hariton expressed his disagreement with the International Air Transport Association’s response, remarking that the procedure adopted in European airports for checking passengers’ tickets is “malfunctioning” because they lacked “direct access to the airliner database”.
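The gate-side reconciliation discussed above, sketched as an added example (not code from the article or from any airline system): a scan is accepted only when it matches the airline's departure list, and the check falls back to a manual identity check instead of trusting the pass when that list is unreachable. The class, field names, flight number and sample manifest are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    BOARD = "board"
    REJECT = "reject"
    MANUAL_ID_CHECK = "manual_id_check"

@dataclass(frozen=True)
class Scan:
    """Fields read from a presented pass (hypothetical names)."""
    booking_ref: str
    flight: str
    seat: str
    surname: str

# Constructed sample departure list: booking_ref -> (surname, seat).
SAMPLE_MANIFEST = {"ABC123": ("DOE", "12A"), "XYZ789": ("ROE", "14C")}

class GateReconciler:
    def __init__(self, flight, manifest):
        self.flight = flight
        self.manifest = manifest      # None models a database outage
        self.boarded = set()

    def check(self, scan):
        if self.manifest is None:
            # Fail closed: without the departure list the pass proves nothing.
            return Decision.MANUAL_ID_CHECK, "departure list unavailable"
        if scan.flight != self.flight:
            return Decision.REJECT, "wrong flight"
        booked = self.manifest.get(scan.booking_ref)
        if booked is None:
            return Decision.REJECT, "no such booking on this flight"
        if (scan.surname.upper(), scan.seat.upper()) != booked:
            return Decision.REJECT, "pass does not match booking"
        if scan.booking_ref in self.boarded:
            return Decision.REJECT, "booking already boarded"
        self.boarded.add(scan.booking_ref)
        return Decision.BOARD, "ok"

if __name__ == "__main__":
    gate = GateReconciler("ZZ100", SAMPLE_MANIFEST)
    for s in (Scan("ABC123", "ZZ100", "12A", "Doe"),
              Scan("QQQ000", "ZZ100", "30F", "Smith"),
              Scan("ABC123", "ZZ100", "12A", "Doe")):
        print(s.booking_ref, *gate.check(s))
```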

While waiting for the official presentation at the conference, we should seriously consider this kind of threat. The increased adoption of technology in the civil aviation industry requires a constant improvement in cyber security; a flaw like this one could open the door to dangerous events, like a hijacking or any other terrorist attack.

Pierluigi Paganini

(Security Affairs –  Passbook app, hacking)
