Hacker holds key to free flights
Claims to generate boarding passes with Apple Passbook.
A security boffin claims to have developed a method to score free flights across Europe by generating fake boarding passes designed for Apple's Passbook app.
AnthonyHariton, an 18 year-old computer science undergrad from the University of Crete in Greece, gave a sneak peek into his upcoming presentation on the topic at the Hack in the Box conference on May 29 event in Amsterdam.
Hariton (@DaKnObCS) revealed a bypass he claims to affect the ticket scanners used before passengers step onto the jetway to board a plane.
Anyone with knowledge of the bypass can board a plane from a European Union airport to a destination of their choice by creating a fake boarding pass within Apple's Passbook app, he said.
The feat, the efficacy of which cannot be verified directly by SC Magazine, has stumped Europe's aviation authority. The boarding gate scanners should reconcile a passengers' ticket with the airline's departure database to ensure only legitimate passengers board.
“Airports have scanners at the boarding gates (and many are implementing these prior to security checks) whereby the data scanned is matched against the airlines’ departure control system to reconcile the passengers on board the flights against those booked on the flight," International Air Transport Association communications officer Albert Tjoeng said.
"In fact, following the introduction of bar coded boarding passes six years ago, airports have automated the reconciliation process of the boarding pass and the passenger list at the boarding gates."
And if that system were to black out, operators revert to manual checks. All of this means the boarding gate is the end of the road for fake tickets.
But Hariton dismissed the agency's response.
He said the model used in all EU airports to check the validity of tickets was "malfunctioning" noting they lacked "direct access to the airliner database", but wouldn't be drawn on whether he tested his research by boarding a flight.
Hariton said he developed a 'simple' technique to produce the boarding passes using CSS and JavaScript within a web browser.
The tickets could be passed to the Apple Passbook using an application programming interface built to allow software developers to pass tickets and coupons to the app.
Passengers with phony passes in hand only run the risk that the aircraft they intend to board may be fully booked, the hacker said.
"Currently, if you get into a completely booked flight and you have no place to sit, it will obviously be detected," he said.
