Fake QR codes let’s hacker enjoy free access to airport lounges

As a traveller how many times have you had to be reminded at check-in and many times in between to be careful about your boarding pass? Because it was about “passenger security” and losing it had its implications? Several times, yes. But now Przemek Jaroszewski, the head of Poland’s Computer Emergency Response Team has proved that the fuss is all really very mechanical, and that the security QR Code on a boarding pass is not as efficiently automated as we think. During a trip, Jaroszewski wasn’t able to enter an airline lounge in Warsaw because the “automated reader mistakenly rejected his boarding card.” He then wrote a 600-line Javascript programme – a mobile QR code generator that produces a valid QR based on based on fake credentials (he named himself Batholemew Simpson). He tested this and it worked. To make sure it wasn’t just Warsaw, he tried it at several airports around Europe and it worked each time.

He produced his findings at Defcon, where he explained “how easy it is to craft own boarding pass that works perfectly at most checkpoints”, while not disclosing his programme, but stressing enough to raise an awakening call for airports to improve on boarding pass security.

[ Via : Thenextweb ]

Tags from the story