AOH :: ISN-3225.HTM

The Boarding Pass Brouhaha

The Boarding Pass Brouhaha
The Boarding Pass Brouhaha,72045-0.html 

By Bruce Schneier
Nov, 02, 2006

Last week Christopher Soghoian created a Fake Boarding Pass Generator 
website, allowing anyone to create a fake Northwest Airlines boarding 
pass: any name, airport, date, flight.

This action got him visited by the FBI, who later came back, smashed 
open his front door, and seized his computers and other belongings. It 
resulted in calls for his arrest -- the most visible by Rep. Edward 
Markey (D-Massachusetts) -- who has since recanted. And it's gotten him 
more publicity than he ever dreamed of.

All for demonstrating a known and obvious vulnerability in airport 
security involving boarding passes and IDs.

This vulnerability is nothing new. There was an article on CSOonline 
from February 2006. There was an article on Slate from February 2005. 
Sen. Chuck Schumer spoke about it as well. I wrote about it in the 
August 2003 issue of Crypto-Gram. It's possible I was the first person 
to publish it, but I certainly wasn't the first person to think of it.

It's kind of obvious, really. If you can make a fake boarding pass, you 
can get through airport security with it. Big deal; we know.

You can also use a fake boarding pass to fly on someone else's ticket. 
The trick is to have two boarding passes: one legitimate, in the name 
the reservation is under, and another phony one that matches the name on 
your photo ID. Use the fake boarding pass in your name to get through 
airport security, and the real ticket in someone else's name to board 
the plane.

This means that a terrorist on the no-fly list can get on a plane: He 
buys a ticket in someone else's name, perhaps using a stolen credit 
card, and uses his own photo ID and a fake ticket to get through airport 
security. Since the ticket is in an innocent's name, it won't raise a 
flag on the no-fly list.

You can also use a fake boarding pass instead of your real one if you 
have the "SSSS" mark and want to avoid secondary screening, or if you 
don't have a ticket but want to get into the gate area.

Historically, forging a boarding pass was difficult. It required special 
paper and equipment. But since Alaska Airlines started the trend in 
1999, most airlines now allow you to print your boarding pass using your 
home computer and bring it with you to the airport. This program was 
temporarily suspended after 9/11, but was quickly brought back because 
of pressure from the airlines. People who print the boarding passes at 
home can go directly to airport security, and that means fewer airline 
agents are required.

Airline websites generate boarding passes as graphics files, which means 
anyone with a little bit of skill can modify them in a program like 
Photoshop. All Soghoian's website did was automate the process with a 
single airline's boarding passes.

Soghoian claims that he wanted to demonstrate the vulnerability. You 
could argue that he went about it in a stupid way, but I don't think 
what he did is substantively worse than what I wrote in 2003. Or what 
Schumer described in 2005. Why is it that the person who demonstrates 
the vulnerability is vilified while the person who describes it is 
ignored? Or, even worse, the organization that causes it is ignored? Why 
are we shooting the messenger instead of discussing the problem?

As I wrote in 2005: "The vulnerability is obvious, but the general 
concepts are subtle. There are three things to authenticate: the 
identity of the traveler, the boarding pass and the computer record. 
Think of them as three points on the triangle. Under the current system, 
the boarding pass is compared to the traveler's identity document, and 
then the boarding pass is compared with the computer record. But because 
the identity document is never compared with the computer record -- the 
third leg of the triangle -- it's possible to create two different 
boarding passes and have no one notice. That's why the attack works."

The way to fix it is equally obvious: Verify the accuracy of the 
boarding passes at the security checkpoints. If passengers had to scan 
their boarding passes as they went through screening, the computer could 
verify that the boarding pass already matched to the photo ID also 
matched the data in the computer. Close the authentication triangle and 
the vulnerability disappears.

But before we start spending time and money and Transportation Security 
Administration agents, let's be honest with ourselves: The photo ID 
requirement is no more than security theater. Its only security purpose 
is to check names against the no-fly list, which would still be a joke 
even if it weren't so easy to circumvent. Identification is not a useful 
security measure here.

Interestingly enough, while the photo ID requirement is presented as an 
antiterrorism security measure, it is really an airline-business 
security measure. It was first implemented after the explosion of TWA 
Flight 800 over the Atlantic in 1996. The government originally thought 
a terrorist bomb was responsible, but the explosion was later shown to 
be an accident.

Unlike every other airplane security measure -- including reinforcing 
cockpit doors, which could have prevented 9/11 -- the airlines didn't 
resist this one, because it solved a business problem: the resale of 
non-refundable tickets. Before the photo ID requirement, these tickets 
were regularly advertised in classified pages: "Round trip, New York to 
Los Angeles, 11/21-30, male, $100." Since the airlines never checked 
IDs, anyone of the correct gender could use the ticket. Airlines hated 
that, and tried repeatedly to shut that market down. In 1996, the 
airlines were finally able to solve that problem and blame it on the FAA 
and terrorism.

So business is why we have the photo ID requirement in the first place, 
and business is why it's so easy to circumvent it. Instead of going 
after someone who demonstrates an obvious flaw that is already public, 
let's focus on the organizations that are actually responsible for this 
security failure and have failed to do anything about it for all these 
years. Where's the TSA's response to all this?

The problem is real, and the Department of Homeland Security and TSA 
should either fix the security or scrap the system. What we've got now 
is the worst security system of all: one that annoys everyone who is 
innocent while failing to catch the guilty.


Bruce Schneier is the CTO of BT Counterpane and the author of Beyond 
Fear: Thinking Sensibly About Security in an Uncertain World. You can 
contact him through his website.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods