Take care of your boarding pass

During the last weeks before Christmas, I found myself traveling more than usual throughout Germany and Europe. While I was waiting at the airports I recognized some typical behaviors that passengers showed before and after the flight. Before the boarding begins the flight ticket is handled like a precious, golden egg and stored safely in handbags, wallets, the inside of jackets or trouser pockets. Not only that, but people also seemingly feel the need to check every five minutes if it's still there and hasn't just gotten up and left. As soon as the plane lands at the destination airport, however, that precious item lands in the trash without as much as a second thought. And it's not surprising, given that one can only board a flight with a valid ticket and that said ticket can't be used to board another flight after that. But your ticket is far from worthless, not because it can be used as a ticket, but because of the information it holds. This goes for old tickets that are thrown away and twice as much for photos of tickets that are posted on social network sites.

The interesting thing with boarding passes is the information that is stored in their bar codes, which usually use the PDF417 encoding. Besides the data that is already printed on the ticket, the bar codes also contain confidential information such as the booking reference.

[Image: boarding pass template]

A slightly modified version of the example in the picture above would be:

    M1DOE/JANE E2EM3UT METGOTGA 1234 060F01A 0500

We changed the values to a more realistic (although still fake) example, like you would get from some random ticket you picked up while dumpster diving at an airport.

  • M1: Format code
  • DOE/JANE: Your name
  • E: Electronic ticket indicator
  • 2EM2UT: Booking reference
  • METGOTGA: Metropolis (MET), Gotham (GOT), Gotham Airline (GA)
  • 1234: Flight number
  • 060: Julian date for 29th February 2016
  • F: First class (F), mostly Y for regular cabin or J for business class
  • 01A: Seat
  • 05: Sequence number (5th person to check-in)
  • 00: Airline specific message

This really doesn't look all that spectacular at first glance, but combine the booking reference with the name of the ticket holder and with a bit of luck you might just get access to much more than that. To keep things simple, airlines often allow customers to manage their flights by identifying themselves by name and booking reference. The available information differs between airlines but often includes a list of future booked flights, the ability to change seats and food reservations (vegan, lactose free, etc.) as well as personal information such as contact data (email, phone, address) and in some cases even banking details. In a worst case scenario, an attacker would even be able to change the name of the ticket holder or be able to book or cancel flights. In other words, if someone with bad intentions were to get their hands on your flight ticket, it could end badly for you.
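The field breakdown above can be turned into a small parser. This is an added example, not code from the original post: it splits the sample string exactly as printed above into named fields, converts the Julian date, and masks the two fields that together act as a login. The regular expression assumes the whitespace-collapsed layout of the post's sample, and the function names are made up for illustration.

```python
import re
from datetime import date, timedelta

# The post's fake sample, with spacing as printed there (a real barcode
# payload is padded to fixed widths; this collapsed layout is an assumption).
SAMPLE = "M1DOE/JANE E2EM3UT METGOTGA 1234 060F01A 0500"

# Field order follows the post's bullet list.
PATTERN = re.compile(
    r"(?P<format>M\d)(?P<name>[A-Z]+/[A-Z]+)\s+"
    r"(?P<eticket>E)(?P<booking_ref>[A-Z0-9]{6})\s+"
    r"(?P<origin>[A-Z]{3})(?P<dest>[A-Z]{3})(?P<carrier>[A-Z0-9]{2})\s+"
    r"(?P<flight>\d{1,4})\s+"
    r"(?P<julian>\d{3})(?P<cabin>[A-Z])(?P<seat>\d{2}[A-Z])\s+"
    r"(?P<sequence>\d{2})(?P<airline_msg>\d{2})"
)

# The pair the post says many airlines accept as identification.
SENSITIVE = ("name", "booking_ref")

def _match(text):
    m = PATTERN.fullmatch(text.strip())
    if m is None:
        raise ValueError("string is not in the sample's layout")
    return m

def parse_pass(text):
    """Split a decoded string into the named fields from the post."""
    return _match(text).groupdict()

def flight_date(julian, year):
    """Day-of-year to date; the year is not in the data, so the caller supplies it."""
    return date(year, 1, 1) + timedelta(days=int(julian) - 1)

def redact(text):
    """Mask name and booking reference, keeping the string's length."""
    text = text.strip()
    m = _match(text)
    for field in SENSITIVE:
        a, b = m.span(field)
        # Same-length masks, so the other field's offsets stay valid.
        text = text[:a] + "*" * (b - a) + text[b:]
    return text

if __name__ == "__main__":
    fields = parse_pass(SAMPLE)
    print(fields, flight_date(fields["julian"], 2016), redact(SAMPLE), sep="\n")
```
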

Unfortunately it's not difficult at all to get bar code scanners which are able to read PDF417 bar codes. There are many free scanners available for Android, iOS and Windows and some of the more expensive ones are even able to scan the bar codes from difficult perspectives. And then there are also websites that can decode uploaded bar codes.

Long story short: Take care of your tickets, before and after the flight, and especially of the bar code. If you don't want to either keep or properly dispose of your tickets (shredder), the least you can do is tear the bar code into two pieces and throw them into different bins, preferably not at the airport.

While partial barcodes can often still be readable, extracting the original data shouldn't be possible. For example, the bar code above split into two pieces horizontally gave us the following two strings when decoded.

    upper half: NLB3:4      >
    lower half: GHJCACECI1==    {{{{{'{{{'>~{{{{{{{{{{/){;{{{{{{{{{?{{{{{'{{{{{{{{]['!'*@~>`>@;;';';;<;RUSM

Ripping the bar code apart vertically made it impossible for our scanner to decode it at all. If you're on a business trip, either file the ticket with your travel expenses or put it through a paper shredder. Obviously the same goes for social media, so don't post photos of your flight tickets and their bar codes.

Sources: shaun.net; wikipedia.org