Harvesting Boarding Passes

It’s clear that personal and sensitive data should be protected by all means.
However it’s trully sad to see that people deliberately or unconsciously reveal very sensitive details about them, despite the fact that society is very concerned with “big brother” actions of 3rd-parties in the first place.

Following are just few (ab)use scenarios which I quickly came up with - the sky is the limit (in all it’s meanings !) when playing with someone’s flight…

I am not saying that every everage Joe kind of person will be tracked by these means in “a la” agent 007 style, but imagine an important science person/professor (dealing with sensitive issues, like for example nuclear R & D) being a target of such attack. And yes, I have seen interesting university&academia related boarding passes exposed…

Person identification

- learn sensitive details
- learn (airline) preferences and Frequent Traveller (FT) (to put the importance of this kind of information, let me remind you about WhiteHouse directive leaked thru WikiLeaks suggesting FT data harvesting by US embassies worldwide)
- learn susceptability to “Frequent Traveller Customer Service” impersonation/social engineering attacks
- learn travelling habits (departure hours, taken routes, etc.)

Person (location) tracking

[More:]

- learn where the person lives (if the origin on multiple boarding passes is statistically consistent with a given geographic area)
- track reconstruction/following (and eventually analysis and alarm in case out-of-pattern/out-of-plan actions occur)
- learn travelling habbits (so that next “moves” can be predicted/evaluated and attacker-actions planned accordingly, etc.)

Various

- impersonate the person with a higher degree of credibility given level of details learned
- learn very-near future plans (every 24h window try to checkin given FT-number and last name and see what flights are scheduled for the person)
- direct effects on victim’s plans (eg: DoS by checkin cancelation, checkin seat-assignment convenient to the attacker so that next-phases of social engineering can be conducted, group-checkin impersonation so that person is being more or less associated with a group of persons (good or bad) without their own will)
- marriage cheating cases more easily detectable, etc.
- though most of the boarding passes exposed were most likely exposed (or at least published/indexed by google) after their use, pro-active harvesting and impersonations could be executed
- deliberate “leakage” of fake/misleading boarding passes by the “victim” (who is actually an attacker in this case), so that intelligence gathering dudes will have a hard time tracking down the so called “victim”
- “virtual dumpster diving” (i.e. searching in so called “Recycle bin” and “Browser caches") in hotel/ariport based public PCs in hope that eventual boarding passes haven’t been properly deleted

Google Dorks search queries

The following are just few “google dorks” for this kind of data harvesting for the reconaissance phase.

KLM

Code:

LUFTHANSA

Code:

EASYJET

Code:

AMERICAN AIRLINES

Code:

Conclusion

Though online/internet checkin is fine, proper care and awareness should be in place to make sure you don’t expose unessecary private/sensitive details.

As a general note, if the boarding pass details are considered important to be leaked and there is no certainty about complete anonimity and “shredding” of these boarding passes, take the safe solution of checking-in at the airport counter.

Contribute

It would be nice if you find this initial list of boarding-pass data-harvesting useful and I will greatly appreciate your conbtribution for other arilines as well (leave them in a comment or email them directly to me).
Thanks.