Another demonstration of CRS/GDS insecurity

Zack Whittaker had a report yesterday for Techcrunch on the latest rediscovery of a continuing vulnerability affecting sensitive personal data in airline reservations that I first reported, both publicly and to the responsible companies, more than 15 years ago: computerized reservations systems and systems that rely on them for data storage and retrieval, including airline check-in Web sites, use a short, insecure, unchangeable, system-assigned, and fundamentally insecure “record locator” as though it were a secure password to control access to passenger name record (PNR) data.

I wrote about these vulnerabilities and reported them to each of the major CRS/GDS companies in 2001, 2002, and 2003, specifically noting their applicability to airline check-in Web sites (among many other Web services). I pointed these vulnerabilities out in a submission to the US Federal Trade Commission in 2009 which was co-signed by several consumer and privacy organizations, in my 2013 testimony as an invited expert witness before the Advisory Committee on Aviation Consumer Protection of the U.S. Department of Transportation, in a complaint which was which finally accepted and docketed by the European Commission in 2017, and in my comments to the European Commission in December 2018 with respect to its current review of the European Union’s regulations governing protection of personal data by CRSs.

Meanwhile, in late 2016, both the insecurity of “record locators” as passwords and “brute force” record locator attacks on one of the Web gateways to the Amadeus CRS that I had written about were publicly demonstrated by white-hat hackers, prompting another and more extensive round of publicity.

In my comments last month to the European Commission, I recounted some of this history and recommended that:

The privacy and data protection provisions of the CRS Code of Conduct…. Should be retained [and] should be enforced… including by requiring CRSs to replace “record locators” with user-selectable, user-changeable passwords.

I also pointed out the reason that airlines have not closed these vulnerabilities, or pressured CRSs to do so, despite having been aware of them for many years from my own and other reports:

In the absence of support by the CRSs for password controls on PNR access, numerous public-facing systems that rely on CRSs for data storage and functionality, including self-service check-in and itinerary viewing systems operated by airlines and travel agencies (or operated by CRSs in the names of airlines or travel agencies), rely on inherently insecure, fixed, CRS-assigned “record locators” in place of passwords. These record locators are printed on boarding passes, baggage tags, and itineraries. Travellers are never told that they need to treat record locators as unchangeable passwords….

Airlines accept this lack of security because it facilitates automation through self-service systems that reduce airline labor costs. More secure systems that require a unique or user-selectable password for access to each PNR would require more airline and/or airport staff to deal with lost or forgotten passwords, and might reduce or slow adoption of self-service check-in, flight change, or other labor-saving systems. In the absence of data protection enforcement, airlines have a financial interest in prioritizing their own business process automation over the security of travellers’ personal data.

Airlines and other CRS users will implement more secure, but more costly, PNR access controls only if they are forced to do so through enforcement of data protection requirements, or if passwords are implemented by CRSs as requirements for all users. [emphasis added]

The responses by Amadeus to the latest demonstration of these longstanding, well-known, and already reported and publicized vulnerabilities, according to Techcrunch, is to claim to have taken “immediate action”. But I spent hours on the phone and engaged in extensive e-mail correspondence with Amadeus in 20901-2003, trying unsuccessfully to get the company to do anything about this vulnerability or explain its inaction. There was no action in response, immediate or otherwise.

Yesterday Amadeus also said, according to Techcrunch, “We work with our customers and partners in the industry to address PNR security overall. The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale. Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which requires industry collaboration.”

Even if this were true, the industry has had ample time — more than 15 years — to implement changes to IATA standards such as the AIRIMP. But the suggestion that closing this vulnerability would require changes to IATA standards is simply not true. Neither the AIRIMP (which sets standards for messaging between airlines and CRSs, but not for consumer-facing interfaces) nor any other IATA standard requires the use of a record locator as means of controlling access to PNR data, or precludes the inclusion in PNRs of user-selectable and user-changeable passwords or their use to control access to PNR data.

Yes, industry-wide changes are needed. But they need to start with Amadeus and the other CRSs that set the de facto standard of insecurity for handling of personal information in airline reservations.

Amadeus and the other CRS companies, as well as the airlines that accept their insecure services, need to stop lying, stop pointing fingers of blame at anyone but themselves, stop feigning surprise at each new report of the same well-known vulnerabilities, and get to work on fixing their problems.