Tag: airline

Hackers rule the airline booking systems

the-great-air-robbery-movie-poster-1919-1020417131Insecurity experts working for German security outfit Security Research Labs has found that hackers appear to have the power to upgrade themselves to flying business class.

Writing in their company bog Karsten Noh and Nemanja Nikodijevic said that airline booking systems were designed back in the 1960s and have not been updated—that means that both airlines and the customers who use their services are extremely vulnerable to hackers wishing to gain access.

The main problem is that the Global Distribution System (GDS) used by the airlines is based on a restricted access code, a six-character Passenger Name Record (PNR), which customers are given when they purchase a ticket—it is also printed on all of their luggage.

The restricted part of the code means that the number and types of characters that can be used must fall within a predetermined range—that makes it easier for hackers using computers to run through all the possibilities. Since the customer’s last name is associated with the PNR, hackers can simply type in a common name, such as Smith, and then have the computer run through all the GDS character possibilities until a hit is found, allowing access to that person’s flight record.

This allows the hackers to change information on a flight record, which they  demonstrated by reassigning a reporter to a seat next to a politician on a real flight.

The weakness means that a hacker could tie their frequent flyer number to a host of other flights and giving themselves credit for thousands of miles.

The researchers also reported that they have notified the makers of the three main GDS systems of their findings and expect that some of the holes in the systems will be fixed soon, while others may require a full rewrite, obviously taking a lot longer.

The technology to find a downed aircraft exists

Technology which means that planes cannot just “drop off the radar” like Malaysia Airlines Flight 370, exists, but airlines felt it was too expensive to bother with.

Medium reports how technology needed to stream crucial flight data to the ground is already on the market – only airlines balked at the $100,000 price tag.

Commercial airliners do transmit some information: radio transponders identify them when scanned by radar, and many are fitted with an Aircraft Communications Addressing and Reporting System, or ACARS, which periodically relays text-message like snippets of information about the aircraft’s status.

In the case of Flight MH370, the transponders seem to have stopped transmitting, and the airline has reportedly declined to comment about ACARS signals while the incident is being investigated.

Computer scientist Krishna Kavi, now at the University of North Texas, proposed streaming this data to cloud storage, in a system he dubbed the “glass box”.

The only problem is that transmitting data through satellites isn’t cheap, and if such a system were operating continuously, the cost would be prohibitive. Wired claimed it would cost “billions of dollars” to implement flight data streaming across the airline industry.

But most of the data is based on the maker of the existing black box technology L-3 which spun a false premise that all flight data would need to be streamed, all of the time.

Paul Hayes, safety and insurance director with Ascend, an aviation consultancy based said that systems could be designed to be triggered by unusual flight events, and only then start streaming flight data.

Such devices are already on the market, fitted to around 350 planes run by about 40 operators and they transmit data that help airlines plan maintenance, or work out how to minimise fuel consumption.

Richard Hayden, a director of FLYHT, the company that makes the system said that it transmits data via Iridium satellitesand can be programmed to start streaming flight data when a plane deviates from its flight plan, or instruments suggest something is going wrong.

If a plane is blown out of the sky by a bomb, or suffers a sudden catastrophic structural failure at cruising altitude it will not be much help but in those rare cases, conventional black boxes are really the only viable technology.

After the Air France disaster, the International Civil Aviation Organisation did consider installing the technology but the industry has concluded that the likely savings were too small.