Spoofing boarding pass QR codes with simple app

Przemek Jaroszewski, the head of Poland’s CERT, says anyone can bypass the security of the automated entrances of airlines’ airport lounges by using a specially crafted mobile app that spoofs boarding pass QR codes.

He created one for himself, and successfully tried it out at a number of European airports.

Usually, to enter these lounges, travellers need to let the scanner at the entrance scan the QR code on their boarding pass, and the doors open automatically.

Jaroszewski created an Android app that creates fake but acceptable QR codes. He says that aside from a valid flight number, the QR code doesn’t have to include correct information (traveller’s name, flight destination, etc.).
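
Seen from the defender's side, the weakness is a gate that trusts whatever the code says about itself. The following is an added example, not code from Jaroszewski's talk or from any airline system: it puts a check that accepts a code on its flight number alone beside one that resolves the scanned fields against the airline's own passenger records. The field set, the manifest layout and every sample value are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScannedPass:
    """Fields a gate reader decodes from the code (illustrative field set)."""
    name: str
    flight: str
    booking_ref: str
    cabin: str

# Constructed sample data standing in for the airline's own records.
TODAYS_FLIGHTS = {"XX123", "XX456"}
MANIFEST = {
    # (flight, booking_ref) -> (name, cabin, lounge entitlement)
    ("XX123", "ABC123"): ("KOWALSKA/ANNA", "C", True),
    ("XX123", "DEF456"): ("NOWAK/JAN", "Y", False),
}

def weak_gate(p: ScannedPass) -> bool:
    """The behaviour the article describes: only the flight number must be valid."""
    return p.flight in TODAYS_FLIGHTS

def hardened_gate(p: ScannedPass) -> tuple[bool, str]:
    """Treat the code as a claim and resolve it to a record the airline holds."""
    record = MANIFEST.get((p.flight, p.booking_ref))
    if record is None:
        return False, "no such booking on this flight"
    name, cabin, lounge_ok = record
    # Every self-asserted field must agree with the record, not just the flight.
    if (p.name.strip().upper(), p.cabin.upper()) != (name, cabin):
        return False, "code does not match airline record"
    # Entitlement comes from the record, never from the scanned code.
    if not lounge_ok:
        return False, "passenger not entitled to lounge"
    return True, "ok"

SAMPLES = {  # constructed test inputs
    "genuine": ScannedPass("KOWALSKA/ANNA", "XX123", "ABC123", "C"),
    "made_up": ScannedPass("TEST/USER", "XX123", "ZZZ999", "C"),
    "altered_cabin": ScannedPass("NOWAK/JAN", "XX123", "DEF456", "C"),
    "economy": ScannedPass("NOWAK/JAN", "XX123", "DEF456", "Y"),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        print(f"{label:14} weak={weak_gate(p)} hardened={hardened_gate(p)}")
```
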

He says that he only ever tried the trick at European airports, so he doesn’t know if it would work in the US or anywhere else around the world. He also made sure to note that he tested the “attack” only when he actually was allowed inside those lounges because he had a valid boarding pass.

The fake QR codes were also accepted at duty-free shops at airports.

It’s very unlikely that the trick would allow an attacker to get on an actual flight, as other security measures in place would probably reveal that the attacker is not in possession of a legitimate boarding pass. Nevertheless, Jaroszewski has proven that boarding pass security issues continue to crop up.

According to Wired, the US Transportation Security Administration (TSA) and the International Air Transport Association (IATA) don’t consider this particular issue a big problem, or a problem that they have to fix. It’s the airlines’ responsibility to improve security for their systems.

Jaroszewski demonstrated the attack and the app at the DEF CON security conference, but didn’t publish the code for it, even though, he said, motivated hackers can easily write their own.
