
Airlines expose boarding pass data

The check-in links sent to customers by several airlines could be useful for various hacking activities, warn experts

Ethical hacking and network security specialists from the International
Institute of Cyber Security report that links sent by airlines such as Air
France, used for the electronic issuance of airline tickets, do not have any
kind of protection. These links, sent by SMS or by email, are used to start the
registration process on a flight (check-in).

Further research revealed that these unsecured
links are also sent by other relevant airlines such as Southwest in the U.S.,
KLM in Holland, Air Europa in Spain and Thomas Cook in the UK.

Network security specialists mention that the main problem is that these links
are sent from the airlines to customers using the HTTP protocol instead of
HTTPS, the secured version.

These links include data such as the origin and
destination of the flight, and even the full name of the passenger. Companies
use this data to identify passengers and provide access to more details about
their flights.

An attacker capable of intercepting a user’s
traffic through a public WiFi network, for example, can extract this
information to access the user’s online billing page.

The online billing page for each airline
varies, but in general you can find user data such as:

  • Full Name
  • Email Address
  • Passport Information
  • Nationality
  • Telephone numbers
  • Flight details

Attackers might even make some changes to the
information provided by legitimate users on the billing page.

“Boarding procedures vary from one airport to
another and can be more or less safe. The most troubling thing in this case is
that a hacker might even try to address a user-programmed flight”, network
security experts reported. 

Recently, a man travelling from the UK to
Poland boarded the wrong plane and ended up in Malta; the passenger’s
ticket was for Poland, so this incident raised an alert in the
boarding systems of the airline.

Specialists consider that airlines should
implement communications encryption during this check-in process, as well as
add additional authentication processes to restrict access to any personal
information from users.
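
As an added example (not from the original article or from any airline's code), the following pre-send audit checks an outgoing check-in message and flags links that use plain HTTP or carry passenger-identifying values in the URL. The parameter names, the sample SMS and the `airline.example` host are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names treated as personal data (assumed; adapt to the real link format).
PII_PARAMS = {"name", "firstname", "lastname", "surname", "pnr", "booking", "email"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def audit_message(body, passenger_values=()):
    """Return (url, issue) findings for every link in an outgoing SMS or email body.

    passenger_values: known values for this passenger (name, booking code, ...),
    used to catch personal data hidden in parameters with unlisted names.
    """
    findings = []
    known = [v.lower() for v in passenger_values if v]
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the link
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append((url, "sent over plain HTTP"))
        # parse_qsl decodes %XX and '+', so "Jane+Doe" is compared as "jane doe"
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in PII_PARAMS:
                findings.append((url, f"personal data in parameter '{key}'"))
            elif any(k in value.lower() for k in known):
                findings.append((url, f"passenger value in parameter '{key}'"))
    return findings

# Constructed sample message: one insecure check-in link, one opaque-token HTTPS link.
SAMPLE_SMS = (
    "Check in now: http://checkin.airline.example/ci?pnr=ABC123&lastname=DOE&from=LHR&to=WAW "
    "or manage your trip at https://www.airline.example/trips?t=9f2c7e"
)

if __name__ == "__main__":
    for url, issue in audit_message(SAMPLE_SMS, ["Doe"]):
        print(f"{issue}: {url}")
```

A link that passes this audit still needs the additional authentication step the specialists recommend before the server returns any personal data.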

“We are almost 100% sure that these
vulnerabilities are present in multiple airlines,” says Michael Covington, a
cybersecurity specialist. “We have notified some airlines and we have received
reports that they have initiated internal investigations. Still, we can say
that some of the electronic check-in systems on different airlines keep on
exposing their users’ information”, added the expert.
