Ian Carroll (software developer): Difference between revisions

Magistr8 (talk | contribs)
m Fixed birthday
self-published source, general fixes, typo(s) fixed: ’s → 's (3)
Line 15:
 
== Biography ==
Carroll began reporting security flaws as a teenager and later held engineering roles at Dropbox and Robinhood, where he led portions of the companies’ vulnerability disclosure and bug bounty initiatives.<ref>{{cite web |title=Ian Carroll – Profile |url=https://www.linkedin.com/in/ian-carroll-a56b8758/ |website=LinkedIn |publisher=LinkedIn |access-date=14 July 2025}}[[Wikipedia:SPS|{{sup|[''self-published'']}}]]</ref>
 
=== Seats.aero (2022–present) ===
Carroll launched '''Seats.aero''' in June 2022 as a tool for finding real-time award-flight availability across dozens of loyalty programs. Within a year the site surpassed one million monthly page views and was hailed by AwardWallet as “one of the best new points-and-miles utilities.”<ref>{{cite web |title=Seats.aero Review – The New Award Search Tool You Need |url=https://awardwallet.com/blog/seats-aero-review |website=AwardWallet |publisher=AwardWallet |date=4 September 2023 |access-date=14 July 2025}}</ref>
In October 2023, Air Canada sued Carroll and Seats.aero under the [[Computer Fraud and Abuse Act]] over automated scraping of award-fare data; a U.S. judge denied the airline’sairline's request for a preliminary injunction in March 2024, allowing the site to continue operating while litigation proceeds.<ref>{{cite news |title=Air Canada Sues Award-Search Start-Up Over Data Scraping |url=https://www.bloomberglaw.com/aircanada-seats-aero-lawsuit |work=Bloomberg Law |publisher=Bloomberg L.P. |date=27 October 2023 |access-date=14 July 2025}}</ref>
 
=== Notable security research ===
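Review bot: the apostrophe normalisation in this hunk is incomplete. The summary says ’s → 's was fixed, and the fused rendering on the Air Canada sentence (`airline’sairline's`) shows the old and new forms side by side, but `companies’` in the Biography paragraph still carries the typographic apostrophe; for a consistent article the possessive-plural form should get the same straight apostrophe.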
Line 25:
* '''Automotive APIs (2022).''' As part of a research group, Carroll helped reveal remote control and tracking vulnerabilities affecting more than a dozen car brands, including BMW, Ford, and Porsche.<ref>{{cite web |title=Research Team Finds Flaws in 16 Auto Manufacturers’ APIs |url=https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html |website=The Hacker News |publisher=THN |date=2 December 2022 |access-date=14 July 2025}}</ref>
* '''“Unsaflok” hotel locks (2024).''' Together with Belgian researcher Lennert Wouters, Carroll disclosed weaknesses in Dormakaba Saflok RFID door locks—installed on over three million hotel doors—allowing near-instant unauthorized entry.<ref name="WiredSaflok" /> Full technical details were presented at [[DEF CON]] 32.<ref name="DEFCONUnsaflok">{{cite web |title=DEF CON 32 – Unsaflok: Hacking Millions of Hotel Locks |url=https://defcon.org/html/defcon-32/dc-32-speakers.html#Carroll |website=DEF CON |publisher=DEF CON Communications |access-date=14 July 2025}}</ref>
* '''TSA Known Crewmember/CASS SQL injection (2024).''' Carroll documented an injection flaw in the FlyCASS portal that could grant unauthorized “crew” status, potentially bypassing airport security.<ref name="Carroll">{{cite web |last=Carroll |first=Ian |title=Bypassing airport security via SQL injection |url=https://ian.sh/tsa |website=ian.sh |date=29 August 2024 |access-date=14 July 2025}}</ref>
* '''McDonald’sMcDonald's hiring bot breach (2025).''' Carroll and Sam Curry found that Paradox.ai’sai's McHire platform was protected by the username “admin” and password “123456,” exposing tens of millions of applicant records.<ref name="WiredMcDonalds" />
 
== Talks ==
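Review bot: the sourcing standard applied in the previous hunk is not applied consistently here. The LinkedIn profile received a self-published tag, yet the TSA/FlyCASS bullet rests solely on `<ref name="Carroll">`, which is the subject's own site (ian.sh); that claim about a security flaw in a government-facing system should either carry the same tag or be backed by an independent report. Two smaller points in the same hunk: the Hacker News citation pairs the title "Research Team Finds Flaws in 16 Auto Manufacturers’ APIs" with a URL whose slug reads `siriusxm-vulnerability-lets-hackers`, so the link should be checked against the cited article; and `Manufacturers’` keeps the curly apostrophe the edit summary says was being replaced.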
Line 32:
 
== Publications ==
* “Bypassing airport security via SQL injection,” *ian.sh*, 2024.<ref>{{cite web |lastname="Carroll |first=Ian |title=Bypassing airport security via SQL injection |url=https://ian.sh/tsa |website=ian.sh |date=29 August 2024 |access-date=14 July 2025}}<"/ref>
* Lily Newman, "Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform," *Wired*, 2023.<ref name="WiredMiles" />
* Andy Greenberg, “Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds,” *Wired*, 2024.<ref name="WiredSaflok" />
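Review bot: the first Publications entry has malformed citation markup that will not render. `|lastname="Carroll |first=Ian` should be `|last=Carroll |first=Ian`, and the closing `<"/ref>` should be `</ref>`. Since this is the same ian.sh citation already defined as `<ref name="Carroll">` in the security-research list, the cleaner fix is to replace the whole inline template with `<ref name="Carroll" />` rather than repeat it.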