Becoming a secret travel agent.
Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today’s standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.
Airline reservation systems grew from mainframes with green-screen terminals to modern-looking XML/SOAP APIs to access those same mainframes.
The systems lack central concepts of IT security, in particular good authentication and proper access control.
We show how these weaknesses translate into disclosure of traveler’s personal information and would allow several forms of fraud and theft, if left unfixed.
In the airline and travel industries, a passenger name record (PNR) is a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together. The concept of a PNR was first introduced by airlines that needed to exchange reservation information in case passengers required flights of multiple airlines to reach their destination (“interlining”). For this purpose, IATA and ATA have defined standards for interline messaging of PNR and other data through the “ATA/IATA Reservations Interline Message Procedures – Passenger” (AIRIMP). There is no general industry standard for the layout and content of a PNR. In practice, each CRS or hosting system has its own proprietary standards, although common industry needs, including the need to map PNR data easily to AIRIMP messages, has resulted in many general similarities in data content and format between all of the major systems.
When a passenger books an itinerary, the travel agent or travel website user will create a PNR in the computer reservation system it uses. This is typically one of the large Global Distribution Systems, such as Amadeus, Sabre, or Travelport (Apollo, Galileo, and Worldspan) but if the booking is made directly with an airline the PNR can also be in the database of the airline’s CRS. This PNR is called the Master PNR for the passenger and the associated itinerary. The PNR is identified in the particular database by a record locator.
When portions of the travel are not provided by the holder of the Master PNR, then copies of the PNR information are sent to the CRSs of the airlines that will be providing transportation. These CRSs will open copies of the original PNR in their own database to manage the portion of the itinerary for which they are responsible. Many airlines have their CRS hosted by one of the GDSs, which allows sharing of the PNR.
The record locators of the copied PNRs are communicated back to the CRS that owns the Master PNR, so all records remain tied together. This allows exchanging updates of the PNR when the status of trip changes in any of the CRSs.
Although PNRs were originally introduced for air travel, airlines systems can now also be used for bookings of hotels, car rental, airport transfers, and train trips.
Presented by Karsten Nohl and Nemanja Nikodijevic.
Chaos Communication Congress 33c2
December 28, 2016