Nowhere is the distinction between the haves and have-nots more apparent than when waiting for a flight at the airport. But it turns out you might not need an actual first class ticket to get into a swanky airport lounge—just a custom Android app that spits out a boarding pass-spoofing QR code.
Przemek Jaroszewski is the head of Poland’s Computer Emergency Response Team and a frequent flyer with gold status. When he wasn’t able to gain access to the lounge at Warsaw’s airport due to an error with an automated boarding pass reader, he created a simple Android app that generates a valid QR code based on fake credentials he inputs.
To get into most swanky airport lounges in Europe, where Jaroszewski has tested his creation dozens of time, all he needs to generate is a QR code using a fake name, his flight number, his destination, and his class—which presumably always needs to be higher than standard.
The trick works because the automated readers may airport lounges use don’t cross-check the information provided by the spoofed QR code with actual ticket information from the airline, they just confirm that the flight number is real. It’s a glaring security flaw that not only grants access to these restricted lounges but also allows someone to make duty-free purchases without the added cost of an actual plane ticket.
The app, which Jaroszewski has no intention of releasing to the public, doesn’t mean anyone off the street can just wander into a fancy airport lounge for a free meal and shower whenever they want. You’d still need to get through airport security which double-checks boarding passes against passenger databases and requires valid photo ID (usually a passport). It just means that instead of waiting for a flight in a crowded lounge by your gate, you can pass the time in a little more comfort. [Wired via BoingBoing]