
Passbook app exploit could allow hackers to fly for free


A security student has discovered a method to fly for free across Europe by generating fake boarding documents designed for Apple’s Passbook app.

An 18-year-old security student, Anthony Hariton (@DaKnObCS), from the University of Crete in Greece, has announced that next month he will present a technique to fly for free across Europe by generating fake boarding documents designed for Apple’s Passbook app.

Passbook is a popular app designed by Apple for iOS that allows users to store boarding passes and much more, such as event tickets and coupons. Hariton will make his presentation at the next Hack in the Box conference on May 29th in Amsterdam.

Hariton revealed that he has discovered a way to deceive the ticket scanners used in airports to authorize boarding just before passengers step onto the aircraft.


Using CSS and specially designed JavaScript, the young student is able to create the boarding passes within a web browser. The generated tickets can then be passed to Apple Passbook through the common API that is available to the development community for building software that manages pass tickets and interacts with Passbook.

In any airport, boarding personnel use gate scanners to associate each passenger’s ticket with the airline’s departure database, a check meant to ensure that only legitimate passengers can fly on a specific aircraft.

The discovery made by Hariton is really alarming: anyone with knowledge of the bypass can take a plane from any airport located in the European Union and fly to a destination of their choice simply by creating a bogus boarding pass within Apple’s Passbook app.

“Airports have scanners at the boarding gates (and many are implementing these prior to security checks) whereby the data scanned is matched against the airlines’ departure control system to reconcile the passengers on board the flights against those booked on the flight,” International Air Transport Association communications officer Albert Tjoeng said. “In fact, following the introduction of bar coded boarding passes six years ago, airports have automated the reconciliation process of the boarding pass and the passenger list at the boarding gates.”

The only risk for infiltrators is being discovered when the aircraft they intend to board is fully booked, as explained by Hariton:

“Currently, if you get into a completely booked flight and you have no place to sit, it will obviously be detected.”

The situation is even more worrying in the case of a blackout: in this specific scenario the operators revert to manual checks, which means that there will be no possibility of verifying every fake ticket.

Hariton expressed his disagreement with the International Air Transport Association’s response, remarking that the procedure adopted in European airports for checking passengers’ tickets is “malfunctioning” because they lacked “direct access to the airliner database”.
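The gap between a gate that only checks that a pass is well formed and one that reconciles each scan against the departure control system, including a fail-closed fallback for the blackout case, can be sketched as follows. This is an added example, not code from the article or from Hariton's research; the record layout, field names, flight number and manifest are constructed, and one passenger per booking reference is assumed.

```python
from dataclasses import dataclass, field

# Constructed sample data: "PNR|FLIGHT|SEAT|NAME" is a simplified layout, not a real barcode format.
MANIFEST = {"ABC123": ("DOE/JANE", "12A")}      # booking reference -> (name, seat) from the DCS
GENUINE = "ABC123|XX100|12A|DOE/JANE"
FORGED = "ZZZ999|XX100|14C|ROE/RICHARD"         # well formed, but never booked

def parse_pass(raw):
    """Return the scanned fields, or None if the record is not well formed."""
    parts = [p.strip().upper() for p in raw.split("|")]
    if len(parts) != 4 or not all(parts):
        return None
    return dict(zip(("pnr", "flight", "seat", "name"), parts))

def format_only_check(raw, gate_flight):
    """Weak gate: no database access, so any well-formed pass for this flight is accepted."""
    p = parse_pass(raw)
    return p is not None and p["flight"] == gate_flight

@dataclass
class ReconcilingGate:
    """Gate that matches every scan against the booked passenger list."""
    flight: str
    manifest: dict
    dcs_online: bool = True
    boarded: set = field(default_factory=set)

    def scan(self, raw):
        p = parse_pass(raw)
        if p is None or p["flight"] != self.flight:
            return "REJECT_MALFORMED_OR_WRONG_FLIGHT"
        if not self.dcs_online:
            # Blackout: never auto-board; send the passenger to a staffed document check.
            return "MANUAL_REVIEW"
        booked = self.manifest.get(p["pnr"])
        if booked is None:
            return "REJECT_NOT_BOOKED"
        if booked != (p["name"], p["seat"]):
            return "REJECT_MISMATCH"
        if p["pnr"] in self.boarded:
            return "REJECT_DUPLICATE"            # same booking presented twice
        self.boarded.add(p["pnr"])
        return "BOARD"

if __name__ == "__main__":
    gate = ReconcilingGate("XX100", dict(MANIFEST))
    print("format-only gate accepts forged pass:", format_only_check(FORGED, "XX100"))
    print("reconciling gate on forged pass:", gate.scan(FORGED))
    print("reconciling gate on genuine pass:", gate.scan(GENUINE))
```
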

While waiting for the official presentation at the conference, we should seriously consider this kind of threat. The increased adoption of technology in the civil aviation industry requires constant improvement in cyber security; a flaw like this one could open the door to dangerous events, like a hijacking or any other terrorist attack.

Pierluigi Paganini

(Security Affairs –  Passbook app, hacking)