00:00:00.234,00:00:04.371
>>So, good morning everyone. >>
Morning. >> Hope you're enjoying

00:00:04.371,00:00:10.777
DefCon so far. >> ?Yes... >>
Wooooh! [cheering] Happy to see

00:00:10.777,00:00:15.616
so many people so early in the
morning on the last day. So,

00:00:15.616,00:00:21.622
hope I won't get you asleep.
Uhm, let's start with it, okay,

00:00:21.622,00:00:28.128
so, aha, uh, bit of an
introduction. I am the head of

00:00:28.128,00:00:31.498
the national Polish CSIRT, that
is the Computer Security

00:00:31.498,00:00:35.836
Incident Response Team. Uhm,
that's my job but this research

00:00:35.836,00:00:39.940
is not related to the job in any
way. So, just a disclaimer,

00:00:39.940,00:00:43.143
that's my research and, uh, not
necessarily all opinions are

00:00:43.143,00:00:48.215
shared by my employer. Uhm, my
background is a programmer...

00:00:48.215,00:00:51.852
[cough] But that was a long time
ago, I eventually got a degree

00:00:51.852,00:00:55.989
in social psychology, that's not
social engineering - that's

00:00:55.989,00:00:57.324
related [audience noise] But I
don't think that they give

00:00:57.324,00:01:02.763
degrees in social engineering
yet. [pause] And, uh, I have 15

00:01:02.763,00:01:05.799
years of experience in IT
security and I also love

00:01:05.799,00:01:09.136
everything about, you know,
flying and aviation. I... I

00:01:09.136,00:01:11.571
almost became an air-traffic
controller trainee at some

00:01:11.571,00:01:16.410
moment. [pause] And I love to
learn how system works, how

00:01:16.410,00:01:18.278
systems works, you know, how
the... how everything is going

00:01:18.278,00:01:19.613
on in the background. So also
because I've, uh, tend to fly a

00:01:19.613,00:01:24.618
lot - both privately and,
because of my employer I enjoy

00:01:28.622,00:01:33.627
some benefits, uh for frequent
flyers. And I have some kind of

00:01:36.463,00:01:41.335
disregard for "Frequent Flyer
Miles", they have any real value

00:01:41.335,00:01:45.739
to me anymore but I still enjoy
the privileges like lounge

00:01:45.739,00:01:48.141
access, or fast track access, so
they really save you time and

00:01:48.141,00:01:52.612
give you some comfort at the
airports. [pause] Except when

00:01:52.612,00:01:55.716
somebody tries to fix that
problem... and the problem

00:01:55.716,00:02:00.120
doesn't really exist. So about a
year ago, my home airport in

00:02:00.120,00:02:04.024
Warsaw introduced these
automatic self-serve gates.

00:02:04.024,00:02:06.259
[audience noise] That was
supposed to speed things up

00:02:06.259,00:02:09.629
because instead of, you know,
waving your boarding pass in

00:02:09.629,00:02:14.668
front of a person, have them
scanning it... you just, uh, use

00:02:14.668,00:02:20.640
a scanner and the gates let you
in. Uhm, the only problem was

00:02:20.640,00:02:24.845
with the fast track it didn't
read my status properly. So, it

00:02:24.845,00:02:27.781
would let in all the "business
class" passengers but I tend to

00:02:27.781,00:02:31.551
travel on "economy", and I only
get the fast track access

00:02:31.551,00:02:34.921
because I have this gold status.
So it wouldn't read that status

00:02:34.921,00:02:38.925
properly and I had to go up to
the guy anyway, show him my

00:02:38.925,00:02:43.630
boarding pass, make him come to
the gate, scan my boarding pass

00:02:43.630,00:02:47.134
like two or three times like,
you know, it's kind of

00:02:47.134,00:02:50.737
counterproductive. You know, it
wastes like 30 seconds of my

00:02:50.737,00:02:53.073
precious time and the guy
probably has better things to

00:02:53.073,00:02:57.911
do. So I.. let's see if I can
fix things. [pause] Uhm, so

00:02:57.911,00:03:04.384
let's rewind a little bit, what
are we talking about? As you

00:03:04.384,00:03:10.757
probably noticed for the past 10
years or so... uhm, you get this

00:03:10.757,00:03:13.393
little barcode on your boarding
pass, whether it's mobile, on

00:03:13.393,00:03:18.765
paper, you still get a [cough]
nice 2D boarding, uh, nice 2D,

00:03:18.765,00:03:23.036
uhm, barcode on your boarding
pass. [pause] And that was

00:03:23.036,00:03:27.407
introduced in 2005 by IATA which
is International Air Traffic

00:03:27.407,00:03:31.678
Association, if I, get it
properly resolution. I've got 7

00:03:31.678,00:03:36.850
9 2, uh, it introduces something
called board, uh, barcoded

00:03:36.850,00:03:41.421
boarding pass standard. Which is
adapted by all airlines,

00:03:41.421,00:03:44.524
airports, anyone who deals with
boarding passes have to obey to

00:03:44.524,00:03:49.529
that standard. [pause] And,
uhm... [pause] And so you get

00:03:53.133,00:03:57.237
four different kinds of, uhm,
barcodes which can be used when

00:03:57.237,00:03:58.605
you have you will, it must
always be pdf 4 1 7 which is the

00:03:58.605,00:03:59.973
nice rectangle one, the wide
one; if it's on mobile it has to

00:03:59.973,00:04:03.443
be the square one, so QR code
which you probably know about.

00:04:03.443,00:04:08.448
And the Aztec and Matrix Data
which, we have examples of down

00:04:13.487,00:04:18.492
here. [pause] So, you know... I
get on Google Play search

00:04:22.662,00:04:27.768
looking for barcode scanners to
make my life easier. And,

00:04:27.768,00:04:32.272
funnily enough you get, like,
dozens of them. The, the tool in

00:04:32.272,00:04:37.911
the middle the barcode scanner
by, uh, GeeksLab and Manatee

00:04:37.911,00:04:42.182
would become my two favorites,
but you get a wide choice.

00:04:44.284,00:04:46.119
[pause] So, there are freely
available tools you can see

00:04:46.119,00:04:49.589
what's inside and you can pretty
much code the boarding pax,

00:04:49.589,00:04:55.962
boarding pass looks like when
it's encoded in BCBP. So it's

00:04:55.962,00:05:01.334
just bunch of characters. And
sort of by trial and error and I

00:05:01.334,00:05:06.339
started figuring out, okay, if
it doesn't read the, uh, my

00:05:08.475,00:05:13.980
frequent flyer status properly -
so probably I need to adjust

00:05:13.980,00:05:17.350
booking class, right? I need to
say, I, I'm in business and if

00:05:17.350,00:05:22.589
that's what it reads let's see
if it will let me...[audience

00:05:22.589,00:05:26.226
noise] So the other tool I would
need is a boarding pass

00:05:26.226,00:05:28.895
generator and funnily enough
there is also a bunch of them,

00:05:28.895,00:05:33.200
uhm, uh, on Google Play store
and I'm pretty sure on Apple

00:05:33.200,00:05:38.405
store as well. So, like I said,
first by trial and error I

00:05:38.405,00:05:43.210
figured out that this would be
the travel class character. If

00:05:43.210,00:05:47.047
you fly a little bit, you kind
of get used to this letters so

00:05:47.047,00:05:50.183
"M" would be for economy or "Y"
would be for economy; "C" would

00:05:50.183,00:05:55.555
be for business, things like
that, things like that. Uhm, and

00:05:55.555,00:05:58.291
also, you can pretty clearly see
something's standing out like

00:05:58.291,00:06:02.896
firstname, lastname, uhm, origin
airport, departure airport, uhm,

00:06:02.896,00:06:06.600
sorry, departure airport,
destination airport; flight

00:06:06.600,00:06:11.271
number, so some things you can
make out just by looking at the,

00:06:11.271,00:06:16.343
uh, the clear text characters.
So, let's see if I switch this

00:06:16.343,00:06:21.848
little character to "C", and,
uhm, seriously it, it worked. It

00:06:21.848,00:06:26.786
will let me in, so fine, I saved
you know, 30 seconds about, uh,

00:06:26.786,00:06:28.888
of my time every time I
travelled through the fast

00:06:28.888,00:06:33.727
track. So it's free fast track
for all travellers, neat, but,

00:06:33.727,00:06:38.031
you know, what else can we get?
You know, if this is not

00:06:38.031,00:06:40.900
verified, what else is not
verified? What else can I play

00:06:40.900,00:06:45.005
with? And, you know, I started
changing different things, like

00:06:45.005,00:06:50.577
firstname, lastname. Funnily
enough - let's you in! [pause]

00:06:50.577,00:06:55.448
So, then I was like, there's one
thing that can be verified

00:06:55.448,00:06:59.019
easily - it's the booking code,
right? Because that can be

00:06:59.019,00:07:02.122
looked up in the reservation
system and maybe that could be

00:07:02.122,00:07:06.926
matched to your boarding pass
and... well they could at least

00:07:06.926,00:07:09.195
know whether you're travelling
or not, you know, whether

00:07:09.195,00:07:12.932
somebody's just making up
things. So let's go ahead and

00:07:12.932,00:07:17.937
change this... it would also let
me in! So now I got, getting

00:07:21.241,00:07:26.680
really confused. So what we are
getting here is our airport

00:07:26.680,00:07:31.384
access for all pretty much.
Right? And just a bit of

00:07:31.384,00:07:34.754
explanation, that was in Warsaw,
I tested it in a number of

00:07:34.754,00:07:37.590
different airports - in the US
it would work a bit differently

00:07:37.590,00:07:40.694
which I will come back to in a
minute. [cough] But this works

00:07:40.694,00:07:43.496
in a lot of airports, it's not,
it's not something specific to

00:07:43.496,00:07:47.200
Warsaw or, you know, just one or
two airports. And we will come

00:07:47.200,00:07:53.273
back to why that is. So it's not
just fast track access, it's,

00:07:53.273,00:07:57.310
you know, airport access for
all. [audience noise] And, yea,

00:07:57.310,00:08:02.148
like, notice like millions of
travellers per day, like how

00:08:02.148,00:08:05.852
come nobody noticed it? That,
uh, somebody had to figure this

00:08:05.852,00:08:11.524
out already... And, yea, this is
not entirely news. So, back in

00:08:11.524,00:08:17.931
2003 Bruce Schneier already
noticed when, uhm, when the

00:08:17.931,00:08:21.034
concept of print your own
boarding pass was introduced,

00:08:21.034,00:08:25.338
even before the bar coded
boarding pass was there that you

00:08:25.338,00:08:31.277
can spoof a boarding pass and
the... with this you could also

00:08:31.277,00:08:37.050
circumvent the "no-fly list"
checks in the US. [pause] That

00:08:37.050,00:08:42.055
was 2003, until 2007 this was
not fixed in any way and, uh,

00:08:44.958,00:08:49.963
November 2006, Chris Soghoian,
uhm, out up a webpage where

00:08:52.098,00:08:55.802
anybody could produce a fake, i
think, it was Southwest,

00:08:55.802,00:09:01.074
boarding pass and he got into a
looooot of trouble for that.

00:09:01.074,00:09:04.310
[laughter] So, you got FB, much
FBI raided his home, you know ,

00:09:04.310,00:09:10.950
he got a nice letter from TSA
saying like "You are violating

00:09:10.950,00:09:15.155
these and these laws, don't do
it. Please". ??[coughing]

00:09:15.155,00:09:20.160
[laughter] Uhm, there's also two
articles from 2008 and, uh, 2011

00:09:23.496,00:09:26.433
which worked conjointly with
Bruce Schneier. Uhm, they also

00:09:26.433,00:09:31.171
touch a bit on physical security
- I totally recommend going and

00:09:31.171,00:09:35.842
reading them - it's very
entertaining. In 2012, uh, John

00:09:35.842,00:09:40.847
Butler also wrote an article on
how you could possibly, uhm, uh,

00:09:45.151,00:09:49.222
figure out whether you are, uhm,
pre-check eligible or make

00:09:49.222,00:09:53.927
yourself precheck eligible. Uh,
most, most of the technical

00:09:53.927,00:09:57.263
stuff she got wrong in the
article, but anyway the idea was

00:09:57.263,00:10:02.936
kind of cool. And, you know, he
made some things right at least.

00:10:02.936,00:10:07.073
So how did the fly-list bypass
work back in 2003? So you would

00:10:07.073,00:10:10.710
have to buy tickets under a
false name because when you are

00:10:10.710,00:10:14.047
buying the tickets your name,
you know, matched against the

00:10:14.047,00:10:19.052
no-fly list. Uhm, then you print
your boarding pass at home, so

00:10:22.255,00:10:25.592
this is one point where things
get checked. So your name

00:10:25.592,00:10:29.996
against the no-fly list, then
you create a copy of the

00:10:29.996,00:10:34.434
boarding pass, and, uh, put your
real name on it, which is on the

00:10:34.434,00:10:38.171
no-fly list, but we'll come to
that. The you present the fake

00:10:38.171,00:10:42.742
boarding pass to the TSA officer
along with your ID, the problem

00:10:42.742,00:10:45.078
here is that the TSA officers
did not have access to the

00:10:45.078,00:10:48.348
reservation system so they only
validated your boarding passes

00:10:48.348,00:10:52.819
against your ID. So now it's a
fake boarding pass but the name

00:10:52.819,00:10:56.122
matches with your ID - you're
good to go. And when you

00:10:56.122,00:10:58.591
actually board the plane you
discard the fake boarding pass

00:10:58.591,00:11:01.327
and produce the original
boarding pass again which

00:11:01.327,00:11:06.332
matches the reservation system.
And you can fly! So that was in

00:11:06.332,00:11:12.739
2003, and like I said, it was
the same thing described in 2006

00:11:12.739,00:11:16.943
and 2007. Uhm, it got a bit
improved since then and we'll

00:11:16.943,00:11:21.047
get to that. [pause] So this is
the letter, I dunno if you can

00:11:21.047,00:11:25.418
see it but it's , uh, it's easy
to Google it up, it's, it's the

00:11:25.418,00:11:28.788
letter that Mr. Soghoian got,
it's a letter making up this

00:11:32.625,00:11:38.464
fake boarding pass creator. So
how does bypassing no-fly list

00:11:38.464,00:11:44.404
in 2016 Europe? So basically buy
tickets under a false name, and

00:11:44.404,00:11:50.977
then you go to the airport and
fly. [laughter] So, not exactly

00:11:50.977,00:11:55.982
an improvement... [laughter] Uh,
why is that? First of all, uhm,

00:11:59.519,00:12:02.355
there's, there's like two
impacting factors, one is that

00:12:02.355,00:12:06.125
some airlines are more business
conscious than the other. So

00:12:06.125,00:12:11.397
they actually will check your ID
when you are boarding but again

00:12:11.397,00:12:14.233
it's not the airport thing -
it's the airline thing. So why

00:12:14.233,00:12:18.605
the airline do is protecting
their business so we don't buy

00:12:18.605,00:12:22.508
cheap tickets and then resell
them to somebody else. It's only

00:12:22.508,00:12:25.178
for that reason and it's mostly
local airline which will check

00:12:25.178,00:12:28.915
your IDs. Regular airlines
almost never check your IDs in

00:12:28.915,00:12:34.520
Europe. And the ID checks by
the, at the security, uh,

00:12:34.520,00:12:38.324
checkpoints have been abandoned
like two or three years ago.

00:12:38.324,00:12:41.661
When you are traveling
domestically, but not only

00:12:41.661,00:12:46.833
domestically because of Schengen
area, not sure how many of you

00:12:46.833,00:12:50.803
is gonna know what it is...
That's like 26 countries in

00:12:50.803,00:12:55.108
Europe, it's not the same as
European union. It's 26

00:12:55.108,00:12:58.544
countries in Europe which agreed
to like abandon border checks.

00:12:58.544,00:13:03.016
So you have increased boarding,
uh, border checks around the

00:13:03.016,00:13:06.653
Schengen area and a lot
information exchange in the

00:13:06.653,00:13:13.493
countries, uhm, on immigration.
But there's not check within the

00:13:13.493,00:13:16.863
area so you can freely roam, you
know, you don't need to follow

00:13:16.863,00:13:21.067
the border checkpoints you can
just hike in the mountains or

00:13:21.067,00:13:25.138
whatever. And one travelling
within the Schengen zone and it

00:13:25.138,00:13:30.076
was officially asked to the, you
know, government's why there's

00:13:30.076,00:13:32.879
no ID controls at the airports,
and it's like - there's no

00:13:32.879,00:13:36.683
reason to do it. The security is
provided by physical security

00:13:36.683,00:13:41.688
screening, fair enough. [pause]
Uhm, okay, let's go back a bit.

00:13:46.559,00:13:50.496
Turns out I didn't need to be
reverse engineering this

00:13:50.496,00:13:55.735
boarding pass. Uh, Formont, it's
you know, it's so public. It's

00:13:55.735,00:13:58.905
IATA resolution is all public,
you can just do, you can go and

00:13:58.905,00:14:04.477
download it. And, uh, this is
the part that is mandatory for

00:14:04.477,00:14:10.983
the boarding pass. So it's 60
characters and, uh, you get

00:14:10.983,00:14:15.421
things like firstname, lastname,
uh, you get compartment code

00:14:15.421,00:14:20.426
which is the, the travel class.
Can anybody spot a problem here?

00:14:23.229,00:14:25.932
This is all that is mandatory.
Nothing else is mandatory.

00:14:30.770,00:14:36.275
[pause] So I'm gonna help you
here... There's, there's

00:14:36.275,00:14:40.513
absolutely integrity checks and
no authentication provided. It's

00:14:40.513,00:14:45.485
just 60 characters and they're
as good as you provide them.

00:14:50.523,00:14:55.895
[pause] Just to be fair, this is
the full specification.

00:14:55.895,00:14:59.499
[audience noise] And there's a
bunch optional items and one of

00:14:59.499,00:15:03.903
them in the bottom is the
security part where you can

00:15:03.903,00:15:07.640
provide something that they call
a security certificate which is

00:15:07.640,00:15:11.177
basically a digital signature
for the boarding pass. So it CAN

00:15:11.177,00:15:15.448
be included but it's optional.
We will come back to that.

00:15:18.117,00:15:21.053
[pause] So, the other way to
verify it like I said would be

00:15:21.053,00:15:26.759
to look up the booking number in
the reservation system. So let's

00:15:26.759,00:15:29.896
see, where is this passengers
data stored? Where could it be

00:15:29.896,00:15:36.202
looked up? Uhm, basically it's
stored in something called

00:15:36.202,00:15:41.140
computer reservation systems
which, uhm, store your data in

00:15:41.140,00:15:45.244
terms of passenger name records
which include lots of data

00:15:45.244,00:15:49.282
including lot's of private,
private data. Which is not only

00:15:49.282,00:15:52.718
your, uh, firstname and
lastname, physical address,

00:15:52.718,00:15:56.622
email address but also things
like special requests which

00:15:56.622,00:15:59.258
means whether you need special
assistance like a wheel chair or

00:15:59.258,00:16:03.896
something; whether you have
special dietary requirements

00:16:03.896,00:16:07.266
which could tell you whether
you're Muslim, or Jewish or

00:16:07.266,00:16:10.570
things like that. And, uh,
loyalty programs information

00:16:10.570,00:16:13.539
etc, and uh, also if you
provided contacts for your

00:16:13.539,00:16:16.275
precious ones in case of
emergency would also end up

00:16:16.275,00:16:22.415
there. Uhm... [pause] So this is
one of the problems - there's a

00:16:22.415,00:16:26.452
lot of personal information
which is not, you know, allowed

00:16:26.452,00:16:30.156
to be shared between different
parties. The other problem is

00:16:30.156,00:16:32.992
there's a lot of competing
reservation systems out there.

00:16:32.992,00:16:36.495
It's not like there's a single
reservation system for all. So

00:16:36.495,00:16:42.134
it's not to just go and look up
the data by the, uh, PNR, uhm,

00:16:42.134,00:16:45.805
code and you will pull out
whatever you needed. You need to

00:16:45.805,00:16:50.042
know where to look for it.
[cough] And there are a number

00:16:50.042,00:16:55.214
of global distribution systems
which are, like, huge CRSs which

00:16:55.214,00:16:58.918
are used by multiple airlines -
most famous ones are like Sabre,

00:16:58.918,00:17:02.054
Amadeus, Galileo, Worldspan. But
there's also a lot of

00:17:02.054,00:17:05.725
proprietary ones which are used
by small airlines - they don't

00:17:05.725,00:17:10.162
pay their fees to, uhm, big
systems, they just run their

00:17:10.162,00:17:13.799
own. And as long as it works for
them, it's fine. Basically the

00:17:13.799,00:17:16.302
only place you need to lookup
this information is when you

00:17:16.302,00:17:18.504
check where you by your tickets
when you check in and when

00:17:18.504,00:17:21.707
you're boarding the plane.
[pause] So why do many airports

00:17:21.707,00:17:25.177
not have access to this data?
Also to make things more

00:17:25.177,00:17:28.414
confusion and complicated when
you make a single reservation it

00:17:28.414,00:17:32.685
may end up with bits of data
scattered around information

00:17:32.685,00:17:36.722
systems. When I made, when I
made the reservation for my

00:17:36.722,00:17:40.960
flight here I had a couple of
flight co-shared with Polish

00:17:40.960,00:17:44.630
airlines, the airline was United
which was using a different

00:17:44.630,00:17:47.967
reservations system than a lot
of Polish airlines, so at least

00:17:47.967,00:17:50.336
two reservation systems would be
involved. And, if I was making

00:17:50.336,00:17:52.605
that reservation through a
travel agency which is using a

00:17:52.605,00:17:56.042
third reservation system that
would be at least three PNR and

00:17:56.042,00:17:59.645
three reservations systems and,
you know, that's kind of

00:17:59.645,00:18:03.549
confusing. [pause] And data
access is not only limited

00:18:03.549,00:18:07.019
across, you know, different
reservation systems but not

00:18:07.019,00:18:09.355
everybody, like I said, because
of privacy issues - everybody

00:18:09.355,00:18:15.595
has access to the same pieces of
information in the system. And

00:18:15.595,00:18:22.568
yea, notice of a device, uh, the
barcode, uh, uhm [ahem]... Will

00:18:22.568,00:18:26.606
usually have more information
that is just in clear print and

00:18:26.606,00:18:30.576
if you use that information,
uhm... You can access

00:18:30.576,00:18:34.213
reservations, you can access a
lot this private data online and

00:18:34.213,00:18:36.449
you can even make some changes
like cancelling tickets or

00:18:36.449,00:18:41.387
modifying your itinerary. So
just don't post anything without

00:18:41.387,00:18:45.891
making sure anonymized or
blurred or something. And,yea,

00:18:45.891,00:18:48.094
this is just one of the
examples, which is kind of

00:18:48.094,00:18:50.830
ridiculous because like I said
anybody can go, if you know

00:18:50.830,00:18:54.734
which, uh, which CSR system is
used by the airline anybody can

00:18:54.734,00:18:58.437
go to the website. If you have
this PNR look, locator which is

00:18:58.437,00:19:02.675
also known as booking code or
reference, uh, re, reservation

00:19:02.675,00:19:08.481
number. You put it in and then
you put the passenger's name in

00:19:08.481,00:19:10.950
and you get most of the data.
This you can see whether the

00:19:10.950,00:19:13.753
reservation is there or not.
Airports are not allowed to do

00:19:13.753,00:19:18.758
so. [pause] And, uh, from the
reservation system the data is

00:19:21.193,00:19:24.330
then moved into a couple of
other systems. One of them would

00:19:24.330,00:19:27.900
be departure control system
which is basically the system

00:19:27.900,00:19:33.539
that used after you check in.
Uh, to make sure that only the

00:19:33.539,00:19:36.175
checked-in passengers get on
board, it also stores your seat

00:19:36.175,00:19:40.913
assignments, uh, baggage
information etc. Uh, there's

00:19:40.913,00:19:44.717
also a thing called API
-Advanced Passenger Information,

00:19:44.717,00:19:48.220
not advanced, adverse passenger
information which is sent to

00:19:48.220,00:19:51.390
border agencies of several
dozens of countries which

00:19:51.390,00:19:54.693
require that. So it will let
them know who is coming to their

00:19:54.693,00:19:57.229
country and they can do some
pre-screening and tell the

00:19:57.229,00:20:00.199
airlines, like, this guy needs
some additional security before

00:20:00.199,00:20:06.405
he boards the plane. There's
also PNRGOV which is not exactly

00:20:06.405,00:20:10.409
another system it's just a
message exchange format. Uhm to

00:20:10.409,00:20:14.447
exchange PNR information so the
passenger record information

00:20:14.447,00:20:18.517
with the government agencies -
it's not widely used though.

00:20:18.517,00:20:21.520
Apart from sending an adverse
passenger information which,

00:20:21.520,00:20:26.025
again, has nothing to do with,
uhm, looking up information at

00:20:26.025,00:20:29.395
the airports - it's just for
border agencies. And there

00:20:29.395,00:20:31.997
secure flight program which I
will, I will describe in more

00:20:31.997,00:20:37.603
detail in a moment. [pause] So,
okay, to make, to make things

00:20:37.603,00:20:41.373
easier for me I put up a simple
webpage and I hope I will be,

00:20:41.373,00:20:47.980
you know, able to show it...
[pause] Notice, it's all

00:20:47.980,00:20:52.218
javascript so it all works
offline and I found a nice,

00:20:52.218,00:20:57.223
javascript libraries for
producing Aztec codes.. So...

00:21:01.727,00:21:06.732
[pause] Uhm... [pause] The PNR
doesn't matter as I show you...

00:21:09.902,00:21:14.907
[pause] Uhm... [pause]
Whatever... [pause] Uhm...

00:21:32.825,00:21:37.763
[pause] And there you go!
[applause] And uh... wait wait

00:21:37.763,00:21:41.500
wait... Ahem. [applause] And I
forgot to tell you, the only

00:21:41.500,00:21:44.837
thing that actually needs to
work is the flight number and

00:21:44.837,00:21:47.807
the date. So the flight number
actually gets matched against a

00:21:47.807,00:21:50.776
list of flights that depart from
the airport. Also, yea, the

00:21:50.776,00:21:54.346
departure airport need to match
the, the, departure airport

00:21:54.346,00:21:58.250
configured with the gate and
the, the date need to match. It

00:21:58.250,00:21:59.985
can be also the next day cause
you know, enter the airport and

00:21:59.985,00:22:01.253
your flight is early in the
morning so it can be either two.

00:22:01.253,00:22:02.621
[pause] Uh... [pause] Okay, so
with paper it's just i little

00:22:02.621,00:22:03.956
bit less fun, like I said this
automatic gates help things

00:22:03.956,00:22:05.291
enormously because you don't
even have to deal with humans,

00:22:05.291,00:22:07.293
right? You don't have to produce
anything which is even remotely

00:22:07.293,00:22:08.627
legitimate-looking. It's just a
barcode. But when you need a

00:22:08.627,00:22:10.629
paper it's no big deal, you just
need to have this paper so, uh,

00:22:10.629,00:22:11.964
you need to edit the pdf,
probably, and I already have,

00:22:11.964,00:22:13.332
you know, a couple of templates
for, for the airlines I use.

00:22:13.332,00:22:14.667
And, uh, by the way Microsoft
Word is a great pdf editing tool

00:22:14.667,00:22:19.672
- really, you can, you can just
open the pdf and it will, you

00:22:50.202,00:22:53.038
know, convert it to Word
document and you can do all the

00:22:53.038,00:22:57.343
editing you need. And just
remember that, anyway, although

00:22:57.343,00:23:01.347
people look at the, people tend
to look at the paper they will

00:23:01.347,00:23:04.850
have to scan the coding, the
barcode anyway so it should

00:23:04.850,00:23:09.555
match the information you have
on the paper. [pause] So, now

00:23:09.555,00:23:12.992
let's get some fun, actually,
you know... Just, getting to the

00:23:12.992,00:23:18.197
airport is not much, so, uhm, so
how about accessing lounges? So

00:23:18.197,00:23:23.903
if contract lounges, there's
basically, it's almost too easy,

00:23:23.903,00:23:26.905
right? Because they no way to
access this private information

00:23:26.905,00:23:30.743
so they have no way to lookup
the passenger records. So, you

00:23:30.743,00:23:34.546
know, they will gladly buy
whatever you present. Just a bit

00:23:34.546,00:23:39.451
of advice - it needs to be based
on the travel class, because if

00:23:39.451,00:23:43.489
you present the gold card you
will be asked for the physical,

00:23:43.489,00:23:49.461
uh, gold card. Also your data
will be written down and

00:23:49.461,00:23:53.365
actually, uh, even if you have
the card but, the, for example,

00:23:53.365,00:23:56.368
the site has expired or
something they actually have a

00:23:56.368,00:24:01.874
way to look it up online. Uhm,
so, there is apparently a system

00:24:01.874,00:24:07.379
where you can look up the, uh,
status card status and if it's

00:24:07.379,00:24:13.085
valid and so on... [pause] So, a
bit trickier should it be with

00:24:13.085,00:24:15.988
the airline operated lounges,
right? Because they... [ahem]

00:24:15.988,00:24:18.190
They are the airlines, they have
access to the passenger data so

00:24:18.190,00:24:23.028
they should be able to verify
the status. [pause] And, uh,

00:24:23.028,00:24:26.098
there is at least on airline
which attempts to do it, it's

00:24:26.098,00:24:29.835
Scandinavian Airlines, they also
have these lounges... they will

00:24:29.835,00:24:33.505
let you in with automatic gates,
so I thought, alright, this is

00:24:33.505,00:24:36.709
easy and I travelled through
Copenhagen very often so it

00:24:36.709,00:24:41.013
gives you a lot of opportunities
for trial and error. [audience

00:24:41.013,00:24:46.151
noise] Yea, and they actually
do, they seem to do, the checks

00:24:46.151,00:24:48.587
on the reservation system. So,
whenever I've tried to, like,

00:24:48.587,00:24:53.759
fiddle with, like, booking
class, uhm, it would, uh, or my

00:24:53.759,00:24:58.197
status, it would just bounce me
with uh... It would always

00:24:58.197,00:25:02.134
bounce with the same message
like "Depart, departure airport

00:25:02.134,00:25:06.138
is, uh, not, not right" or
something like that. So now,

00:25:06.138,00:25:08.340
every... after it did so five
times I figured it must... must

00:25:08.340,00:25:09.675
be just one message for, you
know, all kinds of errors. So,

00:25:09.675,00:25:11.010
anyway, they do some checking.
Except, you know, there's

00:25:11.010,00:25:12.344
another, there's lot of other
airlines which, uh, passengers

00:25:12.344,00:25:13.712
of which are also eligible to
use the lounge. Like, SAS is in

00:25:13.712,00:25:20.085
Star Alliance, and there's about
15 or 20 other airline which are

00:25:20.085,00:25:25.090
on Star Alliance. And when you
are travelling on another

00:25:31.764,00:25:36.769
carrier with, within the same
alliance and you are traveling

00:25:39.638,00:25:42.241
on business you can still get
into the lounge. And guess what!

00:25:42.241,00:25:47.212
Not all airlines use the same
reservation system. So all you

00:25:47.212,00:25:50.582
need is to find that flight
which is departing, you know, in

00:25:50.582,00:25:54.620
a reasonable timeframe operated
by another carrier. Hopefully

00:25:54.620,00:25:57.389
that one uses another
reservation system, but, it

00:25:57.389,00:26:00.359
shouldn't be necessary. And
produce a ba... a fake boarding

00:26:00.359,00:26:04.830
pass for that carrier. And guess
what... It worked! [audience

00:26:04.830,00:26:07.433
noise] That's why I just used
Brussels Airlines which is

00:26:07.433,00:26:11.003
totally different reservation
system, I put that information

00:26:11.003,00:26:15.274
in the boarding pass from that,
uh, for the flight and it let me

00:26:15.274,00:26:19.278
in. [pause] Also, there's some
airlines which don't do it

00:26:19.278,00:26:22.681
properly. Specifically this one,
it's, uh, it's the best airline

00:26:22.681,00:26:24.683
in the world, according to many
people. One in Istanbul and it's

00:26:24.683,00:26:29.688
operated through Turkish
airlines, and I thought like,

00:26:32.758,00:26:38.797
"This is going to be hard",
because it's really, 99% of

00:26:38.797,00:26:43.635
flights are operated from
Turkish - uh, form that airport

00:26:43.635,00:26:46.738
on Star Alliance. So there are
very few flights which are Star

00:26:46.738,00:26:50.843
Alliance but not Turkish. So
what am I going to do? Well

00:26:50.843,00:26:53.412
let's first try if they will let
me in with, you know, just a

00:26:53.412,00:26:58.417
random Turkish flight data.
So... [pause] [audience noise]

00:27:06.425,00:27:11.630
[cough] And I just looked up,
you know, the departure, uh,

00:27:11.630,00:27:15.734
board. I looked up a random
flight from Istanbul to London

00:27:15.734,00:27:22.007
that week. [pause] I like to use
the name of Bartholomew

00:27:22.007,00:27:27.012
Simpson... [laughter] He was a
good prank, prankster... [pause]

00:27:35.187,00:27:40.192
Yea the date needs to match...
??[audience noise] [pause] And I

00:27:54.706,00:27:58.243
need to warn you, I had the
camera hidden in plain sight...

00:27:58.243,00:28:03.181
So. [laughter] [pause] It was
hanging from my shoulder bag.

00:28:05.317,00:28:10.022
??[cough] [pause] So this is the
automatic gates, no need to talk

00:28:10.022,00:28:15.027
to the dragon lady. [laughter]
[applause] And, by the way, this

00:28:23.802,00:28:28.206
is the full sized cinema...
[audience noise] Inside the

00:28:28.206,00:28:33.212
lounge... [pause] Yea... and,
uh... Yea... [laughter] You

00:28:37.816,00:28:41.320
don't need to be travelling,
like I said. You can do the same

00:28:41.320,00:28:44.256
to enter the airport, you will
still go through security

00:28:44.256,00:28:48.193
screenings. So they, they will
take all your liquids but...

00:28:48.193,00:28:51.630
[laughter] No need to worries
here... [pause] And you know,

00:28:51.630,00:28:56.902
after Wired, uhm, did an article
on this, and they actually

00:28:56.902,00:29:00.639
published this video I got...
lots of requests by the way.

00:29:00.639,00:29:04.443
This one is from Israeli lawyer.
[laughter] Like, what's wrong

00:29:04.443,00:29:07.746
with Israeli lawyers, really are
they paid so bad that they can't

00:29:07.746,00:29:14.019
afford lounge access? [laughter]
[ahem] One other nice thing is,

00:29:14.019,00:29:18.156
uh, you have duty free shops at
the airports, right? And again,

00:29:18.156,00:29:20.792
you don't need to be traveling.
And in many countries it's not

00:29:20.792,00:29:23.662
like in the US, you don't get
your shield bag in the passenger

00:29:23.662,00:29:28.667
seat, you get it to go... And,
uh, the eligibility for tax-free

00:29:30.736,00:29:34.473
prices is depend, is, uh,
determined whether you are

00:29:34.473,00:29:37.709
travelling inside the EU or
outside the EU. So, if it's

00:29:37.709,00:29:42.948
inside the EU, it's domestic
prices, so, uh, including, and

00:29:42.948,00:29:47.019
if you're travelling outside EU,
uh, you get this tax-free price.

00:29:47.019,00:29:51.990
And here's the difference...
[audience noise] So, uh, to

00:29:51.990,00:29:55.560
convert it to you it's one
liter, I have no idea what it is

00:29:55.560,00:30:00.966
in the US. [chatter] But it's,
uh, about 25 shots... And 20...

00:30:00.966,00:30:05.971
[laughter] And, uh... [applause]
And 25 Zloty is about $7, so I

00:30:10.008,00:30:16.882
think it's a good deal. [cough]
So what do we get, it's, uh,

00:30:16.882,00:30:21.219
airport taxes so we can meet and
greet your loved ones, do some

00:30:21.219,00:30:24.122
sightseeing, fast-track free
lunch and booze, duty-free

00:30:24.122,00:30:28.460
shopping. [laughter] Okay, let's
get to some serious stuff, uh,

00:30:28.460,00:30:33.165
what can be done to prevent it?
And what is actually done to

00:30:33.165,00:30:38.236
prevent it? So, AITA has a nice
section, about 80 pages or so

00:30:38.236,00:30:40.972
document, they have this half a
page section on fraud

00:30:40.972,00:30:46.778
prevention. Uh, which nicely
identifies the risks associated

00:30:46.778,00:30:50.849
with boarding pa, with BSBP. So
it can be modified, it can be

00:30:50.849,00:30:54.519
forged, it can be duplicated,
and pretty much all the

00:30:54.519,00:30:58.256
mitigation they came up with is
- check that the passenger is on

00:30:58.256,00:31:02.794
the passenger name list; and uh,
add a certificate. Like, I

00:31:02.794,00:31:04.396
already said, by certificate
they really mean digital

00:31:04.396,00:31:10.669
signature. [pause] So, let's see
how the digital signature is

00:31:10.669,00:31:15.640
doing. So it was introduced in
2009 by, uh, version three of

00:31:15.640,00:31:21.313
the standard, and is based on
PKI and one thing about PKI is

00:31:21.313,00:31:23.749
it needs to be deployed
properly, right? So it we need

00:31:23.749,00:31:29.254
to distribute the public keys so
it will have to be there at

00:31:29.254,00:31:35.093
every checkpoint, uh, you'll
have to maintain the serials,

00:31:35.093,00:31:40.198
etc. etc. And also many airlines
will still use version one which

00:31:40.198,00:31:44.736
will not support digital
signatures. So all the readers

00:31:44.736,00:31:51.209
also need to support the old
version, and, again, this field

00:31:51.209,00:31:53.779
is optional and this is quote
from the document "This is

00:31:53.779,00:31:56.181
optional and only to be used
only when required by the local

00:31:56.181,00:31:59.818
security, uh, administration."
So it's not even encouraged,

00:31:59.818,00:32:05.657
like, it's only to be used when
it's required. [pause] The

00:32:05.657,00:32:11.163
specific algorithm is determined
by the authority, and, uh, this

00:32:11.163,00:32:17.402
was enforced by TSA to US
carriers, but not entirely. For

00:32:17.402,00:32:21.072
example, when I was travelling
here, uh, I had my boarding card

00:32:21.072,00:32:24.910
produced in Amsterdam and it was
printed neatly on united paper

00:32:24.910,00:32:29.748
but it had no digital signature,
how did you counter that?

00:32:29.748,00:32:33.685
[pause] Uhm, there's another
thing that could be used, it's a

00:32:33.685,00:32:35.053
standard code BSBP XML, this is
for transporting data between

00:32:35.053,00:32:36.388
checkpoints and the airline
systems, so again, it's just the

00:32:36.388,00:32:37.722
data format which is
standardized by AITA. And it

00:32:37.722,00:32:39.057
could be used to check the PNR
data against the reservation

00:32:39.057,00:32:42.828
systems with no privacy, private
information getting transferred.

00:32:42.828,00:32:48.633
So you, you just send whatever
you scanned from PNR and the

00:32:48.633,00:32:53.638
airline would cut up, come up
with a 0 or 1, so "good to go"

00:33:09.955,00:33:13.425
or "not good to go". Possibly
with an explanation if it's not

00:33:13.425,00:33:19.497
good to go, uh, with a reason.
The problem again is the

00:33:19.497,00:33:24.502
complexity, uhm, many airports
are serving, like, more than 200

00:33:27.439,00:33:31.309
airlines and they would have to
connect to each of their

00:33:31.309,00:33:38.183
reservation systems, right? And
if they don't connect to 10 out

00:33:38.183,00:33:41.586
of 200 you still have a way to
produce a fake boarding pass

00:33:41.586,00:33:44.556
pretty much and if you don't
cover 100% you still get a

00:33:44.556,00:33:49.194
loophole, right? [pause] So,
just the complexity of the

00:33:49.194,00:33:53.164
solution probably is the reason
why it doesn't really work. And,

00:33:53.164,00:33:57.836
I haven't seen it deployed
anywhere. And there's also one

00:33:57.836,00:34:02.974
thing that TSA seems to be doing
right at least starting from,

00:34:02.974,00:34:08.346
uh, 2013 - so "Secure Flight" is
a program that they've

00:34:08.346,00:34:14.219
implemented in, in 2009, uhm,
and the reason for the program

00:34:14.219,00:34:19.324
was to take over the monitoring
of watchlists. So the no-fly

00:34:19.324,00:34:24.162
lists and the secondary
screening lists from the

00:34:24.162,00:34:28.300
airlines to the TSA authorities.
So, instead of relying on

00:34:28.300,00:34:33.238
airlines, they say like "No, no,
no we need this information and

00:34:33.238,00:34:37.676
we will do the verification",
right? Uhm, also part of the

00:34:37.676,00:34:43.214
secure flight is the TSA
pre-check program, uh, into 2011

00:34:43.214,00:34:49.487
so you get this nice BCBP, uhm,
field specifically for this

00:34:49.487,00:34:53.425
reason which is called select
indicator which tells you

00:34:53.425,00:34:59.297
whether you are, uh, like,
selected for the secondary

00:34:59.297,00:35:01.800
screening or whether you're
eligible for precheck or whether

00:35:01.800,00:35:06.805
you're just traveling as usual.
[pause] And in 2013 TSA started

00:35:09.174,00:35:12.744
networking their devices, the
scanning devices, to put

00:35:12.744,00:35:18.350
passengers data from this secure
flight. But it includes

00:35:18.350,00:35:21.119
passenger's full name, gender,
date of birth, screening status,

00:35:21.119,00:35:25.223
reservation of their flight
itinerary. So it can be verified

00:35:25.223,00:35:27.926
if it's deployed at all the
airports, I'm not sure about

00:35:27.926,00:35:33.298
that. It can be verified at the
screening checkpoint, and if it

00:35:33.298,00:35:38.236
doesn't match exactly, you know,
they have like a nice list of

00:35:38.236,00:35:42.273
suggestions, like "This, this
passenger's name is close

00:35:42.273,00:35:46.077
enough", you know, "Maybe it's
one of these..." so technically

00:35:46.077,00:35:50.548
they have a way to do it now.
Again, whether it's deployed

00:35:50.548,00:35:54.285
properly and how many airport
support it I'm not sure. It just

00:35:54.285,00:35:59.190
started in 2013 and generally
it's, it's the correct way to do

00:35:59.190,00:36:05.530
it, probably. [pause] And, okay,
why is DefCon awesome I felt I

00:36:05.530,00:36:09.434
had my presentation all fixed
and done and then I think it was

00:36:09.434,00:36:15.640
like Tuesday or Wednesday I get
contacted by, uhm, Kyle Kosher

00:36:15.640,00:36:19.811
saying , like, I saw your talk
on the agenda and,uh, here's

00:36:19.811,00:36:23.615
something that I got from Ebay
and maybe you want to play with

00:36:23.615,00:36:27.619
that. And the something
was..[mic contact][groaning]

00:36:27.619,00:36:32.624
This beauty... [laughter]
[cheering] [applause] [mic

00:36:42.033,00:36:45.003
contact] So it's a device you're
normally not allowed to buy.

00:36:47.305,00:36:52.911
[laughter] [ahem] I think...
[chuckles] So this information

00:36:52.911,00:36:56.147
is on the public website so
we've got, you know, this level

00:36:56.147,00:37:00.518
of specification, but, uh, it
would only be sold by limited

00:37:00.518,00:37:05.223
number of parties. And, this,
this is offer is no longer

00:37:05.223,00:37:06.925
available on Ebay,
unfortunately. It was I think

00:37:06.925,00:37:12.363
160 Dollars. [chatter] Not a big
deal. So I had like two days to

00:37:12.363,00:37:16.768
play with it and I exchanged
couple of messages with Kyle and

00:37:16.768,00:37:22.140
uhm... [pause] Here's how it
works. [pause] So you see the

00:37:22.140,00:37:27.145
booting... [pause] You'll see
airport is dash dash dash... and

00:37:34.152,00:37:36.988
because departure airport is not
configured. So it's, you know,

00:37:36.988,00:37:41.626
we have some constraints.
[pause] So let's try scanning

00:37:41.626,00:37:48.199
any random boarding pass... So,
you know, when you go with the,

00:37:48.199,00:37:51.169
any random old boarding pass
likely the departure airport is

00:37:51.169,00:37:54.506
not dash dash dash, it's
something else. And the date is

00:37:54.506,00:37:57.342
probably not the same as on the
boarding pass, uh, on the

00:37:57.342,00:38:00.712
scanner, sorry. But it will have
a valid signature, let's see

00:38:00.712,00:38:05.717
what it does. [pause] [beep
noise] [machine working] So it

00:38:07.852,00:38:14.692
says "invalid departure
location, refer to counter". So

00:38:14.692,00:38:17.562
it did not complain about the
signature but about the

00:38:17.562,00:38:22.600
departure airport. So, okay,
let's fix that departure

00:38:22.600,00:38:27.605
airport. [pause] Agh! Damnit...
[machine working] Sorry again...

00:38:45.957,00:38:50.962
[ahem] [pause] This time with
audio... [pause] [beep noise]

00:38:59.270,00:39:01.206
[pause] [audience noise] [pause]
[machine working] [click sound]

00:39:01.206,00:39:03.208
[beep noise] [beep noise] [beep
noise] So, three beeps, not good

00:39:03.208,00:39:04.709
to go. Red light. But all it
says is "invalid departure

00:39:04.709,00:39:10.515
location..." [pause] [machine
working] So now you see, using

00:39:10.515,00:39:15.987
my mobile phone, my, you know...
[beep noise] [beep noise] [beep

00:39:15.987,00:39:19.023
noise] Okay! So now the, the
departure location was okay,

00:39:19.023,00:39:22.861
date was okay but the signature
was invalid. [pause] And it says

00:39:22.861,00:39:27.866
"Refer to superior". Wow...
[laughter] [machine working]

00:39:39.110,00:39:40.445
[click noise] So... [beep noise]
[laughter] [applause] [sniff]

00:39:40.445,00:39:42.046
[applause] So, I dunno if you
noticed but it actually said

00:39:42.046,00:39:46.150
that, that, yea... That the sig
is not there so it should go

00:39:46.150,00:39:49.787
for, for some manual checking.
The problem I see here is it

00:39:49.787,00:39:53.424
still gives you a green light
and uh, you know, one beep. So

00:39:53.424,00:40:00.098
depending, you know, on how, uh,
vigilant, you know, the, the TSA

00:40:00.098,00:40:03.501
agent is and how much noise to
radio he has, he has, you know,

00:40:03.501,00:40:08.506
a good chance missing this.
[machine working] [tick sound]

00:40:13.444,00:40:19.617
[pause] So, yea let's try
modifying this select the

00:40:19.617,00:40:22.220
indicator. [machine working]
[click noise] [beep noise] [beep

00:40:22.220,00:40:25.657
noise] [beep noise] So, three
beeps, green light and you see

00:40:25.657,00:40:32.096
the "LLL". So you're eligible
for precheck. [pause] Or, if you

00:40:32.096,00:40:34.899
fancy you can actually...
[laughter] Go for secondary

00:40:34.899,00:40:39.904
screening... [laughter] [machine
working] [click noise] [beep

00:40:52.517,00:40:54.185
noise] [audience noise] Yea,
"SSS"... [pause] [sniff] Okay,

00:40:54.185,00:40:56.354
so, uh, airport access is
confirmed, fast track is

00:40:56.354,00:40:58.856
confirmed, free lunch and booze
is confirmed, duty-free shopping

00:40:58.856,00:41:02.093
is confirmed, pre-check - I'm
not sure, right? Nice idea to

00:41:02.093,00:41:08.900
play with if you have balls.
[laughter] Uhm... so, now for

00:41:08.900,00:41:12.103
responsible disclosure, right?
Actually went out and I tried to

00:41:12.103,00:41:15.073
talk about this problem to
several authorities and airports

00:41:15.073,00:41:19.310
and airlines because it's their
problem eventually. And, this is

00:41:19.310,00:41:23.681
what I,uh, what came back. So
first I contacted LOT Polish

00:41:23.681,00:41:27.752
Airlines. [laughter] They say
like, "We just, we just issue

00:41:27.752,00:41:31.556
boarding passes and it's the
airport the verifies it." So I

00:41:31.556,00:41:34.659
went to, uh, the airports and in
these two cases I was lucky

00:41:34.659,00:41:37.328
because I actually has, you
know, known people on the

00:41:37.328,00:41:40.264
management board, at the
management board level and I was

00:41:40.264,00:41:44.802
able to talk to them in person
and I... And uh, airport

00:41:44.802,00:41:47.572
authorities said like "Yea, it's
a known issues but it's not

00:41:47.572,00:41:51.943
really a problem", well, you
know, "You're following all the

00:41:51.943,00:41:55.346
laws and guidelines, that's
fine." Then the Civil Aviation

00:41:55.346,00:41:58.683
Authority, like, they, it took
them three or four months to

00:41:58.683,00:42:03.287
reply. The said, all they had to
say was like, "Boarding pass

00:42:03.287,00:42:07.558
forgery is a crime, don't do
it". [laughter] So, okay.

00:42:07.558,00:42:11.062
According to my lawyer, not
exactly my lawyer, but a lawyer

00:42:11.062,00:42:14.532
I know... [ahem] [laughter] Is
a, if you want to have a

00:42:14.532,00:42:18.669
legitimate document you need to
have a way to verify it. It's

00:42:18.669,00:42:21.005
not a document if you can not
verify it. It doesn't, you know,

00:42:21.005,00:42:24.909
bear any signature at all. They
said like, it's it's not the

00:42:24.909,00:42:27.378
exact wording that they used but
it was pretty much the message,

00:42:27.378,00:42:32.150
right... [laughter] And, uhm...
this is also what I got from

00:42:32.150,00:42:37.155
turkish airlines and SAS, so I,
you know, I... [laughter] Uh....

00:42:42.293,00:42:47.064
no comment here. And the
question you might have - will

00:42:47.064,00:42:50.334
it actually get me flying?
[pause] And I, the short answer

00:42:50.334,00:42:53.604
would be no... [audience noise]
There would be very rare

00:42:53.604,00:42:57.341
circumstances where you would be
able to get on the plane but

00:42:57.341,00:43:00.178
you'd be likely spotted before
it even departs. And it would

00:43:00.178,00:43:02.413
get you into a lot of trouble.
[audience noise] So, I don't

00:43:02.413,00:43:05.683
recommend doing that. [pause]
But, you can still, you can

00:43:05.683,00:43:09.153
still have a nice souvenir, and
that's a, a kind of a bonus. So

00:43:09.153,00:43:11.956
one of the airports in Europe,
and I will not name them because

00:43:11.956,00:43:15.092
they actually have, the, they've
communicated very openly with me

00:43:15.092,00:43:18.096
and they said like "Why... what
it is?" they confirmed this

00:43:18.096,00:43:22.200
because privacy. Uh, they
decided to have like loyalty

00:43:22.200,00:43:26.037
program for the passenger which
makes sense because the airport

00:43:26.037,00:43:28.806
collects fees on every departing
passengers. So they want to

00:43:28.806,00:43:33.010
encourage traffic. So they have
this, you know, a list of

00:43:33.010,00:43:36.481
gadgets that you can get for a
certain number of points. And

00:43:36.481,00:43:38.883
the points you get for every
departing flight and to register

00:43:38.883,00:43:42.386
at departing flight you need to
scan your loyalty card and your

00:43:42.386,00:43:45.890
boarding pass. [laughter]
[applause] Right? What can go

00:43:45.890,00:43:52.029
wrong, right? [laughter] So...
here's a simple equation.

00:43:52.029,00:43:55.333
[chuckles] [laughter] So, I
really liked the blanket in the

00:43:55.333,00:43:59.971
middle it would cost me 600
points which is 6 flights and

00:43:59.971,00:44:04.008
you see 5 QR codes because, uh,
you know, I had one, uh, legit

00:44:04.008,00:44:08.613
flight. [laughter] I was like,
you know, it was, and the funny

00:44:08.613,00:44:11.582
thing is that, it was, you know,
I, I even made it look legit...

00:44:11.582,00:44:15.586
sort of legit cause I produced
the QR codes of the flights,

00:44:15.586,00:44:21.192
like, over the next, over the
next two days. And, uh, it could

00:44:21.192,00:44:24.161
really fit into a story like "I
was flying to Edinburgh and then

00:44:24.161,00:44:27.198
going in three hours..." and you
know I could make it. [laughter]

00:44:27.198,00:44:32.203
So to wrap it up - it's the
priva, privacy and complexity of

00:44:34.205,00:44:38.609
the system which is preventing
this exchange of data, and, uh,

00:44:38.609,00:44:43.080
you know. Most important part
was, while US did a reasonably

00:44:43.080,00:44:47.151
good job preventing that, uhm,
other places actually lowered

00:44:47.151,00:44:51.789
the bar for us. Especially
within introducing the , uh,

00:44:51.789,00:44:55.927
uhm, the automatic gates. So
here are the sources and the,

00:44:55.927,00:45:01.499
the, don't worry because, uh,
this is only for the slides. And

00:45:01.499,00:45:06.203
most of that will also be on the
conference DVD, so thank you. I

00:45:06.203,00:45:11.208
don't think we have time for
questions but, I hope you liked

00:45:16.380,00:45:20.551
it. [applause]