Fake QR code app gets hacker into luxury airport lounges for free

lounge

Free airline Fast Track for all! Free lunch and booze at luxury airport lounges for all! Duty-free shopping for all!

That’s what a fake QR code generating app can get you, according to Przemek Jaroszewski, head of Poland’s Computer Emergency Response Team (CERT).

At the Defcon security conference in Las Vegas on Sunday, Jaroszewski presented the simple program that he’s now used dozens of times to get into airline lounges all over Europe.

The Android app generates the QR codes in order to spoof a boarding pass for any name, flight number, destination and class.

He hasn’t tried it in the US yet, but as far as Europe goes, he says none of the airline lounges he’s tested the app in have checked the details of that fake QR code against their own ticketing databases. All the airlines check for are that the QR codes actually exist.

That means that he – or other hackers who figure out how to replicate the 500 lines of javascript he said he used to create the app – can get access to exclusive, luxury airport lounges or to buy things at duty-free shops that should require proof of international ticket.

If this sounds familiar, it should. Jaroszewski is far from the first one to get himself past feeble airport security checks.

His Defcon presentation paper lists previous airplane hijinx, including:

  • In 2003, Bruce Schneier described how to fly on someone else’s airplane ticket by screwing around with e-tickets. He said he wasn’t the first to get this idea, by far.
  • In 2005, Andy Bowers described how online check-in meant that you can get on a flight without ever proving you were the person who bought the ticket.
  • In 2007, Christopher Soghoian created a fake boarding pass generator website, allowing anyone to create a fake Northwest Airlines boarding pass: any name, airport, date, or flight, thereby demonstrating a known and obvious vulnerability in airport security involving boarding passes and IDs. That resulted in a visit from the FBI, the glass on his front door smashed in, a ransacked home, a search warrant taped to his kitchen table, and all of his computers removed from his house.
  • In 2008, Jeffrey Goldberg demonstrated the ineffectiveness of airport security check-in by carrying in an astonishing assortment of verboten items on a variety of flights: an OSAMA BIN LADEN, HERO OF ISLAM T-shirt, a stack of homemade boarding passes courtesy of Schneier, a Hezbollah flag featuring the image of an upraised fist clutching an AK-47 automatic rifle, and a beer belly concealing two cans’ worth of Budweiser, for example.

Jaroszewski told Wired that his Defcon talk was intended to point out that years after those exploits, the boarding pass insecurity not only persists, but it’s gotten easier to exploit because of airports’ reliance on automated QR code readers.

Wired quotes him:

Literally, it takes 10 seconds to create a boarding pass [on a mobile phone]. And it doesn’t even have to look legit because you’re not in contact with any humans.

Here’s a video of Jaroszewski using the fake QR code to get into Turkish Airlines’ Istanbul airport lounge (one of his favorites, he told Wired: it’s replete with a cinema, putting green, Turkish bakery and free massages).

Before you dismiss him as a cheap-o fraudster who doesn’t want to pay for a first class or business ticket, rest assured that, according to Wired, he flies 50 to 80 times a year and is solidly in gold status. He says he created the app last year, when that gold status was mistakenly rejected, to make sure he didn’t get locked out again.

What’s more, Jaroszewski has refrained from exploiting the fake QR codes to get into places he doesn’t have the right to access. Nor has he bought duty-free goods when he wasn’t traveling internationally. Both actions would probably be illegal.

This isn’t a security concern, according to the US’s Transportation Security Administration (TSA) and the International Air Transport Association (IATA), and they have no plans to fix it. As it is, it’s up to the airlines if they don’t want lounge-crashers to rip off their amenities.

Both organizations told Wired that a forged bar-coded boarding pass (BCBP) wouldn’t get you on a flight. Other security measures would likely reveal that the bearer of a fake QR code didn’t have a legitimate boarding pass.

Still, the fake QR code app underscores Jaroszewski’s point: even 13 years after Schneier’s fake boarding pass demonstration, airport security is hardly what you’d call airtight.