Multiple Airlines Exposed To Check-In Hijack Threat

এই লেখাটি 108 বার পঠিত

Multiple Airlines Exposed To Check-In Hijack Threat.

Customers of multiple airlines are at risk of having their personal data accessed by hackers, according to cybersecurity company Wandera’s threat research team. The researchers discovered that the e-ticketing systems used by many major airlines send check-in links to passengers that are unencrypted. This can, say the researchers, put passengers’ personally identifiable data (PII) at risk of being accessed by hackers and modified. In some cases, an attacker might even be able to change details before printing out a boarding card and attempting to board the aircraft using it.

The vulnerability was first discovered in December last year when Wandera noticed unencrypted travel-related details were being sent to one of their secured customers. The company then investigated further and found that many airlines had the same issue with their e-ticketing systems. According to Eldar Tuvey, the Wandera CEO, a total of 40 major airlines were then investigated and nearly a quarter were found to be vulnerable. “We are finding more every week” Tuvey told me, adding “but we are not able to disclose who they are publicly before they have had a chance to fully secure their e-ticketing systems.”

Some of the airlines whose e-ticketing systems were caught up in this include Aireuropa, Air France, Jetstar, KLM, Southwest, Thomas Cook, Transavia and Vueling. Wandera has a strict responsible disclosure policy and Tuvey tells me that it has “tried to assist the airlines that have responded to us after we disclosed our findings to them over 4 weeks ago.” However, he also warns that many of those airlines have yet to fix the vulnerability “although we remain on hand to offer them as much assistance as they need to investigate and fix the issue.” Wandera also shared the findings with the relevant government agencies responsible for airport security.
Ian Thornton-Trump, head of cybersecurity at AmTrust International, told me that he isn’t surprised that the vulnerability is yet to be fixed by most airlines. “Four weeks is laughable as a measure of time frame in a legacy house of cards technology stack and legacy code base” Trump says, continuing “it’s one thing to discover the vulnerability but, especially in airline software, it’s quite a big endeavor to fix it. Four months seems more likely.”

Tuvey says the fact that the links are being sent unencrypted means that anyone using the same Wi-Fi network as the passenger would be able to intercept the credentials for the e-ticketing site by simply listening to the broadcasts happening over the air between the passenger’s wireless device and the access point. “This is no different than when two people talk across a crowded room” Tuvey points out, continuing “any third party in the room who stops to listen is likely to capture details from the conversation.”

Aviation News