Sep 06 2013

Why did the NSA hack an airline reservation system (when CBP already has root access)?

The latest revelations about NSA attacks on encrypted electronic communications include this sentence buried in an article in yesterday’s New York Times (first noted today by the travel news website Skift):

But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them.

It’s no surprise that the U.S. government was and is interested in monitoring airline reservations in real time as well as in mining historical airline reservation records.

But why did the NSA feel it was necessary to hack into airline and computerized reservation system (CRS) messaging, when the U.S. Customs and Border Protection division of DHS already had root access to reservations for flights worldwide stored in any of the four largest CRSs (including Amadeus, the only one not based in the USA), and was already extracting copies of all reservations that include flights to, from, via, or over the U.S. and compiling them into tits Automated Targeting System (ATS)?

  • Was the government interested in some airlines (who were these three?) that didn’t use one of the big four CRSs to host their reservations?
  • Was the government afraid that some airline or CRS (which one?) might pull the plug on CBP access, or restrict it to reservations for flights that actually touch the USA?
  • What was it about airline and CRS messaging that interested the NSA?  For what NSA purpose was the content of PNRs insufficient?

Whistleblowers, especially with airlines or CRSs or their contractors and suppliers, we need your help! If you know what was up with the NSA’s hacking of airline and CRS messaging, leave a comment or get in touch.