Writing on their company blog, Karsten Nohl and Nemanja Nikodijevic said that airline booking systems were designed back in the 1960s and have not been updated, which means that both airlines and the customers who use their services are extremely vulnerable to hackers wishing to gain access.
The main problem is that the Global Distribution System (GDS) used by the airlines is based on a restricted access code, a six-character Passenger Name Record (PNR), which customers are given when they purchase a ticket—it is also printed on all of their luggage.
The restricted part of the code means that the number and types of characters that can be used must fall within a predetermined range—that makes it easier for hackers using computers to run through all the possibilities. Since the customer’s last name is associated with the PNR, hackers can simply type in a common name, such as Smith, and then have the computer run through all the GDS character possibilities until a hit is found, allowing access to that person’s flight record.
This allows the hackers to change information on a flight record, which they demonstrated by reassigning a reporter to a seat next to a politician on a real flight.
The weakness means that a hacker could tie their frequent flyer number to a host of other flights and give themselves credit for thousands of miles.
The researchers also reported that they have notified the makers of the three main GDS systems of their findings and expect that some of the holes in the systems will be fixed soon, while others may require a full rewrite, obviously taking a lot longer.
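On the defensive side, the guessing pattern described above (one common surname, many candidate PNRs) can be spotted in lookup logs. The following is an added example, not code from the researchers or any GDS vendor; the log format, window and threshold are assumptions, and the log lines are constructed. It shows why counting failed lookups per surname catches guessing that per-source counting misses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_DISTINCT_MISSES = 5         # assumed threshold; tune to real traffic

def parse(line):
    """Parse 'ISO-timestamp source last_name pnr result' (constructed format)."""
    ts, src, name, pnr, result = line.split()
    return datetime.fromisoformat(ts), src, name.upper(), pnr.upper(), result

def detect_enumeration(lines, key="name"):
    """Return the keys whose distinct failed PNR guesses inside WINDOW exceed
    MAX_DISTINCT_MISSES. key='name' groups by surname (catches guessing spread
    over many sources); key='source' groups by client address."""
    recent = defaultdict(deque)   # key -> deque of (timestamp, pnr) misses
    flagged = set()
    for ts, src, name, pnr, result in sorted(map(parse, lines)):
        if result != "miss":
            continue
        k = name if key == "name" else src
        q = recent[k]
        q.append((ts, pnr))
        while q and ts - q[0][0] > WINDOW:   # drop misses older than WINDOW
            q.popleft()
        if len({p for _, p in q}) > MAX_DISTINCT_MISSES:
            flagged.add(k)
    return flagged

def sample_log():
    """Constructed log lines: a traveller mistyping a code once, plus a run of
    failed lookups for one surname rotated across four source addresses."""
    base = datetime(2017, 1, 5, 10, 0, 0)
    lines = [
        "2017-01-05T09:58:00 203.0.113.9 JONES QX7T2B miss",
        "2017-01-05T09:58:30 203.0.113.9 JONES QX7T2P hit",
    ]
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        src = f"198.51.100.{i % 4 + 1}"   # four rotating sources
        lines.append(f"{ts} {src} SMITH ZZZZ{i:02d} miss")
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("flagged by surname:", detect_enumeration(log, "name"))
    print("flagged by source: ", detect_enumeration(log, "source"))
```

In the constructed data each source stays under the threshold, so a per-address limit alone never fires, while the per-surname count does.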