Everyone who has doubted the security of quick response codes is currently pointing at a sizeable hack.
Airports are usually considered to be areas where security levels are quite high, but a hacker recently used a QR code generator to gain access to a fancy airport lounge. The lounges typically require passengers to carry first class tickets. This hacker created spoofed QR codes to dodge the expensive booking.
The hack was conducted from within the airport and used a custom Android app created on the spot.
Fortunately, the incident was not a threatening one. The hacker in question was the head of the Computer Emergency Response team in Poland, Przemek Jaroszewski. Jaroszewski was declined access to the Warsaw airport lounge despite his gold frequent flyer status. As it turns out, he was turned away as a result of a computer error.
Out of frustration with the situation, he sat down and created a basic Android app that would work as a QR code generator. This special mobile application provided functional quick response codes but directed to artificial credentials he created for himself.
Jaroszewski has since used the QR code generator app to test whether or not it works in many airports.
Since first creating it, he has used it to use a false name, his real flight number, destination, and a seat class higher than coach. So far, the hack has always worked because the automated readers don’t conduct any information cross-checks from QR codes. Instead, it scans the code and as long as the information is all there, along with a real flight number, it is assumed to be valid.
Clearly, this is a massive mobile security flaw which provides users with more than airport lounge access. The QR code scans do allow people into restricted lounges. However, they also make it possible for users to make duty-free purchases without having to buy an actual plane ticket.
It is important to note that Jaroszewski has no intention of publicly releasing the QR code generator app. Moreover, he had simultaneous legitimate access to the airport lounges for which he used the mobile app to gain entry.
