Want to Access a Fancy Airport Lounge? Just Fake a QR Code.
Tired of watching others waltz into those fancy airport lounges, to pamper themselves in luxury and comfort (and yummy food and drinks) while they wait for their next flights? Wish you had access to these areas? If you get creative with your QR code creation, like computer security expert Przemek Jaroszewski, then you can easily spoof your way into wherever you want.
At least, that's what Jaroszewski did when his frequent flier status glitched and he wasn't allowed admittance into one of the fancy airline lounges he knew he could otherwise access. His solution? Build an Android app that generates made-up QR codes, which contains his name (a fake one), as well as all the key details he needs to get into the lounges: upcoming flight numbers, his destinations and a status for whichever carrier's lounge he's trying to get into.
"While traveling through airports, we usually don't give a second thought about why our boarding passes are scanned at various places. After all, it's all for the sake of passengers' security. Or is it? The fact that boarding pass security is broken has been proven many times by researchers who easily crafted their passes, effectively bypassing not just 'passenger only' screening, but also no-fly lists," reads a description of Jaroszewski's talk at this year's Defcon conference.
"Since then, not only security problems have not been solved, but boarding passes have become almost entirely bar-coded. And they are increasingly often checked by machines rather than humans. Effectively, we're dealing with simple unencrypted strings of characters containing all the information needed to decide on our eligibility for fast lane access, duty-free shopping, and more…"
As Wired reports, Jaroszewski has only tested his QR-based spoofing in European airports. And, of course, his trick would be easily defeated by any airport lounge that asks to see a passport or other form of identification to verify that he's actually who he is listing with the QR code. Though he could use his real name to thwart that, he would also have to make sure that the airline lounge doesn't cross-reference his details against a master list of eligibility.
In other words, there are plenty of things that can go wrong with his little trick. And, no, he's not using it to try and board flights under a different name; he surmises that the security checks are too strong to allow him to do that (nor would he want to).
He's also not releasing his little QR-creating code to the public. You'll just have to earn your elite status the hard way.