Airport lounges can be duped easily by fake QR codes

QR codes, like barcodes, are becoming ubiquitous thanks to their convenience and how much data they can compress into such a small space. However, they are not exactly the most secure, nor even the most accurate, method of identification. That was part of the point that security expert Przemek Jaroszewski made in his Defcon presentation, demonstrating how a generated fake QR code was able to easily fool an automated security reader in one of the places where you'd expect things to be exclusive and secure: an airport lounge.

Jaroszewski's experience was probably born partly out of frustration and partly out of retaliation. He was denied access to a lounge in a Warsaw airport just because the QR code reader erroneously rejected his boarding card. So what is a hacker supposed to do? Why, write a 600-line program that generates a fake QR code, of course! Lo and behold, the QR code for a certain, of course fictional, "Bartholomew Simpson" was able to get in.

The anecdote isn't really just about how to fool such automated systems simply in order to gain VIP privileges, whether legit or not. Jaroszewski makes a larger point, one that should probably strike fear into the hearts of travelers, given the tragic events of the last decade or so.

Airport security systems have become increasingly dependent on such automated scanning systems and have removed manual checking, for convenience, speed, and supposedly for increased safety. But as Jaroszewski and others have proven, the latter is not exactly true. Never mind directly hacking into those machines or networks. Being able to trick the machine using crafted and fake codes is enough to bypass security checks.

The sad, and frightening, part is that despite the mounting evidence provided by hackers such as Jaroszewski, many airports, especially outside the US, seem not to be taking action to fix such gaping security holes. Hopefully, one of these days they will take notice. And hopefully, before something tragic happens again.

VIA: Boing Boing