They're good enough to get into lounges and duty-free shops—and past no-fly lists.
Przemek Jaroszewski, head of Poland’s chapter of the international Computer Emergency Readiness Team program, was scheduled to present what was likely one of the more basic but frightening hacks at this week’s Defcon conference in Las Vegas—an Android app that generates fake boarding passes.
As reported by Wired, Jaroszewski has used the app multiple times to access the elite lounges of airlines, including his favorite, Turkish Airlines. Jaroszewski says he has never used the fake passes to go anywhere he wasn’t already allowed—he originally created the app to bypass a scanner at a lounge where he already had privileges. But the same process could be used not just to access posh hang suites, but, Jaroszewski claims, to bypass no-fly lists.
Get Data Sheet, Fortune’s technology newsletter.
That’s possible because, according to Jaroszewski, boarding passes remain shockingly insecure, despite multiple similar demonstrations of their shortcomings over more than a decade. “Effectively, we’re dealing with simple unencrypted strings of characters,” he writes, “Containing all the information needed to decide on our eligibility for fast lane access, duty-free shopping, and more . . .”
He tells Wired that it takes 10 seconds to create a fake boarding pass using his app. He demonstrates in a Youtube video:
According to a statement from the International Air Travel Association, airlines are solely responsible for the security of their lounges, and the hack wouldn’t allow anyone to fly or even enter an airport without a legitimate ticket. That’s in part because they would be subject to physical inspection at those points, while the airline lounges Jaroszewski targeted often have automated entrances.
For more on airport security, watch our video:
Still, it’s shocking to realize that any aspect of the global airline security apparatus is still so flimsy and porous. And in the U.S., relying on TSA screening protocols to backstop digital systems seems wildly optimistic.
Thankfully, Jaroszewski is not releasing his hack, though he says it would be fairly easy to reproduce.