As the head of Poland’s Computer Emergency Response Team, Przemek Jaroszewski flies 50 to 80 times a year, and so has become something of a connoisseur of airlines’ premium status lounges. (He’s a particular fan of the Turkish Airlines lounge in Istanbul, complete with a cinema, putting green, Turkish bakery and free massages.) So when his gold status was mistakenly rejected last year by an automated boarding pass reader at a lounge in his home airport in Warsaw, he applied his hacker skills to make sure he'd never be locked out of an airline lounge again.
The result, which Jaroszewski plans to present Sunday at the Defcon security conference in Las Vegas, is a simple program that he's now used dozens of times to enter airline lounges all over Europe. It's an Android app that generates fake QR codes to spoof a boarding pass on his phone's screen for any name, flight number, destination and class. And based on his experiments with the spoofed QR codes, almost none of the airline lounges he's tested actually check those details against the airline's ticketing database—only that the flight number included in the QR code exists. And that security flaw, he says, allows him or anyone else capable of generating a simple QR code to both access exclusive airport lounges and buy things at duty free shops that require proof of international travel, all without even buying a ticket.
Fake boarding passes are hardly a new hacker trick. Cryptographer Bruce Schneier wrote about the technique to make them back in 2003 and privacy activist Chris Soghoian was investigated by the FBI for creating a website that automatically generated the fake passes. But Jaroszewski's Defcon talk is intended to point out that even now, a decade later, the boarding pass security issue persists, and in some ways is easier than ever to exploit thanks to airports' use of automated QR-code readers. "Literally, it takes 10 seconds to create a boarding pass" on a smartphone, says Jaroszewski. "And it doesn’t even have to look legit because you’re not in contact with any humans."
In the video below, Jaroszewski shows how he enters fake credentials into his app—his go-to pseudonym is Bartholomew Simpson—generates a QR code for a boarding pass with them, and uses it to bypass a QR-code-checking gate and enter the Turkish Airlines Istanbul lounge.
https://www.youtube.com/watch?v=7829-HtV3uo&feature=youtu.be&t=54s
Jaroszewski admits he hasn't tested the trick outside of Europe, and he's not sure how often it would work in American airports, which may sometimes use improved boarding pass authentication systems at lounges. He's also never used the trick to attempt to fly under a false name, a more serious stunt he says would likely be foiled by more stringent checks at the departure gate. Jaroszewski's trick doesn't represent much of a real security risk, either. Anyone who uses it would still have to go through physical security, including metal detectors or millimeter wave scanners, so it would probably not work to enter an airport without a real boarding pass. Its real utility lies simply in accessing elite areas within an airport, not in attacking one or getting onto a plane.
WIRED reached out to both the TSA and the International Air Transport Association (IATA) for comment, and both said any such boarding pass security flaw would be the airlines' issue. "A forged BCBP will not entitle the person carrying it with any right to travel, nor will it create any confusion with an airline’s system where the official information is stored," cautioned the IATA. A spokeperson for the airline industry group Airlines for America wrote to WIRED in a statement that "airlines are constantly looking at new and emerging technologies designed to enhance the customer experience, while ensuring well-defined security measures and best practices are in place."
In the European airports where Jaroszewski has tried his technique, he says he's never even used his fake QR codes to access a lounge he didn't already have the right to access, or to buy duty free goods when he wasn't traveling internationally; he warns those two actions would likely be illegal. Even so, he's successfully tested his fake QR codes repeatedly with only a few failures. And he admits he once even used his program to create a QR code for a friend who didn't share his elite airline status when they had a 7-hour layover in Istanbul, so that both of them could hang out in Turkish Airlines’ swanky lounge. “I just said, I’ll send you the QR code,” Jaroszewski says carefully. “If you want to use it, you use it.”
Jaroszewski isn't publicly releasing his boarding pass QR code spoofing software. He says he'd rather avoid the FBI raid and investigation that followed Chris Soghoian's release of a similar tool 10 years ago. But he argues it would be "very easy" for motivated hackers to recreate the app, which he says consisted of about 500 lines of javascript. For a hacker willing to do a little coding—and illegal trespassing—it may offer a chance to score a small, subversive win against the global frequent-flying elite.
