When I think about airlines I think about a lot of things but I don’t think of high tech. That isn’t very realistic as jet engines are pretty high tech devices and the ability to book reservations over the internet is high tech – simply search by date and city and presto you can select (and pay for) flight within minutes.
It is a pretty clever but all of this “internet access” is just a thin layer over the real backbone of the airlines. The airlines and travel agencies have had their own legacy system in place to allow for booking of flights. This system, a so called global distribution system, created to coordinate between the airlines and the travel agencies to prevent selling a seat twice.
However, the older the system the less likely it is to have been programmed to withstand a concentrated external attack by a dedicated attacker.
The neat thing about the internet age is not only the various technologies that exist but also the various white hat hacker groups that exist to investigate these technologies and cast light on these important issues. One of the oldest such groups involved in this is the chaos computer club which has existed since the early eighties.
The chaos computer club does some amazing clarifications of the weaknesses that they investigated. A few months ago, they had a Karsten Nohl give a speech about the security or lack of security of this very important system for anyone who flys.
This speech is both an amazing speech on the clarity of how the system works but terrifying how poorly such an important system is protected.
One of the most worrisome parts of this speech, especially for privacy advocates, is where Karsten points out that there is no access logs for this system. (at 44:20) This means that either a person or government can track a person and it would be impossible to know that someone has been checking out your itinerary.
There are a lot of things to take away from this speech but one of the surprising for most people is that the luggage tags and boarding passes need to be securely disposed of.