Hacker Creates Fake Boarding Pass QR Code App Granting Access To Elite Airline Lounges
Let's face it, for the most part, air travel can be a hassle. Long security lines, walking what feels like 10 miles to make a connection, and lugging our belongings around while we deal with all of it can be a drain. It's for that reason that airline lounges can be a wonderful place to decompress - to get away from the noise of the airport and sit in a comfier chair with faster Internet and some snacks. With all the hassle of the airport, these lounges can help lessen the pain.
Of course, airline lounges are also rather exclusive. Unless you fly a lot and become an elite member of an airline program, you'll be shelling out good money to grant yourself access - often $50 or more. Wouldn't it be great then, to not have to meet the strict requirements and not have to pay for access? Enter Przemek Jaroszewski's rather industrious hack.
Jaroszewski discovered that most lounges don't verify a traveler's information. As long as the flight information exists for that day, and the traveler's class is labeled as one that gets free access, the automated QR code readers will consider it a-OK for entry. Obviously, this trick would not work in lounges that require you to speak to the person at the desk, but for those with complete automation, he claims it can be easily done and demonstrates this in a short video.
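The gap described above, seen from the lounge operator's side, as an added example (not code from Jaroszewski, the airline, or any reader vendor). The field names, cabin codes, sample records and the availability of a reservation lookup are all assumptions made for illustration.

```python
FLIGHTS_TODAY = {"XX100", "XX200"}   # constructed flight numbers
LOUNGE_CABINS = {"J", "F"}           # assumed eligible cabin codes
# Constructed airline-side records: (locator, flight) -> (name, cabin)
RESERVATIONS = {
    ("ABC123", "XX100"): ("DOE/JANE", "J"),
    ("DEF456", "XX100"): ("ROE/RICHARD", "Y"),
}

def weak_check(scanned):
    """Reader logic as the article describes it: the code is taken at its word."""
    return (scanned.get("flight") in FLIGHTS_TODAY
            and scanned.get("cabin") in LOUNGE_CABINS)

def verified_check(scanned):
    """Treat the code as a claim and confirm it against the airline's record."""
    record = RESERVATIONS.get((scanned.get("locator"), scanned.get("flight")))
    if record is None:
        return False, "no matching reservation"
    name, cabin = record
    if scanned.get("name") != name:
        return False, "name differs from reservation"
    if scanned.get("cabin") != cabin:
        return False, "cabin differs from reservation"
    if cabin not in LOUNGE_CABINS:
        return False, "cabin not eligible"
    return True, "ok"

# Constructed scans: a genuine business-class pass, a code with no booking
# behind it, and a real economy booking whose cabin field was changed.
SCANS = {
    "genuine": {"locator": "ABC123", "flight": "XX100",
                "name": "DOE/JANE", "cabin": "J"},
    "no_booking": {"locator": "ZZZ999", "flight": "XX200",
                   "name": "DOE/JOHN", "cabin": "J"},
    "cabin_changed": {"locator": "DEF456", "flight": "XX100",
                      "name": "ROE/RICHARD", "cabin": "J"},
}

def compare():
    """Return {label: (weak result, (verified result, reason))} for each scan."""
    return {label: (weak_check(s), verified_check(s)) for label, s in SCANS.items()}

if __name__ == "__main__":
    for label, (weak, (ok, reason)) in compare().items():
        print(f"{label:14} weak={weak!s:5} verified={ok!s:5} ({reason})")
```

All three scans pass the weak check; only the genuine one survives the lookup, which is the same verification a person at the desk would otherwise perform.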
In the video, Jaroszewski sits outside of Turkish Airlines' lounge in Istanbul, taps a few entries on his phone, and then generates a QR code. After scanning that code at the reader, the gate opens and he waltzes right on in. If you were a regular passenger with no perks at all, this kind of trick would be hugely valuable (especially in a high-end lounge like this one).
Jaroszewski will be detailing this hack at Defcon this weekend, and while he admits he hasn't tested it outside of Europe, it seems like it should work. He also notes he won't be releasing his QR code generator app any time soon, but it does of course expose a significant airline security vulnerability. As mentioned above, if a human needs to verify the boarding pass, then this hack clearly wouldn't work, but most lounges will have this kind of automated system.
Something tells us that this kind of hack won't remain possible for long and of course, it's likely rather illegal.