'It takes 10 seconds to create a boarding pass' - Hacker accesses airport lounges for free
'Bartholomew Simpson' QR Codes
A hacker claims to have used a mobile phone app to fake a QR code, gaining free entry to an airport business lounge.
Przemek Jaroszewski, head of Poland’s Computer Emergency Response Team, used his expertise and a simple program to create a new entry ticket after his membership was mistakenly rejected by a Turkish Airlines lounge in Istanbul, he says.
The frequent flier then used the app on his Android phone to access a number of other airport lounges, though none he did not already have valid access to already.
Jaroszewski, who presented his findings to a security conference in Las Vegas at the weekend, said he did not use the fake QR codes to attempt to board a plane as he would be likely stopped by more thorough checks at the departure gate.
Nevertheless, he did made a video showing how easy it was to create the fake codes, telling Wired: “Literally, it takes 10 seconds to create a boarding pass… and it doesn’t even have to look legit because you’re not in contact with any humans.”
He created the fake boarding passes under the name Bartholomew Simpson.
Over the course of his experiments, the computer expert found that the code did not need to contain many passenger details, only the flight number, and that it was possible to enter even the most exclusive airport lounges using the technology.
The hacker is yet to attempt the trick outside of Europe and believes that American security would be tighter, and pointed out that he has not used the codes to do anything illegal. However, he did share the technology website that he once sent a code to a friend to use.
Jaroszewski also used his codes to show a boarding pass required when purchasing duty-free shopping, though after a small, peaceful consumer revolt last year it is now understood that UK passengers are not obliged to show their boarding passes when buying goods in airports.
Despite giving a speech on the issue, Jaroszewski will not be releasing the code-creating software – something another computer expert did in 2006, warranting the attention of the FBI. After claims that Christopher Soghoian’s work posed a national security risk, the FBI raided his home, though neither the agency or the Transportation Security Administration (TSA) brought any charges.
Jaroszewski's revelations raise concerns about the quality of airport security that relies on computer scanners, but Chris Goater, a spokesperson for the International Air Transport Association (IATA), said a forged “bar code boarding pass… will not entitle the person carrying it with any right to travel, nor will it create any confusion with an airline’s system where the official information is stored”.
“Additionally, airlines have their own processes and rules allowing passengers into their lounges,” he said.
Turkish Airlines has not responded to a request for comment.