An easy way to get into the VIP lounge of a European airport
You don’t need to buy a business class ticket; you just need to compose the right QR code for the boarding pass scanner
Przemek Jaroszewski demonstrates a QR code that allows him to access the airport’s VIP lounge.
Przemek Jaroszewski, head of the Polish unit of the computer emergency response team (CERT), goes on international business trips very often. He usually flies, on average 50 to 80 times a year. At that frequency, airlines give the customer many bonuses, including access to VIP lounges. Jaroszewski likes the Turkish Airlines lounge, where you can watch a movie, try Turkish pastries and even get a free massage.
On one of his flights, the system did not recognize his VIP status when scanning his boarding pass. Jaroszewski solved the problem using his skills as an information security specialist. He learned to compose a QR code for the airport system, which allowed him to receive VIP status at almost any airport in Europe.
The Pole wrote a special program that takes dummy passenger data and real flight data and generates a QR code for the boarding pass. You can use any name, flight number, terminal airport and ticket class. As it turned out, the system only needs a real flight number. All other data can be made up. The Android application created by Jaroszewski allows anyone to access the VIP lounges of a number of airlines. The application can also be used to shop in duty free stores.
The vulnerability of systems that scan boarding passes is far from news. Cryptography specialist Bruce Schneier was the first to use it. He described his method in 2003. Another information security specialist created a website that automatically generated fake boarding passes. The site is still working, but the script that generated the fake boarding passes is not. The FBI forced the site owner to remove the script back in 2006.
With his application, Jaroszewski showed that the vulnerability still exists today, ten years later. “In fact, it only takes 10 seconds to create a fake boarding pass,” he says.
The Pole recorded the process of creating a QR code on video. In it he uses the name Bartholomew Simpson and generates a code. With this code, he checks in for the flight and enters the Turkish Airlines VIP Lounge in Istanbul.
Przemek Jaroszewski says that he has not tested his application at airports outside Europe, so he cannot say whether it would work in the US or other countries. He also never tried to fly under a fake name. In his opinion, this is hardly possible, since boarding a plane involves a second check, this time against identity documents. The method is also only usable by people who are already at the airport and have passed all the checks, including security screening. The trick can only be used to obtain the privileges of a passenger with VIP status. Having created the corresponding QR code, an economy class passenger can easily enter the lounge meant for passengers who bought a much more expensive ticket.
Wired reporters turned to the US Transportation Security Administration and the International Air Transport Association, asking for comment. Representatives of these organizations replied that they did not view the current situation as a threat. The reporters were also told that responsibility for passenger safety lies with the airlines themselves. The problem seems to be that the scanning systems have no way to check passenger data; their database contains only flight numbers. Such scanners cannot connect to an external network to check all the data contained in the QR code.
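The gap described above, as an added example that is not from the article or from Jaroszewski's application: a check that trusts every field once the flight number is known, beside one that verifies an authentication tag offline. The record format, flight numbers, key and function names are constructed assumptions, and HMAC from the Python standard library stands in for the asymmetric signature a deployment would use so that scanners hold no signing key.

```python
import hashlib
import hmac
import json

# Constructed sample data: flights the offline scanner has in its local list.
KNOWN_FLIGHTS = {"XX100", "XX200"}
# Constructed demo key; hypothetical, shared by issuer and scanner.
ISSUER_KEY = b"constructed-demo-key"
FIELDS = ("name", "flight", "cabin", "status")


def canonical(record):
    """Serialise every field in a fixed order so the tag covers all of them."""
    return json.dumps([record[f] for f in FIELDS]).encode()


def issue_tag(record, key=ISSUER_KEY):
    """Issuer side: tag computed at check-in and encoded next to the fields."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def weak_lounge_check(record):
    """Check as the article describes it: real flight number, self-declared class."""
    return record.get("flight") in KNOWN_FLIGHTS and record.get("cabin") == "business"


def hardened_lounge_check(record, tag):
    """Offline check that rejects fields the issuer did not authenticate."""
    if not isinstance(tag, str):
        return False
    if not all(isinstance(record.get(f), str) for f in FIELDS):
        return False
    expected = issue_tag(record).encode()
    if not hmac.compare_digest(expected, tag.encode()):
        return False
    return weak_lounge_check(record)


# Constructed passes in a simplified record format (not the real barcode layout).
economy = {"name": "SAMPLE/PASSENGER", "flight": "XX100", "cabin": "economy", "status": "none"}
economy_tag = issue_tag(economy)
business = dict(economy, cabin="business")
business_tag = issue_tag(business)
# Economy pass with fields edited after issue; the original tag no longer matches.
edited = dict(economy, cabin="business", status="elite")
```

The weak check admits the edited pass because it never questions the class field, while the hardened check needs no network connection and still rejects it.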
Przemek Jaroszewski, speaking at the Defcon conference, said that he had never tried to get into airline lounges that he would not have had access to as a VIP passenger under his real name. He also did not try using his application to buy goods in duty free stores when flying within a single country. The expert explained that he did not want to break the law. He did once generate a code for a friend who was at the Istanbul airport, waiting 7 hours for a connecting flight. He told the friend to use the QR code at his own risk. And it all worked out for him.
Jaroszewski said he was not going to share his application. He claims that any more or less experienced specialist would have no trouble creating exactly the same application. The program itself is simple: it only has 500 lines of code. And the intentions of a person who decides to do something similar may be far from simply wanting to test whether airport systems can be fooled.